What version are you running?
2.5.3
What's the URL of the page containing the problem?
http://[reviewboard]/admin/settings/authentication/
What steps will reproduce the problem?
- Visit 'Authentication Settings' in admin section
- Set "Authentication Method" to "Active Directory"
- Set "Domain controller" to your DCs with port 636, e.g. "mydc01.example.com:636 mydc02.example.com:636"
- Attempting to log in will fail.
- Logs show "Active Directory: Domain controller is down"
Please provide any additional information below.
Port 636 is "LDAP over SSL". These URIs must have the schema "ldaps://", however "ldap://" is hard-coded into reviewboard auth:
reviewboard/accounts/backend.py
    class ActiveDirectoryBackend
        def get_ldap_connections
            ldap_uri = 'ldap://%s:%s' % (host, port)
Users should be able to supply the full ldap_uri in settings.AD_DOMAIN_CONTROLLER, rather than code piecing it together later. (Even better, ldaps:// should be the default for auto-discovery.)
Additionally, because AD certificates are typically self-signed, users should be able to supply certificates. Unrecognised certificates will also cause the "Domain controller is down" failure. Unfortunately it appears difficult to supply certificates system-wide for Python LDAP library use. Currently I add two lines before ldap.initialize(ldap_uri):
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/mydc01.example.com.crt')
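
The behaviour requested in this report, sketched as an added example (not Review Board's code): each "Domain controller" entry may be a full URI or host[:port], and port 636 selects ldaps://. The function names are hypothetical, the hostnames and CA path are the report's own placeholders, and IPv6 literals are out of scope.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def normalize_dc(entry):
    """Turn one domain-controller entry into a full LDAP URI."""
    entry = entry.strip()
    if "://" in entry:
        # A full URI was supplied: keep its scheme instead of forcing ldap://.
        parts = urlsplit(entry)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError("unsupported LDAP URI: %r" % entry)
        host = parts.hostname
        port = parts.port or DEFAULT_PORTS[scheme]
    else:
        # Bare host or host:port: infer the scheme from the port.
        host, sep, port_text = entry.partition(":")
        if not host:
            raise ValueError("missing host in %r" % entry)
        port = int(port_text) if sep else DEFAULT_PORTS["ldap"]
        scheme = "ldaps" if port == DEFAULT_PORTS["ldaps"] else "ldap"
    if not 0 < port < 65536:
        raise ValueError("port out of range in %r" % entry)
    return "%s://%s:%d" % (scheme, host, port)


def parse_dc_setting(value):
    """Split the space-separated setting into a list of LDAP URIs."""
    return [normalize_dc(item) for item in value.split()]


def open_connection(uri, ca_file=None):
    """Connect with python-ldap, demanding a valid certificate for ldaps://."""
    import ldap  # imported here so the URI helpers work without python-ldap

    conn = ldap.initialize(uri)
    if uri.startswith("ldaps://"):
        conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        if ca_file:  # e.g. '/path/to/mydc01.example.com.crt'
            conn.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
        # Rebuild the TLS context so the options above apply to this connection.
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    return conn
```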