This feature is only available for Shiny Server Pro.
The easiest way to confirm an SSL connection is to use the openssl tool to connect to your LDAP server. If you do not already have the SSL certificates for your server, you can download them using this tool. If you run
openssl s_client -connect <LDAP server address>:<port> -showcerts
you should get a substantial amount of output, including the certificate chain the server presents. (The default LDAPS port is 636.)
If you review this output, in particular the last few lines, you should see a "result". If there is a problem, it may say something like
Verify return code: 19 (self signed certificate in certificate chain)
which indicates that there is an issue with trusting the SSL connection between you and your LDAPS server. If you see an error like the one above, you need to instruct your client to trust a particular Certificate Authority (CA) that the openssl tool does not trust by default. Once you retrieve the CA certificate for your organization (which should also be the last certificate returned by the command above if you are actually connected to the right server), you can tell openssl to trust that CA by using a command in the format of
openssl s_client -connect <server-address>:<port> -CAfile <file.pem>
Assuming that the certificate matches the CA you provide, and that everything is in the right format, you should get a line of output from openssl that says
Verify return code: 0 (ok)
Once you see that, you know you have your CA certificate in the right format.
There is one important check that the openssl tool does not perform that you should do before trying to use the certificate in Shiny Server Pro. You will need to confirm that the hostname you are using matches the SSL certificate. You can do that manually, or use curl by running
curl --cacert <file.pem> ldaps://<server-address>:<port>/
If you see some LDAP output, perhaps starting with DN:, and no errors, then things are working properly and you have the right hostname.
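The checks above, collected into a small shell script. This is an added example and is not part of the Shiny Server Pro documentation: the helper names verify_code, last_cert and check_ldaps are my own, the s_client output they are run against here is constructed, and check_ldaps uses the -verify_hostname option of openssl s_client (available in OpenSSL 1.1.0 and later) to perform the hostname check that the article otherwise does with curl.

```shell
#!/bin/sh
# Added example, not from the Shiny Server Pro docs. Helpers for
# (1) reading the "Verify return code" out of `openssl s_client` output,
# (2) extracting the last certificate (the CA) from `-showcerts` output
#     into its own single-certificate PEM block, as trusted_ca requires,
# (3) re-checking chain trust and hostname against a live server.

# Print the numeric verify return code found in s_client output on stdin
# (e.g. "19" for a self-signed certificate in the chain, "0" for ok).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\) .*/\1/p' | tail -n 1
}

# Print only the last PEM certificate block from s_client -showcerts output
# on stdin; with the right server that is the CA certificate.
last_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inblock = 1 }
        inblock { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/ { inblock = 0; last = buf }
        END { printf "%s", last }
    '
}

# Live check: succeeds (exit 0) only when the server chain verifies against
# CAFILE and the certificate matches HOST. Requires OpenSSL 1.1.0 or later.
# Usage: check_ldaps ldap.example.com 636 /etc/ssl/ca1.pem
check_ldaps() {
    host=$1; port=$2; cafile=$3
    out=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" \
            -verify_hostname "$host" </dev/null 2>/dev/null)
    code=$(printf '%s\n' "$out" | verify_code)
    [ "$code" = "0" ]
}

# Constructed sample of s_client -showcerts output (placeholder base64 body,
# not real certificates) showing the untrusted-chain case from the article.
SAMPLE=$(cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Example Internal CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = ldap.example.com
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
MIICcert1placeholder
-----END CERTIFICATE-----
 1 s:CN = Example Internal CA
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
MIICcert2placeholder
-----END CERTIFICATE-----
---
SSL handshake has read 1234 bytes and written 456 bytes
    Verify return code: 19 (self signed certificate in certificate chain)
---
EOF
)

# Demonstration on the constructed sample: reports code 19 and prints the
# last certificate, which you would save as e.g. ca1.pem and retry with -CAfile.
echo "verify return code: $(printf '%s\n' "$SAMPLE" | verify_code)"
printf '%s\n' "$SAMPLE" | last_cert
```

To produce the PEM file the article asks for, redirect the real server's output through the extractor, for example `openssl s_client -connect host:636 -showcerts </dev/null 2>/dev/null | last_cert > ca1.pem`, then confirm with `check_ldaps host 636 ca1.pem` before referencing the file in trusted_ca. Each file must still contain exactly one certificate, which is what last_cert guarantees.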
Once you have the CA certificate working in the above tests, then you are ready to apply it to Shiny Server Pro. The CA certificate should be in PEM format and only include one certificate per file. You can add these file references using the trusted_ca setting in your Shiny Server Pro configuration as follows:
auth_ldap ... {
trusted_ca /etc/ssl/ca1.pem /etc/ssl/ca2.pem;
}
This example setting includes two CA certificates that Shiny Server Pro should trust. Shiny Server Pro should now be able to connect to your LDAPS server successfully when you attempt to authenticate users.