Kernel FIPS and AD/LDAP

Sean Horn -

The Chef Server LDAP module does not work when FIPS is enabled in the linux kernel.

Chef Server also has a FIPS mode. While in FIPS mode we use a custom version of the crypto library.  The library we use can be found here: https://github.com/chef/erlang-crypto2/blob/master/src/crypto.erl and that library does not include a generate_key function.

When folks attempt to login to a Manage instance running on a Chef Server that has been integrated with AD/LDAP and has a FIPS kernel module active, you will see messages similar to the following in /var/log/opscode/opscode-erchef/current when chef-server.rb has what would otherwise be the proper settings to communicate with an AD/LDAP server.

 

[error] gen_*** <****> in state hello terminated with reason: call to undefined function crypto**:generate***key******/2 from ssl_connection:*******/3 line 1531

[error] CRASH REPORT Process <> with 0 neighbours exited with reason: call to undefined function crypto**:generate***key*****(dh, [<<*******.>>,...]) in *******:terminate/7 line 626

[error] Failed to connect to ldap host or an error occurred during connection setup. Please check chef-server.rb for correct host, port, and encryption values: "connect failed"

[error] Supervisor tls_connection_sup had child undefined started with {tls_connection,start_link,undefined} at <*******> exit with reason call to undefined function crypto**:generate***key(**, [<<*******,...>>,...]) in context child_terminated

[error] {<<"method=POST; path=******/authenticate_user; status=504; ">>,"Gateway Timeout"}

 

This crypto:generate_key business and the failure to connect indicates that something is interfering with the communications. That something would be the FIPS kernel module.

In order to integrate a Chef Server with an AD/LDAP system, remove the FIPS module from the linux module.

Have more questions? Submit a request

Comments

Powered by Zendesk