Intermesh / docker-groupoffice

Docker image for Group-Office groupware
https://www.group-office.com
MIT License

Can't contact LDAP server #20

Open dom6770 opened 5 months ago

dom6770 commented 5 months ago

We're currently trying to migrate our bare-metal installation of Group Office to a docker container. So far, everything works except LDAP. It's 1:1 the same configuration as in our working non-docker instance, but yet in docker it says "Can't contact LDAP server", which is weird.

root@test-groupoffice:/usr/local/share/groupoffice# php cli.php community/ldapauthenticator/Sync/test --id=2 --username=fenrir --debug=1
109 [2024-04-16 13:30:20][cli: community/ldapauthenticator/Sync/test][log][go\modules\community\ldapauthenticator\model\Server:217] Connect to ldaps://kerberos.example.intern:7636
Connected
109 [2024-04-16 13:30:20][cli: community/ldapauthenticator/Sync/test][log][go\modules\community\ldapauthenticator\cli\controller\Sync:56] Find DN: "ou=SP-Users,dc=example,dc=at", Query: "uid=fenrir"
109 [2024-04-16 13:30:20][cli: community/ldapauthenticator/Sync/test][log][go\core\ErrorHandler:117] ErrorHandler::exceptionHandler() called with ErrorException
109 [2024-04-16 13:30:20][cli: community/ldapauthenticator/Sync/test][error][go\core\ErrorHandler:72] ErrorException in /usr/local/share/groupoffice/go/core/ldap/Record.php at line 98: ldap_search(): Search: Can't contact LDAP server
109 [2024-04-16 13:30:20][cli: community/ldapauthenticator/Sync/test][error][go\core\ErrorHandler:81] #0 [internal function]: go\core\ErrorHandler::errorHandler(2, 'ldap_search(): ...', '/usr/local/shar...', 98, Array)
109 [2024-04-16 13:30:20][cli: community/ldapauthenticator/Sync/test][error][go\core\ErrorHandler:81] #1 /usr/local/share/groupoffice/go/core/ldap/Record.php(98): ldap_search(Resource id #115, 'ou=SP-Users,dc=...', 'uid=fenrir')
109 [2024-04-16 13:30:20][cli: community/ldapauthenticator/Sync/test][error][go\core\ErrorHandler:81] #2 /usr/local/share/groupoffice/go/modules/community/ldapauthenticator/cli/controller/Sync.php(56): go\core\ldap\Record::find(Object(go\core\ldap\Connection), 'ou=SP-Users,dc=...', 'uid=fenrir')
109 [2024-04-16 13:30:20][cli: community/ldapauthenticator/Sync/test][error][go\core\ErrorHandler:81] #3 [internal function]: go\modules\community\ldapauthenticator\cli\controller\Sync->test('2', 'fenrir')
109 [2024-04-16 13:30:20][cli: community/ldapauthenticator/Sync/test][error][go\core\ErrorHandler:81] #4 /usr/local/share/groupoffice/go/core/cli/Router.php(186): call_user_func_array(Array, Array)
109 [2024-04-16 13:30:20][cli: community/ldapauthenticator/Sync/test][error][go\core\ErrorHandler:81] #5 /usr/local/share/groupoffice/go/core/cli/Router.php(127): go\core\cli\Router->callMethod(Object(go\modules\community\ldapauthenticator\cli\controller\Sync), 'test', Array)
109 [2024-04-16 13:30:20][cli: community/ldapauthenticator/Sync/test][error][go\core\ErrorHandler:81] #6 /usr/local/share/groupoffice/cli.php(42): go\core\cli\Router->run()
109 [2024-04-16 13:30:20][cli: community/ldapauthenticator/Sync/test][error][go\core\ErrorHandler:81] #7 {main}
Uncaught exception: ErrorException in /usr/local/share/groupoffice/go/core/ldap/Record.php at line 98: ldap_search(): Search: Can't contact LDAP server at 2024-04-16T13:30:20+00:00

#0 [internal function]: go\core\ErrorHandler::errorHandler(2, 'ldap_search(): ...', '/usr/local/shar...', 98, Array)
#1 /usr/local/share/groupoffice/go/core/ldap/Record.php(98): ldap_search(Resource id #115, 'ou=SP-Users,dc=...', 'uid=fenrir')
#2 /usr/local/share/groupoffice/go/modules/community/ldapauthenticator/cli/controller/Sync.php(56): go\core\ldap\Record::find(Object(go\core\ldap\Connection), 'ou=SP-Users,dc=...', 'uid=fenrir')
#3 [internal function]: go\modules\community\ldapauthenticator\cli\controller\Sync->test('2', 'fenrir')
#4 /usr/local/share/groupoffice/go/core/cli/Router.php(186): call_user_func_array(Array, Array)
#5 /usr/local/share/groupoffice/go/core/cli/Router.php(127): go\core\cli\Router->callMethod(Object(go\modules\community\ldapauthenticator\cli\controller\Sync), 'test', Array)
#6 /usr/local/share/groupoffice/cli.php(42): go\core\cli\Router->run()
#7 {main}

Debug dump: 

Connect to ldaps://kerberos.example.intern:7636
Find DN: "ou=SP-Users,dc=example,dc=at", Query: "uid=fenrir"
ErrorHandler::exceptionHandler() called with ErrorException
ErrorException in /usr/local/share/groupoffice/go/core/ldap/Record.php at line 98: ldap_search(): Search: Can't contact LDAP server
#0 [internal function]: go\core\ErrorHandler::errorHandler(2, 'ldap_search(): ...', '/usr/local/shar...', 98, Array)
#1 /usr/local/share/groupoffice/go/core/ldap/Record.php(98): ldap_search(Resource id #115, 'ou=SP-Users,dc=...', 'uid=fenrir')
#2 /usr/local/share/groupoffice/go/modules/community/ldapauthenticator/cli/controller/Sync.php(56): go\core\ldap\Record::find(Object(go\core\ldap\Connection), 'ou=SP-Users,dc=...', 'uid=fenrir')
#3 [internal function]: go\modules\community\ldapauthenticator\cli\controller\Sync->test('2', 'fenrir')
#4 /usr/local/share/groupoffice/go/core/cli/Router.php(186): call_user_func_array(Array, Array)
#5 /usr/local/share/groupoffice/go/core/cli/Router.php(127): go\core\cli\Router->callMethod(Object(go\modules\community\ldapauthenticator\cli\controller\Sync), 'test', Array)
#6 /usr/local/share/groupoffice/cli.php(42): go\core\cli\Router->run()

By installing ping and telnet inside the docker container, I can ping kerberos.example.intern, and telnet kerberos.example.internet 7363 without any issue. We use Univention LDAP.

dom6770 commented 5 months ago
LDAP Port
The UCS LDAP service can be reached via ports 7389 (unsecure) and 7636 (TLS encrypted). The UCS LDAP service has two dedicated ports:

Port 7389 (unsecure)
Port 7636 (TLS encrypted)

The unsecure port seems to work, but the TLS port does not. When I use the encrypted port and TLS I get "You have errors in your form. The invalid fields are marked." pointing to the hostname field; when I select SSL I only get "Failed to query user for authentication: ldap_search(): Search: Can't contact LDAP server". In both cases "Verify SSL certificate" is enabled. I even tried to build my own image which imports the UCS CA without any luck.

mschering commented 3 months ago

Is the server using a valid certificate? I noticed it will report that message also when TLS fails:

[screenshot attached to the original comment]

See also: https://serverfault.com/questions/628777/cant-contact-ldap-server-with-ldaps-in-docker
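The following script is an added diagnostic, not code from docker-groupoffice, Group-Office or either commenter. It keeps certificate verification on and surfaces the reason behind "Can't contact LDAP server", which PHP's libldap reports both for an unreachable host and for a failed TLS handshake. The hostname and port are taken from the log above; the CA file path and the bind credentials are assumptions.

```php
<?php
// Added diagnostic script; not part of docker-groupoffice or Group-Office.
// Host/port from the issue log; CA path and bind DN are placeholders for your setup.
declare(strict_types=1);

/**
 * ldap_connect() only parses the URI and opens no socket, which is why the
 * Group-Office CLI can print "Connected" and still fail in ldap_search(): the
 * TCP connect and TLS handshake happen on the first real operation. A failed
 * handshake is returned by libldap as LDAP_SERVER_DOWN (errno -1), the same
 * "Can't contact LDAP server" text as a dead host; the TLS detail is only
 * available through LDAP_OPT_DIAGNOSTIC_MESSAGE.
 */
function probeLdaps(string $uri, string $caFile, ?string $bindDn = null, ?string $password = null): array
{
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return ['ok' => false, 'stage' => 'uri', 'errno' => 0, 'error' => 'malformed LDAP URI', 'detail' => ''];
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);
    // Trust the CA that signed the UCS server certificate (same effect as
    // TLS_CACERT in ldap.conf or the LDAPTLS_CACERT env var) and demand a valid chain.
    ldap_set_option($conn, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option($conn, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // First call that really connects; @ suppresses PHP's E_WARNING so the
    // underlying reason can be reported in a structured way instead.
    if (@ldap_bind($conn, $bindDn, $password)) {
        return ['ok' => true, 'stage' => 'bind', 'errno' => 0, 'error' => '', 'detail' => ''];
    }
    // For TLS failures libldap stores the OpenSSL message here, e.g.
    // "certificate verify failed (unable to get local issuer certificate)".
    $diag = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return [
        'ok'     => false,
        'stage'  => 'bind',
        'errno'  => ldap_errno($conn),   // -1 for both network and TLS failures
        'error'  => ldap_error($conn),   // "Can't contact LDAP server"
        'detail' => $diag,               // empty for a plain network/DNS failure
    ];
}

$r = probeLdaps('ldaps://kerberos.example.intern:7636', '/usr/local/share/ca-certificates/ucs-ca.crt');
printf("ok=%s errno=%d error=%s\ndetail=%s\n", var_export($r['ok'], true), $r['errno'], $r['error'], $r['detail']);
// Empty detail with errno -1: networking/DNS from inside the container.
// Non-empty detail: the TLS layer (untrusted CA, hostname mismatch, expired cert).
```

Run it inside the container with `php probe.php` so it uses the same libldap, CA store and DNS resolution as the Group-Office process.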