bitnami / containers

Bitnami container images
https://bitnami.com

[bitnami/moodle] LDAPS Authentication not working with Microsoft AD #44986

Open Fail-Unsafe opened 1 year ago

Fail-Unsafe commented 1 year ago

Name and Version

bitnami/moodle:4.2

What architecture are you using?

amd64

What steps will reproduce the bug?

I'm using Docker with the provided docker-compose.yml example with the content from here.

I try to configure an LDAPS connection to our domain controllers. It fails with the generic error seen below.

A normal LDAP connection works great, so this must be an issue specifically with LDAPS.

What is the expected behavior?

A working LDAPS connection just like its unencrypted counterpart.

What do you see instead?

The error: Object of class LDAP/Connection could not be converted to string. This message is too generic, but I guess the ldap connector will not accept the domain controllers' certificates.

Additional information

This is the same issue as this one: https://github.com/bitnami/charts/issues/17050

javsalgar commented 1 year ago

Hi,

Thank you so much for opening the ticket. With that error message, it seems to me that there could be an issue in the upstream project. Did you try reaching out to the plugin developers?

Fail-Unsafe commented 1 year ago

Hi, not yet. I'm pretty sure that they would direct me to the maintainers of the Docker image. I think the problem is the location of the ldap.conf file (if it's used at all?). To be sure that the connection generally works I would like to use the TLS_REQCERT never directive.

Similar to this discussion (somewhat old): https://moodle.org/mod/forum/discuss.php?d=259530

Fail-Unsafe commented 1 year ago

A little update from me: Meanwhile I installed Moodle on a test system using the traditional setup, i.e. git checkout of the current release branch and configuring it manually.

The LDAPS connection works instantly. No problems encountered. So this is an issue with the docker image.

I copied our CA certificate to /usr/local/share/ca-certificates and ran "update-ca-certificates". Without these steps the LDAPS connection also fails, albeit with a different error message.

The relevant content of the /etc/ldap/ldap.conf file is as follows:

    # TLS certificates (needed for GnuTLS)
    TLS_CACERT /etc/ssl/certs/ca-certificates.crt

I'm missing the opportunity to configure something similar in the Docker image. I tried various bind mounts into the docker container: I tested /etc/ldap/ldap.conf, /etc/ldap.conf and /etc/openldap/ldap.conf but nothing works.

rafariossaa commented 1 year ago

Hi, just to have more context: the cert of the LDAP server, is it from a public PKI or is it private? Could you share the errors you are getting?

Fail-Unsafe commented 1 year ago

The certificates of the Domain Controllers are signed by a private PKI. On Linux we take that CA cert and copy it to /usr/local/share/ca-certificates and run "update-ca-certificates". The CA cert is then added to the system trust store, i.e. /etc/ssl/certs/ca-certificates.crt. This file is referenced in the ldap.conf example above.

However in the Docker image there seems to be no way to tell LDAP to use that certificate store or tell it to not validate certificates at all.

The error message from the Docker image is the too generic "The error: Object of class LDAP/Connection could not be converted to string."
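As an added example (not from this thread or the Bitnami project), one way to make the container's LDAP client trust a private CA while keeping certificate validation on, instead of guessing at ldap.conf locations: it relies on OpenLDAP's libldap honouring `LDAPTLS_CACERT` and `LDAPTLS_REQCERT` from the environment, as documented in ldap.conf(5). The service name, the mount path under /opt/bitnami and the CA file name are illustrative assumptions.

```yaml
# docker-compose.yml fragment (added example, not the project's own file).
# Assumptions: a service named "moodle", the private root CA in PEM form saved
# next to this file as ./corp-root-ca.crt, and PHP's ldap extension linked
# against OpenLDAP's libldap, which reads LDAPTLS_* variables from the
# environment (see ldap.conf(5), "Environmental variables").
services:
  moodle:
    image: docker.io/bitnami/moodle:4.2
    environment:
      # CA that signed the domain controllers' certificates.
      - LDAPTLS_CACERT=/opt/bitnami/ldap-ca/corp-root-ca.crt
      # Keep verification strict: "never" would make the client accept any
      # server certificate, so a spoofed LDAPS endpoint could collect the
      # bind credentials Moodle sends. Use "demand" (the default) instead.
      - LDAPTLS_REQCERT=demand
    volumes:
      # Read-only bind mount of the CA file referenced above.
      - ./corp-root-ca.crt:/opt/bitnami/ldap-ca/corp-root-ca.crt:ro
```

If a full client configuration is preferred over single variables, the same mechanism accepts `LDAPCONF=/path/to/ldap.conf` pointing at a mounted file containing the `TLS_CACERT` line quoted above.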

rafariossaa commented 1 year ago

Hi, sorry for the delay. In that case I would suggest you ask in the Moodle forums; maybe another place is used to locate the CAs.