hlavki / g-suite-identity-sync

G Suite to LDAP identity synchronizer
Apache License 2.0

Failed to connect with TLS #70

Closed Angelin01 closed 3 years ago

Angelin01 commented 3 years ago

I'm trying to set up a fresh install, however my LDAP connection requires TLS and it seems the service fails when trying to connect because of this:

Caused by: LDAPException(resultCode=13 (confidentiality required), diagnosticMessage='confidentiality required', ldapSDKVersion=4.0.10, revision=b2272901fd62ad978017ff1aeb049cafc1999b12)

Now, I am using osixia/openldap and have configured the client TLS to "allow": LDAP_TLS_VERIFY_CLIENT: 'allow'. All my other applications can connect successfully.

There's nothing special in my config:

```yaml
openldap:
    image: '${OPENLDAP_VERSION}'
    container_name: openldap
    hostname: '${LDAP_HOSTNAME}'
    command: ['--copy-service']
    restart: unless-stopped
    networks:
      ldap_in:
        aliases:
          - '${LDAP_HOSTNAME}.${COMMON_DOMAIN}'
    environment:
      LDAP_TLS: 'true'
      LDAP_TLS_CRT_FILENAME: 'fullchain.pem'
      LDAP_TLS_KEY_FILENAME: 'privkey.pem'
      LDAP_TLS_CA_CRT_FILENAME: 'fullchain.pem'
      LDAP_TLS_ENFORCE: 'true'
      LDAP_ORGANISATION: '**REDACTED**'
      LDAP_DOMAIN: '${COMMON_DOMAIN}'
      LDAP_BASE_DN: '${BASE_LDAP_DN}'
      LDAP_ADMIN_PASSWORD: '${LDAP_ADMIN_PWD}'
      LDAP_TLS_CIPHER_SUITE: 'NORMAL'
      LDAP_TLS_VERIFY_CLIENT: 'allow'
      LDAP_RFC2307BIS_SCHEMA: 'true'
    volumes:
      - ldap_db_volume:/var/lib/ldap
      - ldap_config_volume:/etc/ldap/slapd.d
      - '${CERT_DIR}:/container/service/slapd/assets/certs:ro'
    ports:
      - "389:389"

acc-manager:
    image: '${ACC_MANAGER_VERSION}'
    container_name: acc-manager
    hostname: '${ACC_MANAGER_HOSTNAME}'
    restart: unless-stopped
    networks:
      - ldap_in
      - nginx_in
    environment:
      LDAP_HOST: '${LDAP_HOSTNAME}.${COMMON_DOMAIN}'
      SLAPD_BIND_DN: 'cn=admin,${BASE_LDAP_DN}'
      SLAPD_BASE_DN: '${BASE_LDAP_DN}'
      SLAPD_PASSWORD: '${LDAP_ADMIN_PWD}'
      GSUITE_DOMAIN: '${COMMON_DOMAIN}'
      GSUITE_CLIENT_ID: '${GSUITE_ID}'
      GSUITE_CLIENT_SECRET: '${GSUITE_SECRET}'
    volumes:
      - identity-config:/opt/karaf/etc/identity
    ports:
      - '8181:8181'
      - '8101:8101'
    depends_on:
      - openldap
```

Is there any way to fix this?
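The failure quoted above is the server side of `LDAP_TLS_ENFORCE: 'true'`: slapd answers any operation on a cleartext connection with resultCode 13 (`confidentialityRequired`) before it evaluates the bind, so the client has to negotiate TLS first. The exception names the UnboundID LDAP SDK, so the following is an added Java example (not code from g-suite-identity-sync, which at the time of the issue had no TLS option) showing both the cleartext bind that produces resultCode 13 and a StartTLS upgrade on port 389, the only LDAP port the compose file publishes. The host name, bind DN and trust store path in `main` are hypothetical placeholders; the trust store is assumed to contain the CA that issued the server's `fullchain.pem`.

```java
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.ExtendedResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

import javax.net.ssl.SSLContext;
import java.security.GeneralSecurityException;

/**
 * Added example (not project code): talking to a slapd that enforces TLS.
 * probePlaintextBind reproduces the resultCode 13 from the issue;
 * connectWithStartTls is the client behaviour the server actually requires.
 */
public final class LdapTlsClient {

    /** Outcome of the cleartext probe, so callers branch on a code, not on message text. */
    public enum PlaintextOutcome { ACCEPTED, CONFIDENTIALITY_REQUIRED, OTHER_FAILURE }

    /**
     * Simple bind over a cleartext connection. With LDAP_TLS_ENFORCE=true the
     * server rejects it with CONFIDENTIALITY_REQUIRED (13) before checking the
     * password. ACCEPTED here means TLS enforcement is NOT in effect, which makes
     * this a cheap deployment health check.
     */
    public static PlaintextOutcome probePlaintextBind(String host, int port,
                                                      String bindDn, String password) {
        LDAPConnection conn = null;
        try {
            conn = new LDAPConnection(host, port);
            conn.bind(bindDn, password);
            return PlaintextOutcome.ACCEPTED;
        } catch (LDAPException e) {
            return e.getResultCode() == ResultCode.CONFIDENTIALITY_REQUIRED
                    ? PlaintextOutcome.CONFIDENTIALITY_REQUIRED
                    : PlaintextOutcome.OTHER_FAILURE;
        } finally {
            if (conn != null) {
                conn.close();
            }
        }
    }

    /**
     * Connect on the plain LDAP port, upgrade the socket with the StartTLS
     * extended operation (verifying the server certificate against an explicit
     * trust store), and only then send the bind. Returns the bound connection;
     * the caller owns it and must close it.
     */
    public static LDAPConnection connectWithStartTls(String host, int port, String trustStorePath,
                                                     String bindDn, String password)
            throws LDAPException, GeneralSecurityException {
        // Explicit trust store rather than a trust-everything manager: the point of
        // TLS here is that the admin password only goes to the server we expect.
        SSLUtil sslUtil = new SSLUtil(new TrustStoreTrustManager(trustStorePath));
        SSLContext sslContext = sslUtil.createSSLContext();

        LDAPConnection conn = new LDAPConnection(host, port);
        try {
            ExtendedResult tlsResult =
                    conn.processExtendedOperation(new StartTLSExtendedRequest(sslContext));
            if (tlsResult.getResultCode() != ResultCode.SUCCESS) {
                throw new LDAPException(tlsResult.getResultCode(),
                        "StartTLS refused: " + tlsResult.getDiagnosticMessage());
            }
            // Credentials leave the client only after the channel is encrypted.
            BindResult bind = conn.bind(bindDn, password);
            if (bind.getResultCode() != ResultCode.SUCCESS) {
                throw new LDAPException(bind.getResultCode(),
                        "bind failed: " + bind.getDiagnosticMessage());
            }
            return conn;
        } catch (LDAPException | RuntimeException e) {
            conn.close();
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical placeholders shaped like the issue's compose variables.
        String host = "ldap.example.internal";
        String bindDn = "cn=admin,dc=example,dc=internal";
        String password = System.getenv("SLAPD_PASSWORD");
        String trustStore = "/opt/karaf/etc/identity/truststore.p12"; // hypothetical path

        System.out.println("cleartext bind: " + probePlaintextBind(host, 389, bindDn, password));
        LDAPConnection conn = connectWithStartTls(host, 389, trustStore, bindDn, password);
        try {
            System.out.println("StartTLS bind ok, connected=" + conn.isConnected());
        } finally {
            conn.close();
        }
    }
}
```

Against the compose file in this issue, `probePlaintextBind` returns `CONFIDENTIALITY_REQUIRED`, which is exactly the `LDAPException(resultCode=13 ...)` quoted above, while `connectWithStartTls` succeeds. The same SSLUtil can instead produce a socket factory (`sslUtil.createSSLSocketFactory()`) for an LDAPS connection on 636, but that port is not published in the compose file, so StartTLS on 389 is the option that matches the deployment as posted.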

hlavki commented 3 years ago

hi @Angelin01,

this is a legit note, but unfortunately this software does not support it. I'll look into it as soon as possible.

hlavki commented 3 years ago

fixed in v0.5.0