jp-gouin / helm-openldap

Helm chart of Openldap in High availability with multi-master replication and PhpLdapAdmin and Ltb-Passwd
Apache License 2.0
184 stars, 116 forks

Can't retrieve tls certificate when enabling TLS #179

Closed RorFis closed 2 weeks ago

RorFis commented 3 weeks ago

Describe the bug
Trying to get the TLS certificate with openssl results in:

806B2A7DCE7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:

To Reproduce
Steps to reproduce the behavior:

  1. Connect to the shell of pod openldap-0
  2. Run the command openssl s_client -showcerts -connect localhost:1636
  3. See the error

Expected behavior
The certificate tls.crt is retrieved.

Additional context
I've been trying to set up this Helm chart to be able to connect to OpenLDAP over LDAPS from outside the Kubernetes cluster with a custom certificate. Kubernetes is on AWS EKS, and the Helm chart is deployed with ArgoCD. During my tests I've been getting a lot of ldap_sasl_interactive_bind: Can't contact LDAP server (-1), so I decided to revert to a simpler configuration and disabled the use of custom certificates. Basically, the only changes to values.yaml are now the following:

ldapDomain: "my.domain"
existingSecret: "my-secrets"

Ltb and PLA are disabled. I still get the same errors, so I connected to one of openldap's pods and checked for the certs with openssl (openssl s_client -showcerts -connect localhost:1636). I get the following:

CONNECTED(00000003)
806B2A7DCE7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 297 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Doing the same thing while port-forwarding to my personal machine gives the same results. The same command while port-forwarding to the Kubernetes service returns the following:

CONNECTED(000001E0)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

This seems weird to me, since the same command against an on-prem LDAP and against a bitnami/openldap Docker container actually retrieves the certificate. I am trying to achieve end-to-end SSL with LDAPS, and I am not sure how to debug it now, since I can't use openssl to test the SSL connection. Also, the pod's logs are full of closed (TLS negotiation failure), which I suppose comes from the replication connections.
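Reading the two transcripts above: "SSL handshake has read 0 bytes" together with "no peer certificate available" means the port accepted the TCP connection and then closed it before sending a single TLS record, which is what a listener with no TLS configuration behind it looks like (a refused port would show no CONNECTED( line at all). Note that "Verification: OK" and "Verify return code: 0 (ok)" are printed anyway, because nothing was verified; a health check that only greps for that line passes against a dead LDAPS listener. The classifier below is an added example, not code from the issue or from the chart; the transcripts in it are constructed from the ones posted here with the certificate body elided, and the probe() helper runs openssl s_client the same way the reporter did.

```python
"""Classify an `openssl s_client` transcript: did the LDAPS listener actually speak TLS?

Added example for this issue, not part of the helm-openldap chart. The two
transcripts below are constructed from the ones pasted in the thread, with the
certificate body elided.
"""
import re
import subprocess

# Constructed from the first post: probing localhost:1636 inside the pod.
POD_1636 = """CONNECTED(00000003)
806B2A7DCE7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 297 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
---
"""

# Constructed: what a listener that does have TLS configured prints (self-signed cert).
WORKING_1636 = """CONNECTED(00000003)
depth=0 CN = example.com
verify error:num=18:self-signed certificate
verify return:1
---
Certificate chain
 0 s:CN = example.com
   i:CN = example.com
-----BEGIN CERTIFICATE-----
MIIB...elided...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = example.com
issuer=CN = example.com
---
SSL handshake has read 1390 bytes and written 393 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 18 (self-signed certificate)
---
"""


def classify(transcript: str) -> dict:
    """Reduce a transcript to a verdict plus the fields the verdict rests on."""
    hs = re.search(r"SSL handshake has read (\d+) bytes and written (\d+) bytes", transcript)
    bytes_read = int(hs.group(1)) if hs else -1
    vr = re.search(r"Verify return code: (\d+) \(([^)]*)\)", transcript)
    ci = re.search(r"Cipher is (\S+)", transcript)
    info = {
        "connected": "CONNECTED(" in transcript,
        "bytes_read": bytes_read,
        "peer_cert": "-----BEGIN CERTIFICATE-----" in transcript,
        "verify_code": int(vr.group(1)) if vr else None,
        "cipher": ci.group(1) if ci and ci.group(1) != "(NONE)" else None,
    }
    if not info["connected"]:
        info["verdict"] = "tcp-refused"
    elif bytes_read == 0 and not info["peer_cert"]:
        # TCP accept followed by a close before a single TLS record came back:
        # the port is listening but nothing is doing TLS on it.
        info["verdict"] = "listener-without-tls"
    elif info["peer_cert"] and info["verify_code"] == 0:
        info["verdict"] = "tls-verified"
    elif info["peer_cert"]:
        info["verdict"] = "tls-unverified"  # handshake done, chain not trusted (e.g. self-signed)
    else:
        info["verdict"] = "handshake-failed"
    return info


def probe(host: str, port: int, servername: str, timeout: int = 10) -> dict:
    """Run s_client against host:port (needs the openssl binary) and classify the result."""
    cmd = ["openssl", "s_client", "-showcerts", "-servername", servername,
           "-connect", f"{host}:{port}"]
    done = subprocess.run(cmd, stdin=subprocess.DEVNULL, capture_output=True,
                          text=True, timeout=timeout)
    return classify(done.stdout + done.stderr)  # the "unexpected eof" error goes to stderr


if __name__ == "__main__":
    import sys
    host, port = (sys.argv[1], int(sys.argv[2])) if len(sys.argv) > 2 else ("localhost", 1636)
    print(probe(host, port, servername="example.com"))
```

The verdict to act on for this thread is "listener-without-tls": it distinguishes "slapd never loaded a certificate for this listener" from a wrong port (tcp-refused) and from a trust problem (tls-unverified), which is the case the second half of the thread turns out to be about.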

jp-gouin commented 3 weeks ago

Hi @RorFis

It works in the CI with openssl s_client -showcerts -servername example.com -connect localhost:30636

It's 30636 because that's the exposed port; the internal pod port is 1636.

Are you able to run an ldapsearch command?

Can you provide the log of the first start of openldap-0 (the name might change depending on the install name)?

You can use k logs pod_name --previous to get the correct execution.

RorFis commented 3 weeks ago

Hi, I'm not sure where 30636 is exposed, I don't see it. I am able to run ldapsearch commands on port 1389:

ldapsearch -v -H ldap://localhost:1389 -W -D cn=admin,dc=my,dc=domain -b dc=my,dc=domain
ldap_initialize( ldap://localhost:1389/??base )
Enter LDAP Password:
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=my,dc=domain> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

However, on port 1636 I have the following error:

ldapsearch -v -H ldaps://localhost:1636 -W -D cn=admin,dc=my,dc=domain -b dc=my,dc=domain
ldap_initialize( ldaps://localhost:1636/??base )
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The logs for openldap-0 are the following:

 08:14:38.59 INFO  ==> ** Starting LDAP setup **
 08:14:38.69 INFO  ==> Validating settings in LDAP_* env vars
 08:14:38.71 INFO  ==> Initializing OpenLDAP...
 08:14:38.71 DEBUG ==> Ensuring expected directories/files exist...
 08:14:38.75 INFO  ==> Using persisted data
 08:14:38.77 INFO  ==> ** LDAP setup finished! **

 08:14:38.82 INFO  ==> ** Starting slapd **
6694da6e.31f720d9 0x7f9a664c3740 @(#) $OpenLDAP: slapd 2.6.7 (May 13 2024 16:20:35) $
    @fd2dadcdc6ef:/bitnami/blacksmith-sandox/openldap-2.6.7/servers/slapd
6694da6e.338c91ac 0x7f9a664c3740 slapd starting
6694da74.14622584 0x7f9a257146c0 conn=1000 fd=14 ACCEPT from IP=X.X.X.X:41042 (IP=0.0.0.0:1389)
6694da74.1466775e 0x7f9a257146c0 conn=1000 fd=14 closed (connection lost)

and then it loops over the last 2 lines.

jp-gouin commented 3 weeks ago

Are you running those commands inside the container ?

Unfortunately the log you provided is not the first execution of the container: 08:14:38.75 INFO ==> Using persisted data

Can you delete the chart, make sure the PVCs are also deleted, and reinstall the chart?

edouardpagnier commented 3 weeks ago

Hi @jp-gouin,

Thanks for the support !

We removed all PVCs and reinstalled the chart, running only one replica first.

Here is the log of the first start:

 20:30:38.45 INFO  ==> Starting LDAP setup
 20:30:38.50 INFO  ==> Validating settings in LDAP_* env vars
 20:30:38.52 INFO  ==> Initializing OpenLDAP...
 20:30:38.52 DEBUG ==> Ensuring expected directories/files exist...
 20:30:38.55 INFO  ==> Creating LDAP online configuration
 20:30:38.55 INFO  ==> Creating slapd.ldif
 20:30:38.59 INFO  ==> Starting OpenLDAP server in background
669586ee.23fd9055 0x7ff89cdfc740 @(#) $OpenLDAP: slapd 2.6.7 (May 13 2024 16:20:35) $
    @fd2dadcdc6ef:/bitnami/blacksmith-sandox/openldap-2.6.7/servers/slapd
669586ee.24c12b7e 0x7ff89cdfc740 slapd starting
 20:30:39.60 INFO  ==> Configure LDAP credentials for admin user
SASL/EXTERNAL authentication started
669586ef.24f2b7d9 0x7ff857fff6c0 conn=1000 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
669586ef.24f59482 0x7ff857fff6c0 conn=1000 op=0 BIND dn="" method=163
669586ef.24f6959c 0x7ff857fff6c0 conn=1000 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
669586ef.24f77380 0x7ff857fff6c0 conn=1000 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
669586ef.24f80901 0x7ff857fff6c0 conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000016 etime=0.000199 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
669586ef.24faea53 0x7ff857fff6c0 conn=1000 op=1 MOD dn="olcDatabase={2}mdb,cn=config"
669586ef.24fb4a05 0x7ff857fff6c0 conn=1000 op=1 MOD attr=olcSuffix
669586ef.2504eeb0 0x7ff857fff6c0 conn=1000 op=1 RESULT tag=103 err=0 qtime=0.000013 etime=0.000689 text=
669586ef.25087ab0 0x7ff857fff6c0 conn=1000 op=2 MOD dn="olcDatabase={2}mdb,cn=config"
669586ef.2508e598 0x7ff857fff6c0 conn=1000 op=2 MOD attr=olcRootDN
669586ef.251a7898 0x7ff857fff6c0 conn=1000 op=2 RESULT tag=103 err=0 qtime=0.000017 etime=0.001217 text=
669586ef.251c66d4 0x7ff857fff6c0 conn=1000 op=3 MOD dn="olcDatabase={2}mdb,cn=config"
669586ef.251ce66e 0x7ff857fff6c0 conn=1000 op=3 MOD attr=olcRootPW
669586ef.2520fa9f 0x7ff857fff6c0 conn=1000 op=3 RESULT tag=103 err=0 qtime=0.000015 etime=0.000330 text=
669586ef.2525d341 0x7ff857fff6c0 conn=1000 op=4 MOD dn="olcDatabase={1}monitor,cn=config"
669586ef.25264df4 0x7ff857fff6c0 conn=1000 op=4 MOD attr=olcAccess
669586ef.252c38f3 0x7ff857fff6c0 conn=1000 op=4 RESULT tag=103 err=0 qtime=0.000019 etime=0.000452 text=
669586ef.252eefcc 0x7ff857fff6c0 conn=1000 op=5 UNBIND
669586ef.252fdadb 0x7ff857fff6c0 conn=1000 fd=12 closed
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={1}monitor,cn=config"
 20:30:39.62 INFO  ==> Adding LDAP extra schemas
SASL/EXTERNAL authentication started
669586ef.25e12210 0x7ff857fff6c0 conn=1001 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
669586ef.25e36539 0x7ff8577fe6c0 conn=1001 op=0 BIND dn="" method=163
669586ef.25e7079d 0x7ff8577fe6c0 conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
669586ef.25e771a8 0x7ff8577fe6c0 conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
669586ef.2614ec59 0x7ff8577fe6c0 conn=1001 op=0 RESULT tag=97 err=0 qtime=0.000020 etime=0.003272 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
669586ef.26320b9c 0x7ff857fff6c0 conn=1001 op=1 ADD dn="cn=cosine,cn=schema,cn=config"
669586ef.266603a7 0x7ff857fff6c0 conn=1001 op=1 RESULT tag=105 err=0 qtime=0.000020 etime=0.003459 text=
669586ef.266ebb0c 0x7ff8577fe6c0 conn=1001 op=2 UNBIND
adding new entry "cn=cosine,cn=schema,cn=config"
669586ef.266fa53d 0x7ff8577fe6c0 conn=1001 fd=12 closed
SASL/EXTERNAL authentication started
669586ef.26e43721 0x7ff857fff6c0 conn=1002 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
669586ef.26e85d77 0x7ff8577fe6c0 conn=1002 op=0 BIND dn="" method=163
669586ef.26e96b22 0x7ff8577fe6c0 conn=1002 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
669586ef.26ea1454 0x7ff8577fe6c0 conn=1002 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
669586ef.26ead413 0x7ff8577fe6c0 conn=1002 op=0 RESULT tag=97 err=0 qtime=0.000026 etime=0.000195 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
669586ef.26f8339c 0x7ff857fff6c0 conn=1002 op=1 ADD dn="cn=inetorgperson,cn=schema,cn=config"
669586ef.27001f42 0x7ff857fff6c0 conn=1002 op=1 RESULT tag=105 err=0 qtime=0.000018 etime=0.000564 text=
669586ef.270771e3 0x7ff857fff6c0 conn=1002 op=2 UNBIND
669586ef.270966d0 0x7ff857fff6c0 conn=1002 fd=12 closed
adding new entry "cn=inetorgperson,cn=schema,cn=config"
669586ef.27672074 0x7ff8577fe6c0 conn=1003 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
SASL/EXTERNAL authentication started
669586ef.27716c57 0x7ff857fff6c0 conn=1003 op=0 BIND dn="" method=163
669586ef.277a02a5 0x7ff857fff6c0 conn=1003 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
669586ef.277aa9c3 0x7ff857fff6c0 conn=1003 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
669586ef.2780ad2d 0x7ff857fff6c0 conn=1003 op=0 RESULT tag=97 err=0 qtime=0.000026 etime=0.001029 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
669586ef.27959967 0x7ff8577fe6c0 conn=1003 op=1 ADD dn="cn=nis,cn=schema,cn=config"
669586ef.27b93375 0x7ff8577fe6c0 conn=1003 op=1 RESULT tag=105 err=0 qtime=0.000021 etime=0.002393 text=
adding new entry "cn=nis,cn=schema,cn=config"
669586ef.27ca09ba 0x7ff8577fe6c0 conn=1003 op=2 UNBIND
669586ef.27caee4a 0x7ff8577fe6c0 conn=1003 fd=12 closed
SASL/EXTERNAL authentication started
669586ef.282a9b88 0x7ff857fff6c0 conn=1004 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
669586ef.282c148a 0x7ff8577fe6c0 conn=1004 op=0 BIND dn="" method=163
669586ef.282c98c7 0x7ff8577fe6c0 conn=1004 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
669586ef.282cc677 0x7ff8577fe6c0 conn=1004 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
669586ef.282d1c5e 0x7ff8577fe6c0 conn=1004 op=0 RESULT tag=97 err=0 qtime=0.000023 etime=0.000094 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
669586ef.2835d27c 0x7ff857fff6c0 conn=1004 op=1 ADD dn="cn=module,cn=config"
669586ef.289106f6 0x7ff857fff6c0 conn=1004 op=1 RESULT tag=105 err=0 qtime=0.000338 etime=0.006340 text=
adding new entry "cn=module,cn=config"
669586ef.2896b209 0x7ff8577fe6c0 conn=1004 op=2 UNBIND
669586ef.289779fa 0x7ff8577fe6c0 conn=1004 fd=12 closed
SASL/EXTERNAL authentication started
669586ef.2a133e10 0x7ff857fff6c0 conn=1005 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
669586ef.2a142e2f 0x7ff8577fe6c0 conn=1005 op=0 BIND dn="" method=163
669586ef.2a1617ff 0x7ff8577fe6c0 conn=1005 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
669586ef.2a16a005 0x7ff8577fe6c0 conn=1005 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
669586ef.2a1979aa 0x7ff8577fe6c0 conn=1005 op=0 RESULT tag=97 err=0 qtime=0.000015 etime=0.000366 text=
669586ef.2a20bb4c 0x7ff8577fe6c0 conn=1005 op=1 MOD dn="cn=config"
669586ef.2a219ba3 0x7ff8577fe6c0 conn=1005 op=1 MOD attr=olcServerID
669586ef.2a2ba826 0x7ff8577fe6c0 conn=1005 op=1 RESULT tag=103 err=0 qtime=0.000020 etime=0.000753 text=
modifying entry "cn=config"
669586ef.2a368990 0x7ff8577fe6c0 conn=1005 op=2 UNBIND
669586ef.2a3ab7d7 0x7ff8577fe6c0 conn=1005 fd=12 closed
SASL/EXTERNAL authentication started
669586ef.2ad795b6 0x7ff8577fe6c0 conn=1006 op=0 BIND dn="" method=163
669586ef.2ad8b9c3 0x7ff8577fe6c0 conn=1006 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
669586ef.2ad91f2b 0x7ff8577fe6c0 conn=1006 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
669586ef.2ad9c9d9 0x7ff8577fe6c0 conn=1006 op=0 RESULT tag=97 err=0 qtime=0.000042 etime=0.000193 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
669586ef.2ad5f407 0x7ff857fff6c0 conn=1006 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
669586ef.2adf19cb 0x7ff8577fe6c0 conn=1006 op=1 ADD dn="olcOverlay=syncprov,olcDatabase={0}config,cn=config"
669586ef.2ae7773e 0x7ff8577fe6c0 conn=1006 op=1 RESULT tag=105 err=0 qtime=0.000016 etime=0.000590 text=
adding new entry "olcOverlay=syncprov,olcDatabase={0}config,cn=config"
669586ef.2ae9192f 0x7ff857fff6c0 conn=1006 op=2 UNBIND
669586ef.2aea4026 0x7ff857fff6c0 conn=1006 fd=12 closed
SASL/EXTERNAL authentication started
669586ef.2bbf1da8 0x7ff8577fe6c0 conn=1007 fd=12 ACCEPT from PATH=/opt/bitnami/openldap/var/run/ldapi (PATH=/opt/bitnami/openldap/var/run/ldapi)
669586ef.2bc0457d 0x7ff857fff6c0 conn=1007 op=0 BIND dn="" method=163
669586ef.2bc12877 0x7ff857fff6c0 conn=1007 op=0 BIND authcid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth"
669586ef.2bc15d09 0x7ff857fff6c0 conn=1007 op=0 BIND dn="gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
669586ef.2bc1bd5a 0x7ff857fff6c0 conn=1007 op=0 RESULT tag=97 err=0 qtime=0.000013 etime=0.000116 text=
SASL username: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
SASL SSF: 0
669586ef.2bc43e4f 0x7ff8577fe6c0 conn=1007 op=1 MOD dn="olcDatabase={0}config,cn=config"
modifying entry "olcDatabase={0}config,cn=config"
669586ef.2bc564ad 0x7ff8577fe6c0 conn=1007 op=1 MOD attr=olcSyncRepl olcMirrorMode
669586ef.2bc87135 0x7ff8577fe6c0 invalid bind config value binddn=cn=,cn=config
669586ef.2bc8edd9 0x7ff8577fe6c0 olcSyncrepl: value #0: :Error parse_syncrepl_line: unable to parse "binddn=cn=,cn=config" .
669586ef.2bc94773 0x7ff8577fe6c0 failed to add syncinfo
669586ef.2bc9cf39 0x7ff8577fe6c0 conn=1007 op=1 RESULT tag=103 err=80 qtime=0.000014 etime=0.000411 text=Error: parse_syncrepl_line: unable to parse "binddn=cn=,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
	additional info: Error: parse_syncrepl_line: unable to parse "binddn=cn=,cn=config"
669586ef.2bcf6204 0x7ff8577fe6c0 conn=1007 op=2 UNBIND
669586ef.2bd048ed 0x7ff8577fe6c0 conn=1007 fd=12 closed
669586ef.2bf6704f 0x7ff85c8666c0 daemon: shutdown requested and initiated.
669586ef.2c019a44 0x7ff85c8666c0 slapd shutdown: waiting for 0 operations/tasks to finish
669586ef.2c1a89a2 0x7ff89cdfc740 slapd stopped.

The error at the end: ldap_modify: Other (e.g., implementation specific) error (80) additional info: Error: parse_syncrepl_line: unable to parse "binddn=cn=,cn=config"

Not sure if this is related, but it seems that some ldif files are missing in /opt/bitnami/openldap/share:

I've run your image locally (jpgouin/openldap:2.6.7-fix, which is working perfectly, ldaps included) and here is the content of /opt/bitnami/openldap/share:

root@e1e2bd1868d9:/opt/bitnami/openldap/share# ls -l
total 16
-rw-r--r-- 1 slapd slapd  568 Jul 15 17:02 admin.ldif
-rw-r--r-- 1 slapd slapd  372 Jul 15 17:02 certs.ldif
-rw-rw---- 1 slapd slapd 1594 Jul 15 17:02 slapd.ldif
-rw-r--r-- 1 slapd slapd  947 Jul 15 17:02 tree.ldif

But in the pod openldap-0 created by the statefulset, I get this:

I have no name!@openldap-0:/opt/bitnami/openldap/share$ ls -l
total 4
-rw-rw---- 1 root root 2792 May 13 16:21 slapd.ldif

So we are starting to think that the error at the first start might be related to the config not being complete, and our ldaps issue looks simply due to the certs.ldif file not being there.

Any idea ?

Thanks for your help

jp-gouin commented 2 weeks ago

That's what I suspect too.

Do you have a value set for global.adminUser? The default one is admin.

RorFis commented 2 weeks ago

Hi @jp-gouin

Indeed, the entire conf:

  adminUser: "admin"
  adminPassword: Not@SecurePassw0rd
  configUserEnabled: true
  configUser: "admin"
  configPassword: Not@SecurePassw0rd

was commented out. Now that it is uncommented, the error is gone. I'm also able to get the certificates from the service now! I still get these errors:

66962cbb.0f94a773 0x7f1a4affd6c0 slap_client_connect: URI=ldap://openldap-2.openldap-headless.openldap.svc.cluster.local:1389 Error, ldap_start_tls failed (-1)
66962cbb.1156baac 0x7f1a58f4b6c0 TLS certificate verification: Error, self-signed certificate

Not sure why the replication seems to start TLS on the ldap port and not on ldaps. Any idea? Also, we noticed that the env variable LDAPTLS_REQCERT may have a missing underscore in values.yaml; should it not be LDAP_TLS_REQCERT?

Thank you!
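The first-start log earlier in the thread pins the failure: slapd rejects the olcSyncRepl value with parse_syncrepl_line: unable to parse "binddn=cn=,cn=config" (result 80) and shuts down, so the rest of the bootstrap, certs.ldif included, never runs; the reply above confirms the empty bind DN came from a commented-out adminUser. The pre-flight validator below is an added example, not code from the chart: it tokenises a syncrepl directive as key=value pairs with quoted values allowed, rejects any DN that contains an RDN with an empty value, and flags an ldap:// provider without starttls. render_syncrepl() only mirrors the binddn=cn=<adminUser>,cn=config shape visible in the log; its other attributes and the hostnames are assumptions.

```python
"""Pre-flight check for an olcSyncRepl value before slapd sees it.

Added example for this thread, not code from the helm-openldap chart. The shape
produced by render_syncrepl() (binddn=cn=<adminUser>,cn=config) mirrors the
broken value in the posted log, "binddn=cn=,cn=config"; the other attributes
and the hostnames are assumptions, not the chart's templates.
"""
import re
import shlex

REQUIRED = ("rid", "provider", "binddn", "credentials", "searchbase", "type")
TLS_REQCERT = ("never", "allow", "try", "demand", "hard")
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")  # attribute=value, value non-empty


def render_syncrepl(rid, provider, admin_user, password, searchbase="cn=config",
                    tls_reqcert="demand"):
    """Assumed template: an empty admin_user yields the exact value slapd rejected."""
    return (f'rid={rid} provider={provider} binddn="cn={admin_user},cn=config" '
            f'bindmethod=simple credentials="{password}" searchbase="{searchbase}" '
            f'type=refreshAndPersist retry="60 +" starttls=critical tls_reqcert={tls_reqcert}')


def parse_syncrepl(value: str) -> dict:
    """key=value tokens, double quotes honoured (retry="60 +" stays one value)."""
    pairs = {}
    for tok in shlex.split(value):
        if "=" not in tok:
            raise ValueError(f"not a key=value token: {tok!r}")
        key, val = tok.split("=", 1)
        pairs[key] = val
    return pairs


def dn_problem(dn: str):
    """Message for the first RDN whose attribute value is empty or malformed, else None."""
    for rdn in dn.split(","):
        if not _RDN.match(rdn.strip()):
            return f"malformed RDN {rdn.strip()!r} in {dn!r}"
    return None


def validate_syncrepl(value: str) -> list:
    """Return [] for a value slapd would accept; otherwise the reasons it would not."""
    try:
        pairs = parse_syncrepl(value)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing {k}" for k in REQUIRED if k not in pairs]
    for key in ("binddn", "searchbase"):
        if key in pairs and (msg := dn_problem(pairs[key])):
            problems.append(f"{key}: {msg}")
    provider = pairs.get("provider", "")
    if provider and not re.match(r"^ldaps?://[^/\s]+$", provider):
        problems.append(f"provider is not an ldap(s) URI: {provider!r}")
    if pairs.get("credentials") == "":
        problems.append("empty credentials")
    if provider.startswith("ldap://") and pairs.get("starttls") not in ("yes", "critical"):
        problems.append("ldap:// provider without starttls: replication would run in cleartext")
    if "tls_reqcert" in pairs and pairs["tls_reqcert"] not in TLS_REQCERT:
        problems.append(f"unknown tls_reqcert {pairs['tls_reqcert']!r}")
    return problems


if __name__ == "__main__":
    # Constructed provider, following the headless-service naming seen in the thread's log.
    provider = "ldap://openldap-0.openldap-headless.openldap.svc.cluster.local:1389"
    for user in ("", "admin"):
        value = render_syncrepl("001", provider, user, "s3cret")
        print(f"adminUser={user!r}: {validate_syncrepl(value) or 'OK'}")
```

Run as a pre-sync hook (or simply against helm template output) this catches the empty-DN case before a pod ever starts and leaves a persistent volume half-initialised, which is the state the earlier "Using persisted data" log was masking.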

jp-gouin commented 2 weeks ago

Glad to hear !

Yes, StartTLS is an encryption mechanism on the ldap port. This mechanism upgrades the communication to an encrypted one.

You should see some errors while waiting for all pods to start. And at runtime it's normal to see some errors due to the self-signed certificate, but this does not prevent the replication from running, thanks to the replication.tls_reqcert value.

I'm actively looking into fixing this.

Feel free to close the issue.
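The point in the reply above, StartTLS on the ldap:// port, is worth seeing on the wire. The client sends an LDAP ExtendedRequest carrying OID 1.3.6.1.4.1.1466.20037 in cleartext; the server answers with an ExtendedResponse, and only on resultCode 0 does the TLS handshake run on the same socket. That ordering is what the posted log shows: the LDAP layer says yes, certificate verification then rejects the self-signed certificate, and ldap_start_tls reports failure. On the naming question raised earlier: libldap reads TLS_REQCERT from ldap.conf, and from the environment as LDAPTLS_REQCERT (per ldap.conf(5), environment variables are the option name prefixed with LDAP), so that spelling is the client library's own. The code below is an added example written against the Python standard library, not chart code; the hostnames, the ca.crt path and the sample server replies are constructed, and a client given an ldaps:// URI would skip start_tls() and wrap the socket immediately.

```python
"""LDAP StartTLS on the plain port, step by step, with only the standard library.

Added example for this thread, not chart code. The client sends the StartTLS
extended operation (OID 1.3.6.1.4.1.1466.20037) as an ordinary LDAP message on
port 1389; only after the server answers success does the TLS handshake run on
the same socket. Hostnames, the CA path and the sample replies are constructed.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext)  # msg_id < 128 assumed

def starttls_response(msg_id=1, result_code=0, diag="") -> bytes:
    """Constructed server reply (ExtendedResponse [APPLICATION 24]) to drive the parser offline."""
    body = (_tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diag.encode())
            + _tlv(0x8A, STARTTLS_OID))  # resultCode, matchedDN, diagnosticMessage, responseName
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x78, body))

def parse_starttls_response(data: bytes) -> dict:
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError(f"expected ExtendedResponse, got tag 0x{tag:02x}")
    _, rc, pos = _read_tlv(body, 0)
    _, _, pos = _read_tlv(body, pos)  # matchedDN, unused here
    _, diag, pos = _read_tlv(body, pos)
    name = None
    if pos < len(body):
        tag, val, _ = _read_tlv(body, pos)
        name = val.decode() if tag == 0x8A else None
    return {"message_id": int.from_bytes(mid, "big"), "result_code": int.from_bytes(rc, "big"),
            "diagnostic": diag.decode(errors="replace"), "response_name": name}

def tls_context(reqcert: str, cafile=None) -> ssl.SSLContext:
    """libldap TLS_REQCERT (env LDAPTLS_REQCERT) onto an ssl context: 'never' skips verification,
    'demand'/'hard' verify chain and name; 'allow'/'try' are treated as 'demand' here (assumption)."""
    ctx = ssl.create_default_context(cafile=cafile)
    if reqcert == "never":
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during StartTLS")
        buf += chunk
    return buf

def start_tls(sock, ctx: ssl.SSLContext, server_hostname: str) -> ssl.SSLSocket:
    """The upgrade: LDAP-level yes/no first, then the handshake on the same socket."""
    sock.sendall(starttls_request(1))
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    reply = parse_starttls_response(head + _recv_exact(sock, length))
    if reply["result_code"] != 0:
        raise RuntimeError(f"server refused StartTLS: rc={reply['result_code']} {reply['diagnostic']!r}")
    # A certificate the context rejects fails here, after the LDAP layer already said yes:
    # the pairing in the posted log ("self-signed certificate", then "ldap_start_tls failed").
    return ctx.wrap_socket(sock, server_hostname=server_hostname)

if __name__ == "__main__":
    host, port = "openldap-0.openldap-headless.openldap.svc.cluster.local", 1389  # ldap:// provider from the log
    ctx = tls_context("demand", cafile="ca.crt")  # assumed path to the chart's CA certificate
    with socket.create_connection((host, port), timeout=10) as raw:
        tls = start_tls(raw, ctx, host)  # for an ldaps:// URI you would wrap_socket() straight away
        print(tls.version(), tls.getpeercert().get("subject"))
```

With reqcert set to "demand" and the chart's CA in cafile, the handshake succeeds against the self-signed certificate that the log complains about, because it is then the trusted root rather than an unknown issuer; "never" makes the warning disappear but also removes any authentication of the replication peer.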