jp-gouin / helm-openldap

Helm chart of Openldap in High availability with multi-master replication and PhpLdapAdmin and Ltb-Passwd
Apache License 2.0

PhpLdapAdmin : connect to openldap with LDAPS and custom certificates #182

Closed RorFis closed 1 month ago

RorFis commented 1 month ago

Hi,

I'm trying to set up PhpLdapAdmin to connect to the openldap server through its ldaps port. I use custom certificates on openldap (certificates signed by my CA). Since it seems PLA cannot be configured to use the ldaps port in values.yaml, I had to modify the following. PhpLdapAdmin values.yaml:

---
env:
  PHPLDAPADMIN_HTTPS: "false"
  PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
  PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: ca.crt
  PHPLDAPADMIN_LDAP_CLIENT_TLS_CRT_FILENAME: tls.crt
  PHPLDAPADMIN_LDAP_CLIENT_TLS_KEY_FILENAME: tls.key
  PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT: "never"
replicaCount: 1
image:
  repository: osixia/phpldapadmin
  tag: 0.9.0
  pullPolicy: IfNotPresent
  pullSecrets: []
initContainers: 
  - name: copy-ro-certs
    image: busybox
    command: ['sh', '-c', 'cp /tmp-certs/* /container/service/ldap-client/assets/certs/;']
    volumeMounts:
      - name: ldap-certs
        mountPath: /tmp-certs
      - name: pla-certs
        mountPath: /container/service/ldap-client/assets/certs
volumeMounts: 
  - mountPath: /container/service/ldap-client/assets/certs
    name: pla-certs
volumes: 
  - name: ldap-certs
    secret:
      secretName: openldap-tls-secrets
  - name: pla-certs
    emptyDir: {}
service:
  type: ClusterIP
  port: 80
  annotations: {}
ingress:
  enabled: false
  annotations: {}
  path: /
  tls: []
readinessProbe:
  httpGet:
    path: /
    port: http
livenessProbe:
  httpGet:
    path: /
    port: http
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}

The idea here is to copy the CA certificates to trust the ldaps certificate. openldap-tls-secrets is composed of ca.crt, tls.key and tls.crt.

configmap.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "phpldapadmin.fullname" . }}
  labels:
    app: {{ template "phpldapadmin.name" . }}
    chart: {{ template "phpldapadmin.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
data:
{{ toYaml .Values.env | indent 2 }}
  PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{ '{{ template "global.server" . }}'  : [{'server': [{'tls': True},{'port':{{ .Values.global.sslLdapPort }}}]},{'login': [{'bind_id': '{{ template "global.bindDN" . }}'  }]}]}]"

Here I changed the port to use sslLdapPort. On PLA, when trying to connect with the admin user, I get: [screenshot]

On the openldap pods, I get the error :

6697df2d.05320dbb 0x7fddc33326c0 conn=2167 fd=22 ACCEPT from IP=172.16.24.203:44910 (IP=0.0.0.0:1636)
6697df2d.05341d73 0x7fddc2b316c0 TLS: can't accept: error:0A00010B:SSL routines::wrong version number.
6697df2d.0535aec1 0x7fddc2b316c0 conn=2167 fd=22 closed (TLS negotiation failure)

The LDAPS port is working, I can ldapsearch locally from the pods as well as outside the cluster using the openldap service (while trusting my custom certificates). Seems to me it is a trust issue. Am I missing something?

jp-gouin commented 1 month ago

Looks like an SSL version mismatch. This is currently not supported; I ran across issues when I created the chart regarding ldaps and PLA. Feel free to investigate and propose a PR 🙂

RorFis commented 1 month ago

Ok, thank you!
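Added example (editor's, not code from the issue or from the helm-openldap chart): it reconstructs what slapd's LDAPS listener received in the log above and why OpenSSL reports it as "wrong version number". The error is raised on the very first record when the bytes do not look like a TLS record, which is what happens when a client speaks plaintext LDAP to a TLS-only port. The mapping of phpLDAPadmin server settings to wire behaviour is an assumption about PLA (an `ldaps://` host URI means TLS from the first byte, `'tls': True` means `ldap_start_tls()` over a plaintext connection, i.e. StartTLS, whatever the port); the host name `openldap`, the bind DN and password, and the truncated ClientHello body are constructed sample data.

```python
# Editor's added example; not from the issue or the chart. Builds the first bytes
# three kinds of LDAP client send and applies the first-record check OpenSSL
# performs, which is where "SSL routines::wrong version number" comes from.

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def ber_length(n: int) -> bytes:
    """BER definite-form length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, body: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(body)) + body


def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return ber(0x30, ber(0x02, bytes([message_id])) + protocol_op)


def starttls_request(message_id: int = 1) -> bytes:
    """ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID } with the StartTLS
    OID. A StartTLS client sends this in the clear; TLS only begins after the reply."""
    return ldap_message(message_id, ber(0x77, ber(0x80, STARTTLS_OID)))


def simple_bind_request(dn: bytes, password: bytes, message_id: int = 1) -> bytes:
    """BindRequest [APPLICATION 0] { version INTEGER 3, name LDAPDN, authentication [0] simple }"""
    op = ber(0x02, b"\x03") + ber(0x04, dn) + ber(0x80, password)
    return ldap_message(message_id, ber(0x60, op))


def tls_client_hello_record(hello_body: bytes = b"\x01\x00\x00\x00") -> bytes:
    """TLS record header in front of a constructed, truncated ClientHello:
    ContentType handshake (22), legacy_record_version 3.1, two-byte length."""
    return b"\x16\x03\x01" + len(hello_body).to_bytes(2, "big") + hello_body


def openssl_first_record_check(data: bytes) -> str:
    """Simplified mirror of the sanity check OpenSSL applies to the first record a
    client sends: the record version's major byte (data[1]) must be 3, otherwise the
    handshake aborts with SSL_R_WRONG_VERSION_NUMBER (reason 0x10B in 0A00010B).
    A BER LDAPMessage starts 0x30 <length>, so its second byte is never 3 in practice."""
    if len(data) < 5:
        return "record too short"  # simplification, not an OpenSSL reason string
    if data[1] != 0x03:
        return "wrong version number"
    if data[0] != 0x16:
        return "not a handshake record"  # simplification, not an OpenSSL reason string
    return "ok"


def pla_first_bytes(host: str, port: int, tls: bool) -> tuple:
    """First bytes a phpLDAPadmin server entry makes the PHP LDAP client send.
    ASSUMPTION about PLA semantics (not stated in the issue): an ldaps:// host URI
    gives LDAPS (TLS from byte one); 'tls': True gives ldap_start_tls(), i.e. a
    plaintext StartTLS ExtendedRequest, regardless of which port is configured."""
    if host.startswith("ldaps://"):
        return (f"LDAPS to {host}:{port}: TLS ClientHello first", tls_client_hello_record())
    if tls:
        return (f"StartTLS to {host}:{port}: plaintext ExtendedRequest first", starttls_request())
    # Constructed sample credentials, not from the issue.
    bind = simple_bind_request(b"cn=admin,dc=example,dc=org", b"secret")
    return (f"plain LDAP to {host}:{port}: plaintext BindRequest first", bind)


def slapd_ldaps_listener_verdict(host: str, port: int, tls: bool) -> str:
    """What slapd's TLS-only listener (the 1636 port in the log) answers to that opening."""
    _, first_bytes = pla_first_bytes(host, port, tls)
    return openssl_first_record_check(first_bytes)


if __name__ == "__main__":
    # The thread's PHPLDAPADMIN_LDAP_HOSTS entry: 'tls': True with the ssl port.
    for host, port, tls in [("openldap", 1636, True), ("ldaps://openldap", 1636, False)]:
        mode, first = pla_first_bytes(host, port, tls)
        print(f"{mode}\n  first bytes: {first[:9].hex(' ')} ...\n"
              f"  slapd verdict: {slapd_ldaps_listener_verdict(host, port, tls)}")
```

Run stand-alone, the first configuration (the thread's: `'tls': True` pointed at the ssl port) produces `30 1d 02 01 01 77 18 80 16 ...` and the verdict "wrong version number", matching the slapd log; the second (an `ldaps://` host with `'tls': False`) produces a TLS record and passes. Two practitioner caveats on the posted values: `PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT: "never"` tells the client not to verify the server certificate at all, so once ca.crt is in place it is better left at "demand"; and the copied ca.crt only matters once the client actually negotiates TLS, which the posted configuration never reaches.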