Open Cinux90 opened 7 years ago
I have the same problem
We also have this problem. While playing around with

ldapwhoami -H ldap://ldap.example.com -x -ZZ

I noticed that it was not working from outside the container. There I got the following log lines:
58862bbd conn=1007 fd=16 ACCEPT from IP=10.20.0.50:46270 (IP=0.0.0.0:389)
58862bbd conn=1007 op=0 EXT oid=1.3.6.1.4.1.1466.20037
58862bbd conn=1007 op=0 STARTTLS
58862bbd conn=1007 op=0 RESULT oid= err=0 text= TLS: can't accept: No certificate was found..
58862bbd conn=1007 fd=16 closed (TLS negotiation failure)
But from inside the openldap container it seems to work:
58862bb8 conn=1006 fd=16 ACCEPT from IP=127.0.0.1:45578 (IP=0.0.0.0:389)
58862bb8 conn=1006 op=0 EXT oid=1.3.6.1.4.1.1466.20037
58862bb8 conn=1006 op=0 STARTTLS
58862bb8 conn=1006 op=0 RESULT oid= err=0 text=
58862bb8 conn=1006 fd=16 TLS established tls_ssf=128 ssf=128
58862bb8 conn=1006 op=1 BIND dn="" method=128
58862bb8 conn=1006 op=1 RESULT tag=97 err=0 text=
58862bb8 conn=1006 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.3
58862bb8 conn=1006 op=2 WHOAMI
58862bb8 conn=1006 op=2 RESULT oid= err=0 text=
58862bb8 conn=1006 op=3 UNBIND
58862bb8 conn=1006 fd=16 closed
So how can this be solved? Is this typical for a problem with the network configuration, or a DNS reverse lookup problem? How can I test this?
I ran into the same issue and found a solution.
The problem arises from client verification and can be fixed by adding --env LDAP_TLS_VERIFY_CLIENT=try to your docker run command; according to the docs the variable defaults to 'demand' (https://github.com/osixia/docker-openldap#defaultyaml).
Note that this will disable client authentication. If you intend to use that, you might want to check that all client certs are signed properly and that the CA certs are imported into your LDAP server's trust store.
@betagan thanks for the response. Indeed, LDAP_TLS_VERIFY_CLIENT is set to demand by default, so the clients must provide a certificate signed by the LDAP server's trusted certificate authorities.
Possible values are: never | allow | try | demand (http://www.openldap.org/doc/admin24/tls.html)
It's not really a good idea to use the image default certificate and certificate authority.
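The two replies above make two points that are easy to conflate: the failing connection is the one that never reaches "TLS established", and whether slapd tolerates a missing client certificate depends on the TLSVerifyClient value (never | allow | try | demand) that LDAP_TLS_VERIFY_CLIENT feeds into. The following script is an added example, written for this page and not part of the osixia/docker-openldap project or of anyone's post: it parses slapd stats-level log lines into per-connection records so that TLS negotiation failures and their peer address can be listed, and it encodes the TLSVerifyClient semantics from slapd.conf(5) so you can predict the outcome for a given setting and client. SAMPLE_LOG is constructed here, modelled on the two connections quoted in the thread; the function and class names are the editor's own.

```python
"""Added example: classify STARTTLS outcomes in slapd logs and predict them
for a given TLSVerifyClient setting (slapd.conf(5) semantics)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the thread: conn 1007 (remote, no client
# cert) fails under the image default "demand"; conn 1006 (local) succeeds.
SAMPLE_LOG = """\
58862bbd conn=1007 fd=16 ACCEPT from IP=10.20.0.50:46270 (IP=0.0.0.0:389)
58862bbd conn=1007 op=0 EXT oid=1.3.6.1.4.1.1466.20037
58862bbd conn=1007 op=0 STARTTLS
58862bbd conn=1007 op=0 RESULT oid= err=0 text= TLS: can't accept: No certificate was found..
58862bbd conn=1007 fd=16 closed (TLS negotiation failure)
58862bb8 conn=1006 fd=16 ACCEPT from IP=127.0.0.1:45578 (IP=0.0.0.0:389)
58862bb8 conn=1006 op=0 EXT oid=1.3.6.1.4.1.1466.20037
58862bb8 conn=1006 op=0 STARTTLS
58862bb8 conn=1006 op=0 RESULT oid= err=0 text=
58862bb8 conn=1006 fd=16 TLS established tls_ssf=128 ssf=128
58862bb8 conn=1006 op=1 BIND dn="" method=128
58862bb8 conn=1006 op=2 WHOAMI
58862bb8 conn=1006 op=3 UNBIND
58862bb8 conn=1006 fd=16 closed
"""

CONN_RE = re.compile(r"\bconn=(\d+)")
ACCEPT_RE = re.compile(r"ACCEPT from IP=([\d.]+):(\d+)")
TLS_OK_RE = re.compile(r"TLS established tls_ssf=(\d+)")
TLS_ERR_RE = re.compile(r"TLS: (.+)$")
CLOSED_RE = re.compile(r"\bclosed \((.+)\)")


@dataclass
class Conn:
    conn_id: int
    peer: str = "?"
    starttls: bool = False            # client sent the STARTTLS extended op
    tls_ssf: Optional[int] = None     # set once slapd logs "TLS established"
    tls_error: Optional[str] = None   # text after "TLS:" in an error line
    close_reason: Optional[str] = None

    @property
    def tls_failed(self) -> bool:
        return self.starttls and self.tls_ssf is None and (
            self.tls_error is not None
            or self.close_reason == "TLS negotiation failure")


def parse_slapd_log(text: str) -> Dict[int, Conn]:
    conns: Dict[int, Conn] = {}
    pending: List[int] = []   # STARTTLS issued, outcome not yet logged
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m is None:
            # The TLS-layer message may be logged on its own line with no
            # conn= tag; attribute it to the newest unresolved STARTTLS.
            err = TLS_ERR_RE.search(line)
            if err and pending:
                conns[pending[-1]].tls_error = err.group(1)
            continue
        cid = int(m.group(1))
        c = conns.setdefault(cid, Conn(cid))
        if a := ACCEPT_RE.search(line):
            c.peer = f"{a.group(1)}:{a.group(2)}"
        if line.endswith(" STARTTLS"):
            c.starttls = True
            pending.append(cid)
        if ok := TLS_OK_RE.search(line):
            c.tls_ssf = int(ok.group(1))
        if err := TLS_ERR_RE.search(line):
            c.tls_error = err.group(1)
        if cl := CLOSED_RE.search(line):
            c.close_reason = cl.group(1)
        if (c.tls_ssf is not None or c.close_reason) and cid in pending:
            pending.remove(cid)
    return conns


def tls_failures(conns: Dict[int, Conn]) -> List[str]:
    """One line per connection whose STARTTLS never reached 'TLS established'."""
    return [f"conn={c.conn_id} from {c.peer}: {c.tls_error or c.close_reason}"
            for c in conns.values() if c.tls_failed]


def starttls_outcome(verify_client: str, client_cert: Optional[str]) -> str:
    """TLSVerifyClient semantics per slapd.conf(5). client_cert: None = none
    sent, "trusted" = chains to a CA in the server's trust store,
    "untrusted" = anything else."""
    v = verify_client.lower()
    if v == "never":                      # certificate is not even requested
        return "established"
    if v in ("demand", "hard", "true"):   # must be present and valid
        return "established" if client_cert == "trusted" else "failed"
    if v == "try":                        # absent is fine, bad is fatal
        return "failed" if client_cert == "untrusted" else "established"
    if v == "allow":                      # requested but never enforced
        return "established"
    raise ValueError(f"unknown TLSVerifyClient value: {verify_client}")


if __name__ == "__main__":
    for report in tls_failures(parse_slapd_log(SAMPLE_LOG)):
        print(report)
    print("demand, no client cert ->", starttls_outcome("demand", None))
    print("try, no client cert    ->", starttls_outcome("try", None))
```

Run against the sample, the script lists only conn=1007 from 10.20.0.50, which is exactly the ldapwhoami call that sent no client certificate and was closed under the default demand. Switching to try admits certificate-less clients but still rejects a client that presents a certificate the server cannot chain to its CA; if you would rather keep demand, the client has to present a certificate signed by a CA in the server's trust store, which for the OpenLDAP command-line tools means TLS_CERT, TLS_KEY and TLS_CACERT in ldap.conf or ldaprc (see ldap.conf(5)).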
I have this same issue. The suggested solution of:
--env LDAP_TLS_VERIFY_CLIENT=try
Not sure why it's not verifying the client certificate. Any reason for this?
Hi All,
I'm trying to connect via JXplorer to the Docker container in which ldapd is running. Information which I use to connect to LDAP via JXplorer:
Every time a connection is successful I face the dialog regarding the untrusted certificate. I can also show the certificate and see this at the Subject: CN=docker-light-baseimage. So there should be a certificate.
But if I click on "trust for this session" I face the following error at the Docker container:
Of course without SSL it works well. But it's not my intention to work without SSL.
If I check in the container for certificates, I find this:
I have no idea why it doesn't find any certificate.
I have attached the output from starting the server with the following command:
docker run -it --name ldap -p 389:389 -p 636:636 osixia/openldap:1.1.7
ldap_start.txt
I have no idea how to fix it. Maybe some of you can help to fix the issue?
Greetings, Cinux90