Open legoheld opened 9 years ago
It looks like openldap required cipher suite can't be satisfied by your host. Try updating openssl / gnutls-bin on the host where you ran the ldapsearch command.
The other option is to be more permissive on the cipher suite:
Change or delete the line with olcTLSCipherSuite
in image/service/slapd/assets/config/tls/tls-enable.ldif
and rebuild the image.
Note that by default the TLS configuration also requires a client certificate, so if you conform with the cipher suite you will probably have another issue right away.
If you don't want to check the client certificate, also change olcTLSVerifyClient: demand
to olcTLSVerifyClient: never
in image/service/slapd/assets/config/tls/tls-enable.ldif
More help: http://www.openldap.org/doc/admin24/tls.html
A new version of the image is now available: 1.0.2
It offers new TLS environment variables that make the TLS configuration more customizable (see the project readme).
With the new image you can try:
docker run -p 390:389 -p 636:636 -h ldap.***.com --name="ldaps" -e LDAP_TLS_PROTOCOL_MIN=3.0 -e LDAP_TLS_CIPHER_SUITE=NORMAL -e LDAP_TLS_VERIFY_CLIENT=never -d osixia/openldap:1.0.2
and
ldapsearch -x -h ldap.***.com -p 390 -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -Z
Does it solve this issue?
Hi, thanks for your support! I tried and I get the following error on the client:
ldapsearch -x -h ldap.lernetz.ch -p 390 -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -Z
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
ldap_result: Can't contact LDAP server (-1)
Makes sense, as you generate a self-signed certificate that I don't trust on the client. Let me check that again with my own certificates. I will keep you informed.
Ran into the same issue, only I was providing my own real certs. I think it has to do with gnutls. Will do more research and post back.
Thanks for the env variables LDAP_TLS_CIPHER_SUITE and LDAP_TLS_VERIFY_CLIENT, I had a similar situation and it worked once I set these variables as suggested.
I'm hitting this issue as well and can't seem to get it working even with the added options of... LDAP_TLS_VERIFY_CLIENT=never LDAP_TLS_PROTOCOL_MIN=3.0 LDAP_TLS_CIPHER_SUITE=NORMAL
On the client side, I'm running ldapsearch -d 1 -H ldaps://my-openldap:636 -Z
and getting...
A TLS packet with unexpected length was received
On the server side I'm seeing...
TLS: Can't accept: Could not negotiate a supported cipher suite..
Any thoughts?
My issue ended up being that gnutls/openssl on my server were not updated enough to support TLS_PROTOCOL_MIN 3.0 and the Normal Cipher (SECURE192:+VERS-SSL3.0)
The symptom is as follows: I was able to handshake and get the certificate via
openssl s_client -connect [client address and port]
but the slapd log shows the error message when using ldapsearch -H ldaps://xxx
TLS: unsupported cipher xxx
Ended up setting
LDAP_TLS_VERIFY_CLIENT=never LDAP_TLS_PROTOCOL_MIN=1.2 LDAP_TLS_CIPHER_SUITE=SECURE128:-VERS-SSL3.0:+VERS-TLS1.2
Not the greatest security, but I was able to get the authentication going without issues.
@rudyzhou2 thanks for your feedback :)
Amazing container, made my ldap life so much easier! Thank you so much, really appreciate it!
I'd like to reopen this. Even downgrading the settings for TLS as above (and checking that I have those available), did not solve this for me. I still get the same error: "ignoring dhfile".
Any updates on those problems?
Out of the box 1.1.8 image fails on openldap | TLS: can't accept: Could not negotiate a supported cipher suite..
for 3977655f777a some.url:5000/teesnap-openldap:4 "/container/tool/run" 7 days ago Up 53 minutes 0.0.0.0:389->389/tcp, 0.0.0.0:636->636/tcp
Just in case that is still in question here, e.g. for getting the LDAPS connection to work with Nexus Repository Manager I had to add NORMAL: to SECURE256:-VERS-SSL3.0, so NORMAL:SECURE256:-VERS-SSL3.0
StartTLS will work with SECURE256:-VERS-SSL3.0 though on other clients.
So maybe the default is a bit too tight, but maybe there is no such thing. You might just want the cipher selection to be part of the primary steps in the docs, since the clients are not too verbose about the connection issue and people could take a while. My client did not say anything, but the server logs did.
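Several posts above (SECURE192:+VERS-SSL3.0, SECURE128:-VERS-SSL3.0:+VERS-TLS1.2, NORMAL:SECURE256:-VERS-SSL3.0) work by hand-editing the GnuTLS priority string that the image passes through LDAP_TLS_CIPHER_SUITE / olcTLSCipherSuite. The script below is an added example, not code from the osixia/openldap project or from anyone in this thread: it parses such a priority string in order (keyword, then +/- modifiers) and audits a container's LDAP_TLS_* variables for the settings that the workarounds loosened. The base set of protocol versions a keyword starts with is a constructed assumption for illustration; the real set depends on the installed GnuTLS version, which is the underlying cause of the host-to-host differences reported here.

```python
"""
Added example (not part of osixia/openldap): parse GnuTLS priority strings
as used in LDAP_TLS_CIPHER_SUITE / olcTLSCipherSuite and audit the
LDAP_TLS_* environment of a container for weak settings.
"""

# Assumption (constructed): every base keyword starts with this version set.
# Real GnuTLS defaults vary by release; this table is illustrative only.
DEFAULT_VERSIONS = frozenset({"VERS-TLS1.0", "VERS-TLS1.1", "VERS-TLS1.2"})

# Base keywords GnuTLS accepts at the start of a priority string.
KNOWN_KEYWORDS = {"NORMAL", "SECURE128", "SECURE192", "SECURE256",
                  "PFS", "PERFORMANCE", "LEGACY", "NONE"}


def parse_priority(priority):
    """Split 'NORMAL:SECURE256:-VERS-SSL3.0' into an ordered list of
    (op, value) tuples where op is 'keyword', 'add' or 'remove'."""
    ops = []
    for token in priority.split(":"):
        token = token.strip()
        if not token:
            raise ValueError("empty token in priority string")
        if token[0] == "+":
            ops.append(("add", token[1:].upper()))
        elif token[0] in "-!":          # GnuTLS treats '-' and '!' as removal
            ops.append(("remove", token[1:].upper()))
        elif token.upper() in KNOWN_KEYWORDS:
            ops.append(("keyword", token.upper()))
        else:
            raise ValueError(f"unknown token {token!r}")
    if not ops or ops[0][0] != "keyword":
        raise ValueError("priority string must begin with a keyword such as NORMAL")
    return ops


def enabled_versions(priority):
    """Apply the VERS-* modifiers in order and return the enabled protocol
    versions (under the constructed DEFAULT_VERSIONS assumption)."""
    versions = set(DEFAULT_VERSIONS)
    for op, value in parse_priority(priority):
        if not value.startswith("VERS-"):
            continue                    # cipher/MAC/KX modifiers are not modelled here
        if op == "add":
            versions.add(value)
        elif op == "remove":
            versions.discard(value)
    return versions


def audit_tls_env(env):
    """Return findings for the LDAP_TLS_* variables the image understands."""
    findings = []
    suite = env.get("LDAP_TLS_CIPHER_SUITE")
    if suite and "VERS-SSL3.0" in enabled_versions(suite):
        findings.append("cipher suite enables SSLv3; add -VERS-SSL3.0")
    # OpenLDAP's olcTLSProtocolMin uses major.minor: 3.0 is SSLv3, 3.1 is TLS 1.0
    if env.get("LDAP_TLS_PROTOCOL_MIN") == "3.0":
        findings.append("LDAP_TLS_PROTOCOL_MIN=3.0 permits SSLv3")
    if env.get("LDAP_TLS_VERIFY_CLIENT", "").lower() == "never":
        findings.append("client certificates are not verified (LDAP_TLS_VERIFY_CLIENT=never)")
    return findings


if __name__ == "__main__":
    # Constructed sample: the variables suggested earlier in this thread.
    sample_env = {
        "LDAP_TLS_PROTOCOL_MIN": "3.0",
        "LDAP_TLS_CIPHER_SUITE": "SECURE192:+VERS-SSL3.0",
        "LDAP_TLS_VERIFY_CLIENT": "never",
    }
    for finding in audit_tls_env(sample_env):
        print("finding:", finding)
```

When the server log says "Could not negotiate a supported cipher suite", compare the versions this parser reports as enabled with what the client offers; a string that relaxes the suite only to get a client connected should be re-tightened (drop +VERS-SSL3.0, restore LDAP_TLS_VERIFY_CLIENT=demand) once the client-side GnuTLS/OpenSSL has been updated.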
Any update?
When I run the latest image with:
And I try to search on the directory over LDAPS with:
I get the following log output and TLS negotiation failure:
I also tried to connect over ldaps:// with:
But I got the same "Could not negotiate a supported cipher suite.." exception. Is there anything I've done wrong or is there an issue with the image?