osixia / docker-openldap

OpenLDAP container image 🐳🌴
MIT License

connection lost #219

Open open7c opened 6 years ago

open7c commented 6 years ago

LDAP works very well without SSL. When enabling SSL, I can search the directory successfully from an Ubuntu 17 laptop and from an Ubuntu 16.04 server (the Docker host), but not from phpLDAPadmin (or from inside the phpLDAPadmin container) and not via a Nextcloud installation on this server.

The errors are:

ldapsearch -H ldaps://ldap.example.com:9519 -b dc=ldap,dc=example,dc=com -D "cn=admin,dc=ldap,dc=example,dc=com" -w xxx -v

ldap_initialize( ldaps://ldap.example.com:9519/??base )
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The log of the LDAP server gives:

5afac80f conn=1014 fd=12 ACCEPT from IP=172.17.0.1:55090 (IP=0.0.0.0:636)
5afac80f conn=1014 fd=12 TLS established tls_ssf=256 ssf=256
5afac80f conn=1014 fd=12 closed (connection lost)

This is the run command:

docker run \
        --detach \
        --env LDAP_ORGANISATION="xxx" \
        --env LDAP_DOMAIN="ldap.example.com" \
        --env LDAP_ADMIN_PASSWORD="xxx" \
        --env LDAP_TLS_VERIFY_CLIENT=never \
        --env LDAP_TLS_REQCERT=try \
        --env LDAP_TLS_REQ_CERT=try \
        --env LDAP_TLS_CRT_FILENAME=cert.pem \
        --env LDAP_TLS_KEY_FILENAME=privkey.pem \
        --env LDAP_TLS_CA_CRT_FILENAME=fullchain.pem \
        --hostname ldap.example.com \
        --name ldap.example.com \
        --publish 9518:389 \
        --publish 9519:636 \
        --restart always \
        --volume /srv/docker/ldap.example.com/etc/ldap/slapd.d:/etc/ldap/slapd.d \
        --volume /srv/docker/ldap.example.com/var/lib/ldap:/var/lib/ldap \
        --volume /etc/letsencrypt:/container/service/slapd/assets/certs \
        --volume /etc/letsencrypt/archive/ldap.example.com/fullchain5.pem:/container/service/slapd/assets/certs/fullchain.pem \
        --volume /etc/letsencrypt/archive/ldap.example.com/cert5.pem:/container/service/slapd/assets/certs/cert.pem \
        --volume /etc/letsencrypt/archive/ldap.example.com/privkey5.pem:/container/service/slapd/assets/certs/privkey.pem \
        osixia/openldap:1.2.0 --copy-service

This is the output of openssl s_client -connect ldap.example.com:9519 -verify 5, which succeeded:

verify depth is 5
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = ldap.example.com
verify return:1
---
Certificate chain
 0 s:/CN=ldap.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=ldap.example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3745 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: ADE4A4B499FDB4F2498618C42CEDAF599539F33CA5E8748C7C8459656EB72F33
    Session-ID-ctx: 
    Master-Key: A911C0967F55E6848B7438F3D88485DB88E162242204288B82B18778B093567412FB29E31A9CCA8F04CE66003F10B9E4
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1526385019
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

The output from the machine that failed:

verify depth is 5
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = ldap.example.com
verify return:1
---
Certificate chain
 0 s:/CN=ldap.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=ldap.example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3749 bytes and written 302 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 81E7FB7B79BA7348990E22CCB5826A1F8C293B2573F31808DDACE34FDF896E98
    Session-ID-ctx: 
    Master-Key: 9363D3652DF5ADF2FD4B4D3BA16547958C3A5BAE175E02AE6393734AB77313A2CBE4C31739EC3ADD5348FC430E418C82
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1526385085
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
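An added example (not code from this issue or from the osixia project) that parses slapd stats-log lines in the format quoted above and flags connections that completed the TLS handshake but were lost before any BIND, which narrows the search to the client side since the server had already finished its part of the handshake. The log sample is constructed from the lines in this issue plus one healthy connection for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in slapd "stats" log format, modelled on the lines quoted above.
# conn=1014 is the failing pattern; conn=1015 is a healthy bind added for contrast.
# 172.17.0.1 is Docker's default bridge gateway, so conn=1014 arrived from a container.
SAMPLE_LOG = """\
5afac80f conn=1014 fd=12 ACCEPT from IP=172.17.0.1:55090 (IP=0.0.0.0:636)
5afac80f conn=1014 fd=12 TLS established tls_ssf=256 ssf=256
5afac80f conn=1014 fd=12 closed (connection lost)
5afac812 conn=1015 fd=13 ACCEPT from IP=10.0.0.5:40122 (IP=0.0.0.0:636)
5afac812 conn=1015 fd=13 TLS established tls_ssf=256 ssf=256
5afac812 conn=1015 op=0 BIND dn="cn=admin,dc=ldap,dc=example,dc=com" method=128
5afac812 conn=1015 op=0 RESULT tag=97 err=0 text=
5afac813 conn=1015 fd=13 closed
"""

LINE_RE = re.compile(r"^(?P<ts>[0-9a-f]+) conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<src>[\d.]+):\d+ \(IP=[\d.]+:(?P<port>\d+)\)")


def parse_slapd_log(text):
    """Group slapd stats lines by connection id and record what happened on each."""
    conns = defaultdict(lambda: {"src": None, "port": None, "tls": False,
                                 "bind": False, "close": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-connection line; ignore
        c = conns[int(m.group("conn"))]
        rest = m.group("rest")
        a = ACCEPT_RE.search(rest)
        if a:
            c["src"], c["port"] = a.group("src"), int(a.group("port"))
        elif "TLS established" in rest:
            c["tls"] = True
        elif " BIND " in rest:
            c["bind"] = True
        elif "closed" in rest:
            # "closed (connection lost)" -> "connection lost"; bare "closed" -> "normal"
            c["close"] = rest.split("closed", 1)[1].strip("() ") or "normal"
    return dict(conns)


def aborted_after_tls(conns):
    """Ids of connections that finished TLS but were lost before any BIND: the server
    completed the handshake, so the client hung up, pointing at client-side TLS checks."""
    return sorted(cid for cid, c in conns.items()
                  if c["tls"] and not c["bind"] and c["close"] == "connection lost")
```

Run it against a real slapd log by replacing SAMPLE_LOG with the file contents; a high count from one source IP on port 636 is the signature seen in this issue.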
pasumarthivijaykumar commented 4 years ago

The same issue occurred for me also. Can you please let me know whether you got that issue fixed?

schmunk42 commented 4 years ago

While debugging another issue, I noticed that in the above config it seems that TLS is used, which usually runs on port 389. SSL runs on 636.