osixia / docker-openldap

OpenLDAP container image 🐳🌴
MIT License

StartTLS connections fail - error x5b (91) #499

Open stodge opened 3 years ago

stodge commented 3 years ago

I am running OpenLDAP in a container, my docker command is:

sudo docker run \
             --detach \
             --restart unless-stopped \
             --name openldap \
             --volume /etc/ldap/ssl:/container/service/slapd/assets/certs \
             --volume /srv/openldap/var_lib_ldap:/var/lib/ldap \
             --volume /srv/openldap/etc_ldap_slapd.d:/etc/ldap/slapd.d \
             --hostname xxxx.xxx \
             --env LDAP_ORGANISATION=wheelybird \
             --env LDAP_TLS_CRT_FILENAME=ldap_server.pem \
             --env LDAP_TLS_KEY_FILENAME=ldap_server.key \
             --env LDAP_TLS_CA_CRT_FILENAME=ca_server.pem \
             --env LDAP_DOMAIN=wheelybird.com \
             --env LDAP_ADMIN_PASSWORD=PASSWORD \
             --env LDAP_RFC2307BIS_SCHEMA=true \
             --env LDAP_REMOVE_CONFIG_AFTER_SETUP=true \
             --env LDAP_TLS=true \
             --env LDAP_TLS_VERIFY_CLIENT=try \
             -p 389:389 \
             -p 636:636 \
             osixia/openldap:latest \
             --loglevel debug

My client website can connect and get users over a regular connection, but fails using StartTLS:

5fe0f486 conn=1020 fd=12 ACCEPT from IP=<IP>:53082 (IP=0.0.0.0:389)
5fe0f486 conn=1020 op=0 EXT oid=<OID>.20037
5fe0f486 conn=1020 op=0 STARTTLS
5fe0f486 conn=1020 op=0 RESULT oid= err=0 text=
5fe0f486 conn=1020 fd=12 TLS established tls_ssf=256 ssf=256
5fe0f486 conn=1020 fd=12 closed (connection lost)

The client website is a HumHub installation, and it only reports an error 91. A quick browse gives me:

the LDAP client has lost either its connection or cannot establish a connection to the LDAP server

Which doesn't tell me anything.

Any suggestions appreciated.

Thanks
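The server-side log quoted above is the one clue the report has: slapd completes the StartTLS handshake (`TLS established`) and the very next event is `closed (connection lost)` with no bind or search in between. slapd never sees a client-side certificate verification failure; it only sees the client hang up. The following Python script is an added example (not code from the issue or from the osixia/docker-openldap project) that parses slapd `conn=` log lines and flags connections showing exactly that pattern, so the failure can be spotted from the server log even when the client only reports error 91. The sample log is constructed for this example: conn=1020 mirrors the failing sequence in the report, the other two connections and the IP addresses are made up.

```python
import re

# Constructed sample slapd log (stats-style lines), modelled on the format
# quoted in the issue. conn=1020 reproduces the failing sequence from the
# report; conn=1019 (plaintext) and conn=1021 (StartTLS then a bind) and the
# IP addresses are invented for this example.
SAMPLE_LOG = """\
5fe0f486 conn=1019 fd=11 ACCEPT from IP=203.0.113.10:53080 (IP=0.0.0.0:389)
5fe0f486 conn=1019 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
5fe0f486 conn=1019 op=0 RESULT tag=97 err=0 text=
5fe0f486 conn=1019 op=1 UNBIND
5fe0f486 conn=1019 fd=11 closed
5fe0f486 conn=1020 fd=12 ACCEPT from IP=203.0.113.10:53082 (IP=0.0.0.0:389)
5fe0f486 conn=1020 op=0 STARTTLS
5fe0f486 conn=1020 op=0 RESULT oid= err=0 text=
5fe0f486 conn=1020 fd=12 TLS established tls_ssf=256 ssf=256
5fe0f486 conn=1020 fd=12 closed (connection lost)
5fe0f487 conn=1021 fd=13 ACCEPT from IP=203.0.113.11:40100 (IP=0.0.0.0:389)
5fe0f487 conn=1021 op=0 STARTTLS
5fe0f487 conn=1021 op=0 RESULT oid= err=0 text=
5fe0f487 conn=1021 fd=13 TLS established tls_ssf=256 ssf=256
5fe0f487 conn=1021 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
5fe0f487 conn=1021 op=1 RESULT tag=97 err=0 text=
5fe0f487 conn=1021 op=2 UNBIND
5fe0f487 conn=1021 fd=13 closed
"""

# <timestamp> conn=<id> <rest of line>; the rest is kept as the event text.
LINE_RE = re.compile(r"^(?P<ts>\S+) conn=(?P<conn>\d+) (?P<event>.*)$")


def parse_connections(log_text):
    """Group slapd log events by connection id, in the order they appear."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines without a conn= field (startup noise) are ignored
        conns.setdefault(int(m.group("conn")), []).append(m.group("event"))
    return conns


def classify(events):
    """
    Classify one connection's event list:
      'plaintext'        - never negotiated StartTLS
      'tls_ok'           - handshake finished and the client sent operations
      'tls_client_abort' - handshake finished, then the socket closed before
                           any operation arrived. Heuristic: this is what a
                           client that rejects the server certificate (untrusted
                           CA, hostname mismatch) looks like from the server
                           side, because slapd never sees the verify error.
      'tls_pending'      - handshake finished, no later event in the log yet
    """
    tls_idx = next((i for i, e in enumerate(events)
                    if "TLS established" in e), None)
    if tls_idx is None:
        return "plaintext"
    after = events[tls_idx + 1:]
    # Operations are logged as "op=N ..."; a closed socket is "fd=N closed ...".
    if any(e.startswith("op=") for e in after):
        return "tls_ok"
    if any("closed" in e for e in after):
        return "tls_client_abort"
    return "tls_pending"


def suspicious_connections(log_text):
    """Ids of connections that died right after the TLS handshake."""
    return [cid for cid, ev in parse_connections(log_text).items()
            if classify(ev) == "tls_client_abort"]


if __name__ == "__main__":
    for cid, ev in parse_connections(SAMPLE_LOG).items():
        print(cid, classify(ev))
    print("suspicious:", suspicious_connections(SAMPLE_LOG))
```

Running it over the constructed log reports conn=1020 as the only suspicious connection. The "tls_client_abort" label is a heuristic, not a verdict: a client that verified the certificate fine but crashed would look the same, so the next step is always to reproduce from the client side with verbose TLS debugging, which is what the reply below does.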

williamdes commented 3 years ago

I had this error and I could debug it by using

-d 9

LDAPTLS_CERT=$(pwd)/mail.williamdes.eu.org.cer
LDAPTLS_KEY=$(pwd)/mail.williamdes.eu.org.key
LDAPTLS_CACERT=$(pwd)/ca.cer
ldapsearch -d 9 -Z -h ldap.mail.williamdes.eu.org -D "cn=John Pondu,ou=people,dc=mail,dc=williamdes,dc=eu,dc=org" -w 'JohnPassWord!645987zefdm' "*" -b "cn=John Pondu,ou=people,dc=mail,dc=williamdes,dc=eu,dc=org"

You can find more examples in https://github.com/desportes/infrastructure

I had to debug the following errors

Fixed by using ENVs on the CLI call

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_start_tls: Connect error (-11)
    additional info: (unknown error code)

Fixed by adding the host to the cert

TLS: hostname (ldap.mail.williamdes.eu.org) does not match common name in certificate (mail.williamdes.eu.org).
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_start_tls: Connect error (-11)
    additional info: (unknown error code)
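The second error above is a name-matching failure: the client connected to ldap.mail.williamdes.eu.org but the certificate only named mail.williamdes.eu.org, and the fix was to put the host into the certificate. The Python below is an added example (not code from this issue or from osixia/docker-openldap) that implements the matching rule a TLS client applies to the names in a certificate, following RFC 6125: names are compared case-insensitively, a wildcard may only stand for the whole leftmost label and matches exactly one label, and when the certificate carries a subjectAltName extension the dNSName entries are what count, with the subject CN only consulted as a fallback when there are no SAN DNS names (which is how OpenSSL's default hostname check behaves; some stacks ignore the CN outright, hence the `allow_cn_fallback` switch). The certificate names are taken from the error text on this page; the wildcard names in the tests are constructed.

```python
def dns_name_matches(pattern, hostname):
    """
    Does one certificate DNS name (possibly with a leading wildcard label)
    match the hostname the client connected to? Comparison is case-insensitive
    and trailing dots are ignored.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label ("*.example.org"),
    # must not be a public-suffix-style "*.org", and matches exactly one
    # label, so "*.example.org" does not cover "a.b.example.org".
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def find_matching_name(hostname, san_dns_names, common_name, allow_cn_fallback=True):
    """
    Return the certificate name that matched the hostname, or None.

    san_dns_names: dNSName entries from the subjectAltName extension
    common_name:   subject CN (only used when there are no SAN DNS names and
                   the caller permits the fallback)
    """
    if san_dns_names:
        for name in san_dns_names:
            if dns_name_matches(name, hostname):
                return name
        return None  # SAN present but no entry matched; CN is not consulted
    if allow_cn_fallback and common_name and dns_name_matches(common_name, hostname):
        return common_name
    return None


def describe_check(hostname, san_dns_names, common_name):
    """Human-readable verdict in the spirit of the libldap error message."""
    matched = find_matching_name(hostname, san_dns_names, common_name)
    if matched:
        return f"hostname ({hostname}) matches certificate name ({matched})"
    presented = san_dns_names or ([common_name] if common_name else [])
    return (f"hostname ({hostname}) does not match any certificate name "
            f"({', '.join(presented) or 'none'})")


if __name__ == "__main__":
    # Before the fix: CN-only certificate for a different host.
    print(describe_check("ldap.mail.williamdes.eu.org", [], "mail.williamdes.eu.org"))
    # After the fix: the LDAP host added as a SAN dNSName.
    print(describe_check("ldap.mail.williamdes.eu.org",
                         ["mail.williamdes.eu.org", "ldap.mail.williamdes.eu.org"],
                         "mail.williamdes.eu.org"))
```

Two things worth noticing when applying this to the container setup: the name the client verifies is whatever it was told to connect to (the `-h` argument, or the URI the web application is configured with), not the container's `--hostname`, so the certificate needs a SAN for the externally used name; and once any SAN DNS name is present, a matching CN alone no longer helps.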