osixia / docker-openldap

OpenLDAP container image 🐳🌴
MIT License
4.05k stars 977 forks

SSL issue when connecting from outside of the container(host machine) #543

Open vijaykumargumadi opened 3 years ago

vijaykumargumadi commented 3 years ago

While I am doing ldapsearch with startTLS inside the container it shows a success message,

when connecting from outside the container with startTLS it shows the error:

> [root@node-2 ~]# ldapsearch -H ldap://192.168.10.211:1390 -D "cn=admin,dc=example,dc=com" -w admin -b "dc=example,dc=com" -Z
> ldap_start_tls: Connect error (-11)
>   additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)
> ldap_result: Can't contact LDAP server (-1)

NOTE: for startTLS I am using `-Z`

**without startTLS:**

```
ldapsearch -H ldap://192.168.10.211:1390 -D "cn=admin,dc=example,dc=com" -w admin -b "dc=example,dc=com"
```

**my containers:**

```
[root@node-2 ~]# docker ps
CONTAINER ID   IMAGE                        COMMAND                  CREATED          STATUS          PORTS                                          NAMES
b0535b66afca   osixia/openldap:1.4.0        "/container/tool/run"    51 seconds ago   Up 49 seconds   0.0.0.0:9289->389/tcp, 0.0.0.0:9236->636/tcp   ldap_ldapB_1
612e8b37b308   ldapha                       "/docker-entrypoint.…"   51 seconds ago   Up 49 seconds   80/tcp, 0.0.0.0:1390->1389/tcp                 nginx-node-1
48b0bb2c3404   osixia/openldap:1.4.0        "/container/tool/run"    51 seconds ago   Up 50 seconds   0.0.0.0:9189->389/tcp, 0.0.0.0:9136->636/tcp   ldap_ldapA_1
e1a2114463ca   osixia/phpldapadmin:latest   "/container/tool/run"    51 seconds ago   Up 49 seconds   443/tcp, 0.0.0.0:8082->80/tcp                  ldap_phpldapadmin_1
```

![Screenshot1](https://user-images.githubusercontent.com/67826811/110075304-9b650a00-7da8-11eb-9df0-d1d659ff85d4.png)
vijaykumargumadi commented 3 years ago

screen shot: Screenshot1

koelle25 commented 3 years ago

Hi,

this happens because the TLS certificate used inside of the container is not trusted by your host OS (due to it being self-signed).

You'll have to copy the ca.crt out of the container and import it into your host OS trust store (Example for Ubuntu).

But you should consider using your own certificate, as otherwise the certificate will always be newly generated when creating a new container.

koelle25 commented 3 years ago

Oh, another method would be to create an .ldaprc file in your home directory and set TLS_REQCERT never in there. This tells ldapsearch (and the other LDAP cli tools) to not verify the certificate provided by the LDAP server.

You also have to make sure to set the LDAP_TLS_VERIFY_CLIENT environment variable of the container to something other than the default demand (which will require the connecting client to also provide a client certificate). Possible values are never, allow and try; for a description of what each of these does, see here.
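The two approaches in the comments above (trusting the container's CA on the host, or disabling verification with TLS_REQCERT never) can be turned into a small script. The following is an added example, not code from the issue or from the osixia project. It copies the CA out of the container and pins it for the LDAP client tools rather than switching verification off, and it includes a check that flags a client config which disables certificate checks. Assumptions not taken from the page: the CA certificate path inside the container (/container/service/slapd/assets/certs/ca.crt, the image's default location as I understand it), the local path ~/.ldap/ca.crt, and the container name and URI, which are reused from the issue's docker ps output.

```shell
#!/bin/sh
# Added example (not from the issue or the osixia project): trust the
# container's self-signed CA on the host instead of disabling verification.
# Assumed values (labelled, not from the page): the CA path inside the
# container and the local CA path; container name and URI come from the issue.

CONTAINER="${CONTAINER:-ldap_ldapB_1}"
LDAP_URI="${LDAP_URI:-ldap://192.168.10.211:1390}"
CA_IN_CONTAINER="/container/service/slapd/assets/certs/ca.crt"   # assumed default path
CA_LOCAL="${CA_LOCAL:-$HOME/.ldap/ca.crt}"                        # assumed local path

# Render an ~/.ldaprc that pins the container CA. TLS_REQCERT demand keeps
# server certificate verification on; only the trust anchor changes.
ldaprc_pinned() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

# Accept only the values LDAP_TLS_VERIFY_CLIENT understands (slapd's
# TLSVerifyClient keywords). Returns 0 for a valid value, 1 otherwise.
verify_client_valid() {
    case "$1" in
        never|allow|try|demand) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a client-side ldap.conf/.ldaprc: 'unsafe' when it disables server
# certificate checks, 'pinned' when it names a CA, 'default' otherwise.
classify_ldaprc() {
    if grep -qi '^[[:space:]]*TLS_REQCERT[[:space:]]*never' "$1"; then
        echo unsafe
    elif grep -qi '^[[:space:]]*TLS_CACERT[[:space:]]' "$1"; then
        echo pinned
    else
        echo default
    fi
}

# Copy the CA out of the running container and write the pinned .ldaprc.
fetch_ca() {
    mkdir -p "$(dirname "$CA_LOCAL")"
    docker cp "$CONTAINER:$CA_IN_CONTAINER" "$CA_LOCAL"
    ldaprc_pinned "$CA_LOCAL" > "$HOME/.ldaprc"
}

# Run the same search as in the issue, but with -ZZ so a failed StartTLS
# aborts instead of continuing in cleartext; -W prompts for the password
# rather than putting it on the command line.
check_starttls() {
    LDAPTLS_CACERT="$CA_LOCAL" ldapsearch -H "$LDAP_URI" -ZZ \
        -D "cn=admin,dc=example,dc=com" -W -b "dc=example,dc=com" -s base
}

# usage: sh ldap_tls_check.sh --run   (needs docker and ldapsearch on the host)
if [ "${1:-}" = "--run" ]; then
    fetch_ca
    check_starttls
fi
```

With the CA pinned this way, the "self signed certificate in certificate chain" error goes away while verification stays enabled; TLS_REQCERT never would also silence the error, but then the client accepts any certificate, so classify_ldaprc reports such a config as unsafe. Setting LDAP_TLS_VERIFY_CLIENT on the container to try (or allow or never) remains necessary if the host client has no client certificate to present.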