Open jiangzhaohui opened 4 years ago
I have the same problem.
Similar here. LDAP server says:
```
5dda7054 conn=1000 fd=12 ACCEPT from IP=172.17.22.3:37090 (IP=0.0.0.0:389)
5dda7054 conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
5dda7054 conn=1000 op=0 STARTTLS
5dda7054 conn=1000 op=0 RESULT oid= err=0 text=
5dda7054 conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
5dda7054 conn=1000 fd=12 closed (connection lost)
```
If your error is the same, you have two options:
See here for more info: http://phpldapadmin.sourceforge.net/wiki/index.php/Server:server:tls
Simply add PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT: "allow" (or never) to the environment of your phpldapadmin container. The TLS connection will be established even if for some reason the server certificate is invalid (e.g. the CA is not trusted).
Define a read-only volume in the phpldapadmin container and set the CA cert name via the environment:
```yaml
environment:
  ... other variables here ...
  PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: "live/ldap.example.org/fullchain.pem"
volumes:
  - /etc/letsencrypt:/container/service/ldap-client/assets/certs:ro
```
This one is set up to link the Let's Encrypt certificate of ldap.example.org, which is used by the ldap container (yours is different, obviously).
EDIT: Sorry guys, I just noticed PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT=never is used in the OP...
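The comment above describes two client-side settings (TLS_REQCERT and a CA file) without showing what the client actually does with them. The following is an added example, written for this page and not code from the thread or from the osixia images: it sends the StartTLS extended request that the slapd log records as `EXT oid=1.3.6.1.4.1.1466.20037`, parses the ExtendedResponse (the `RESULT ... err=0` line), and then runs the TLS handshake under a verify policy mapped from the OpenLDAP TLS_REQCERT keywords, so the three outcomes the thread is trying to tell apart (StartTLS refused, certificate rejected by the client, handshake fine) come back as distinct results. The BER encoding is hand-rolled so the exchange is visible; the host name, CA path and the use of `never`/`demand` as the two policies to compare are assumptions for the demo.

```python
import socket
import ssl
from typing import Optional, Tuple

# The OID slapd logs as "EXT oid=1.3.6.1.4.1.1466.20037" (RFC 4511 StartTLS).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    # One extra byte whenever the top bit would be set keeps the INTEGER positive.
    return ber_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def ber_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def starttls_request(msg_id: int = 1) -> bytes:
    """Client side: LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    op = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID.encode("ascii")))
    return ber_tlv(0x30, ber_int(msg_id) + op)


def starttls_response(msg_id: int, result_code: int, diag: str = "") -> bytes:
    """Server side: ExtendedResponse [APPLICATION 24] { resultCode, matchedDN, diagnosticMessage }."""
    op = ber_tlv(0x78, ber_tlv(0x0A, bytes([result_code])) + ber_tlv(0x04, b"") + ber_tlv(0x04, diag.encode()))
    return ber_tlv(0x30, ber_int(msg_id) + op)


def parse_extended_response(data: bytes) -> Tuple[int, int, str]:
    """Return (messageID, resultCode, diagnosticMessage); resultCode 0 is the 'err=0' in the slapd log."""
    tag, msg, _ = ber_read(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = ber_read(msg)
    tag, op, _ = ber_read(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = ber_read(op)
    _, _matched_dn, pos = ber_read(op, pos)
    _, diag, _ = ber_read(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def tls_context(reqcert: str = "demand", cafile: Optional[str] = None) -> ssl.SSLContext:
    """Approximate the OpenLDAP TLS_REQCERT keywords (what PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT
    ends up as in ldap.conf) with an ssl.SSLContext."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if reqcert in ("never", "allow"):
        # never/allow: the handshake completes even if the server cert is untrusted or absent.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        # try/demand/hard ("try" approximated as "demand"): an untrusted cert aborts the handshake.
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        if cafile:
            ctx.load_verify_locations(cafile)  # e.g. the mounted fullchain.pem (path is an assumption)
        else:
            ctx.load_default_certs()
    return ctx


def starttls_probe(host: str, port: int = 389, reqcert: str = "demand",
                   cafile: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Do what the failing client does: StartTLS in the clear, then the handshake under the policy."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request(1))
        # The ExtendedResponse is a few bytes long, so a single recv() is enough for this probe.
        _msg_id, code, diag = parse_extended_response(sock.recv(4096))
        if code != 0:
            return {"starttls": code, "diag": diag, "tls": None}
        try:
            with tls_context(reqcert, cafile).wrap_socket(sock, server_hostname=host) as tls:
                return {"starttls": 0, "tls": tls.version(), "cipher": tls.cipher()[0]}
        except ssl.SSLCertVerificationError as exc:
            # Certificate rejected by the client-side policy (demand without a usable CA).
            return {"starttls": 0, "tls": None, "error": exc.verify_message}
        except ssl.SSLError as exc:
            return {"starttls": 0, "tls": None, "error": str(exc)}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.org"  # assumed host name
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for policy in ("demand", "never"):
        print(policy, starttls_probe(host, reqcert=policy, cafile=ca))
```

Run it once with `demand` plus the CA file you mount into the container and once with `never`: if only the `never` run reaches `"tls"`, the certificate chain is the problem and the CA mount (or the cert's SAN for the host name you connect to) is what to fix, rather than the REQCERT knob.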
Edit: I have solved my issues; they were related to permissions, explanation at the bottom.
I can confirm I am having the same issue.
All other services can access LDAP just fine: ldapsearch works, LTB Self Service Password works, etc.
For PHPLDAPAdmin however, I noticed that PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT appears to be cached (at least using compose), which is why I wasn't having problems before. If you set it once, it appears it doesn't update later unless you delete the generated volumes, which led me to believe it was working after I commented it out from my compose file. On a clean volume (after using prune), things stopped working and I had no idea why. It's likely that this is why in the OP PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT=never is not working: it was set to demand at one point and never updated after.
As others have before, LDAP logs show nothing weird:
```
conn=1041 fd=12 ACCEPT from IP=172.17.21.4:39242 (IP=0.0.0.0:389)
conn=1041 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1041 op=0 STARTTLS
conn=1041 op=0 RESULT oid= err=0 text=
conn=1041 fd=12 TLS established tls_ssf=256 ssf=256
conn=1041 fd=12 closed (connection lost)
```
While `docker exec -it phpldapadmin cat /var/www/phpldapadmin/config/config.php` gives, at the end:
```php
/*
 * Autogenerated servers variables will come here
 */
$servers->newServer('ldap_pla');
$servers->setValue('server','host','openldap');
$servers->setValue('server','name','openldap');
$servers->setValue('server','host','ldap.REDACTED.com');
$servers->setValue('server','tls',true);
$servers->setValue('server','port','389');
$servers->setValue('login','bind_id','cn=admin,dc=REDACTED,dc=com');
```
Any update on this would be appreciated.
Edit: So it seems the problem was permissions. Both this and the openldap docker service try to mess with file permissions for the certificates. They end up making it so that one of the services can't read the certs at all if you mount both containers' certificate directories to the same place on your host (as one would, to centralize the certs), as they change the owner and read permissions. I ended up fixing it by simply starting both this and the openldap container with command: ['--copy-service'] and then mounting the certs directory as read only.
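The root cause this comment ends on, two containers rewriting owner and mode on a shared certificate directory until one of them can no longer open the files, is easy to confirm from the host before touching `--copy-service`. The following is an added example for this page, not code from the thread or the osixia images: it walks a certificate directory and reports which files a process with a given uid and group set could actually open, applying the owner/group/other read bit on each file plus the search (x) bit on every directory between the mount point and the file, with root treated as bypassing those bits. ACLs, capabilities other than root's override, SELinux and user-namespace uid remapping are not modelled. The uid/gid you pass is assumed to be the one the container process runs as (check with `docker exec <container> id`; which account that is depends on your image), and the fixture the script builds for itself is a constructed layout, not a real Let's Encrypt tree.

```python
import os
import stat
import tempfile
from typing import Iterable, Iterator, List, Tuple


def _bit_check(st: os.stat_result, uid: int, gids: set, ubit: int, gbit: int, obit: int) -> bool:
    """Classic Unix DAC: owner bits if you own it, else group bits if a group matches, else other."""
    if uid == 0:  # root bypasses DAC
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & ubit)
    if st.st_gid in gids:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)


def readable_by(path: str, uid: int, gids: Iterable[int]) -> bool:
    """Would a process with this uid and group set pass the read bit on the file itself?"""
    return _bit_check(os.stat(path), uid, set(gids), stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def searchable_by(path: str, uid: int, gids: Iterable[int]) -> bool:
    """Directory search (x) bit, needed to reach anything below the directory."""
    return _bit_check(os.stat(path), uid, set(gids), stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def _chain(top: str, path: str) -> Iterator[str]:
    """top and every directory between top and path, inclusive."""
    cur = top
    yield cur
    rel = os.path.relpath(path, top)
    if rel != os.curdir:
        for part in rel.split(os.sep):
            cur = os.path.join(cur, part)
            yield cur


def audit_cert_dir(top: str, uid: int, gids: Iterable[int]) -> List[Tuple[str, bool]]:
    """One (path, reachable-and-readable) pair per regular file under top, sorted by path."""
    gids = set(gids)
    results = []
    for root, _dirs, files in os.walk(top):
        reachable = all(searchable_by(d, uid, gids) for d in _chain(top, root))
        for name in files:
            p = os.path.join(root, name)
            results.append((p, reachable and readable_by(p, uid, gids)))
    return sorted(results)


def unreadable(top: str, uid: int, gids: Iterable[int]) -> List[str]:
    return [p for p, ok in audit_cert_dir(top, uid, gids) if not ok]


def make_sample_certs() -> dict:
    """Constructed fixture (placeholder files, not certificates): the layout after one container
    has tightened modes, live/ to 0700 and privkey.pem to 0600, as the comment above describes."""
    d = tempfile.mkdtemp(prefix="certs-")
    os.chmod(d, 0o755)
    live = os.path.join(d, "live")
    os.mkdir(live)
    os.chmod(live, 0o700)
    paths = {"dir": d, "uid": os.getuid(), "gid": os.getgid(),
             "privkey": os.path.join(d, "privkey.pem"),
             "fullchain": os.path.join(d, "fullchain.pem"),
             "inner": os.path.join(live, "cert.pem")}
    for key, mode in (("privkey", 0o600), ("fullchain", 0o644), ("inner", 0o644)):
        with open(paths[key], "w") as fh:
            fh.write("placeholder\n")
        os.chmod(paths[key], mode)
    return paths


if __name__ == "__main__":
    import sys
    # Usage: python check_certs.py /etc/letsencrypt <uid> <gid>
    # (uid/gid of the container process; an assumption, check your image with `docker exec ... id`)
    top, uid, gid = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    for p, ok in audit_cert_dir(top, uid, [gid]):
        print("ok        " if ok else "UNREADABLE", p)
```

Run it with the uid/gid of each of the two containers in turn; a file that is readable for one and unreadable for the other after both have started is the conflict described above, and a read-only mount stops either container from changing the answer at runtime.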
Hello, I am using osixia/openldap and osixia/docker-phpLDAPadmin on my localhost (Ubuntu 16.04, Docker version 18.09.2). I configured "127.0.0.1 ldap.my.com" in my /etc/hosts and started openldap by the command
and started phpLDAPadmin by the command
openldap can be accessed normally by "apache directory studio" and "ldap admin"; openldap can also be accessed by phpLDAPadmin installed by "apt install phpldapadmin" on my physical machine,
but when I log in to "https://ldap.my.com/" with phpLDAPadmin in docker there are errors:
Could not start TLS. (ldap.my.com) Error: Could not start TLS. Please check your LDAP server configuration. Unable to connect to LDAP server ldap.my.com Error: Can't contact LDAP server (-1) for user Failed to Authenticate to server Invalid Username or Password.
There's no log output by openldap,
and the phpLDAPadmin log seems all right.
The phpLDAPadmin startup logs have some SSL error; I don't know whether it matters.
So in short, my question is: I can normally access openldap with "apache directory studio", "ldap admin", and phpLDAPadmin installed on my physical machine,
but I cannot log in to openldap with phpLDAPadmin in docker; there are some STARTTLS errors. How can I fix this?
Many thanks