osixia / docker-phpLDAPadmin

phpLDAPadmin container image 🐳🌴
MIT License

Error: Could not start TLS #64

Open jiangzhaohui opened 4 years ago

jiangzhaohui commented 4 years ago

Hello, I am using osixia/openldap and osixia/docker-phpLDAPadmin on my localhost (Ubuntu 16.04, Docker version 18.09.2). I configured "127.0.0.1 ldap.my.com" in my /etc/hosts and started openldap with the command:

docker run --hostname ldap.my.com -p 636:636 -p 389:389 \
--name my-openldap-container \
--env LDAP_TLS_VERIFY_CLIENT=never \
--env LDAP_TLS_CIPHER_SUITE=SECURE256:+SECURE128:+VERS-TLS-ALL:+VERS-TLS1.2:+RSA:+DHE-DSS:+CAMELLIA-128-CBC:+CAMELLIA-256-CBC \
--detach osixia/openldap:1.3.0

I started phpLDAPadmin with the command:

docker run --hostname ldap.my.com -p 443:443 \
--env PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT=never \
--env PHPLDAPADMIN_LDAP_HOSTS="#PYTHON2BASH:[{'ldap.my.com': [{'server': [{'tls': True},{'port': 389}]}]}]" \
--detach osixia/phpldapadmin:0.9.0 --loglevel trace

openldap can be accessed normally by "apache directory studio" and "ldap admin"; it can also be accessed by the phpLDAPadmin installed via "apt install phpldapadmin" on my physical machine.

but when I log in to "https://ldap.my.com/" with the phpLDAPadmin in docker, there are errors:

Could not start TLS. (ldap.my.com) Error: Could not start TLS. Please check your LDAP server configuration. Unable to connect to LDAP server ldap.my.com Error: Can't contact LDAP server (-1) for user Failed to Authenticate to server Invalid Username or Password.

There is no log output from openldap,

and the phpLDAPadmin log seems all right:

172.17.0.1 - - [12/Oct/2019:03:31:30 +0000] "POST /cmd.php HTTP/2.0" 302 262 "https://ldap.my.com/cmd.php?cmd=login_form&server_id=1&redirect=true" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
172.17.0.1 - - [12/Oct/2019:03:31:30 +0000] "GET /cmd.php?cmd=login_form&server_id=1&redirect=true HTTP/2.0" 200 1904 "https://ldap.my.com/cmd.php?cmd=login_form&server_id=1&redirect=true" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
172.17.0.1 - - [12/Oct/2019:03:31:30 +0000] "GET /css/default/style.css HTTP/2.0" 200 2839 "https://ldap.my.com/cmd.php?cmd=login_form&server_id=1&redirect=true" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
172.17.0.1 - - [12/Oct/2019:03:31:30 +0000] "GET /js/jscalendar/calendar-blue.css HTTP/2.0" 200 1466 "https://ldap.my.com/cmd.php?cmd=login_form&server_id=1&redirect=true" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"

The phpLDAPadmin startup logs have some ssl errors; I don't know whether that matters:

Oct 12 03:48:28 ldap syslog-ng[1014]: syslog-ng starting up; version='3.19.1'
[Sat Oct 12 03:48:28.146449 2019] [ssl:error] [pid 1029:tid 139834063312000] AH02218: ssl_stapling_init_cert: no OCSP URI in certificate and no SSLStaplingForceURL set [subject: CN=ldap.my.com,OU=Information Technology Dep.,O=A1A Car Wash,L=Albuquerque,ST=New Mexico,C=US / issuer: CN=docker-light-baseimage,ST=New Mexico,L=Albuquerque,OU=Information Technology Dep.,O=A1A Car Wash,C=US / serial: 0FC41161B48C684ACE8AD3C8C274F5A348019ADE / notbefore: Oct 12 03:43:00 2019 GMT / notafter: Oct 11 03:43:00 2020 GMT]
[Sat Oct 12 03:48:28.146489 2019] [ssl:error] [pid 1029:tid 139834063312000] AH02604: Unable to configure certificate ldap.my.com:443:0 for stapling
[Sat Oct 12 03:48:28.158940 2019] [ssl:error] [pid 1029:tid 139834063312000] AH02218: ssl_stapling_init_cert: no OCSP URI in certificate and no SSLStaplingForceURL set [subject: CN=ldap.my.com,OU=Information Technology Dep.,O=A1A Car Wash,L=Albuquerque,ST=New Mexico,C=US / issuer: CN=docker-light-baseimage,ST=New Mexico,L=Albuquerque,OU=Information Technology Dep.,O=A1A Car Wash,C=US / serial: 0FC41161B48C684ACE8AD3C8C274F5A348019ADE / notbefore: Oct 12 03:43:00 2019 GMT / notafter: Oct 11 03:43:00 2020 GMT]
[Sat Oct 12 03:48:28.158956 2019] [ssl:error] [pid 1029:tid 139834063312000] AH02604: Unable to configure certificate ldap.my.com:443:0 for stapling
[Sat Oct 12 03:48:28.160797 2019] [mpm_event:notice] [pid 1029:tid 139834063312000] AH00489: Apache/2.4.38 (Debian) OpenSSL/1.1.1c configured -- resuming normal operations
[Sat Oct 12 03:48:28.160824 2019] [core:notice] [pid 1029:tid 139834063312000] AH00094: Command line: '/usr/sbin/apache2 -D FOREGROUND'

So in short, my question is: I can normally access openldap with "apache directory studio", "ldap admin", and the phpLDAPadmin installed on my physical machine,

but I cannot log in to openldap with the phpLDAPadmin in docker; there are some STARTTLS errors. How can I fix this?

many thanks

phucvinh52 commented 4 years ago

I have the same problem.

archont00 commented 4 years ago

Similar here. LDAP server says:

5dda7054 conn=1000 fd=12 ACCEPT from IP=172.17.22.3:37090 (IP=0.0.0.0:389)
5dda7054 conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
5dda7054 conn=1000 op=0 STARTTLS
5dda7054 conn=1000 op=0 RESULT oid= err=0 text=
5dda7054 conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
5dda7054 conn=1000 fd=12 closed (connection lost)

If your error is the same, you have two options:

See here for more info: http://phpldapadmin.sourceforge.net/wiki/index.php/Server:server:tls

Disable Certificate Checks

Simply add PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT: "allow" (or never) to the environment of your phpldapadmin container. The TLS connection will be established even if, for some reason, the server certificate is invalid (e.g. the CA is not trusted).

Add server's CA cert

Define a read-only volume in the phpldapadmin container and set the CA cert name via the environment:

environment:
  ... other variables here ...
  PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: "live/ldap.example.org/fullchain.pem"
volumes:
  - /etc/letsencrypt:/container/service/ldap-client/assets/certs:ro

This one is set up to link the Let's Encrypt certificate of ldap.example.org, which is used by the ldap container (yours is different, obviously).

EDIT: Sorry guys, I just noticed PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT=never is used in the OP...
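The slapd excerpt in the comment above has a recognisable shape: the server reports "TLS established" and the very next event on that connection is "closed (connection lost)", with no BIND in between. libldap verifies the server certificate only after the handshake has completed, so a server-side log that looks like this is consistent with the client rejecting the certificate (untrusted CA or hostname mismatch), which is exactly what the two remedies above address. The following is an added example, not code from the osixia project or from anyone in this thread: it scans slapd log lines in the format posted here and reports the connections that match that pattern. The sample log is constructed for the demonstration (conn=1000 mirrors the failing session above, conn=1001 is a healthy session that binds and unbinds cleanly).

```python
"""Flag STARTTLS sessions that the client dropped right after the handshake.

Added example (not from the osixia project). Parses slapd log lines in the
format shown in this thread and returns the connections where the server
saw "TLS established" but the peer then closed the socket without a BIND.
"""
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines posted in the thread.
SAMPLE_LOG = """\
5dda7054 conn=1000 fd=12 ACCEPT from IP=172.17.22.3:37090 (IP=0.0.0.0:389)
5dda7054 conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
5dda7054 conn=1000 op=0 STARTTLS
5dda7054 conn=1000 op=0 RESULT oid= err=0 text=
5dda7054 conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
5dda7054 conn=1000 fd=12 closed (connection lost)
5dda7060 conn=1001 fd=13 ACCEPT from IP=172.17.22.5:40110 (IP=0.0.0.0:389)
5dda7060 conn=1001 op=0 EXT oid=1.3.6.1.4.1.1466.20037
5dda7060 conn=1001 op=0 STARTTLS
5dda7060 conn=1001 op=0 RESULT oid= err=0 text=
5dda7060 conn=1001 fd=13 TLS established tls_ssf=256 ssf=256
5dda7060 conn=1001 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
5dda7060 conn=1001 op=1 RESULT tag=97 err=0 text=
5dda7060 conn=1001 fd=13 UNBIND
5dda7060 conn=1001 fd=13 closed
"""

CONN_RE = re.compile(r"conn=(\d+)")
ACCEPT_RE = re.compile(r"ACCEPT from IP=([\d.]+):\d+")


def find_tls_aborts(log_text):
    """Return {conn_id: client_ip} for connections where TLS was established,
    no BIND ever arrived, and the peer dropped the connection."""
    state = defaultdict(lambda: {"ip": None, "tls": False, "bind": False, "lost": False})
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # not a per-connection line (startup banner etc.)
        conn = state[m.group(1)]
        accept = ACCEPT_RE.search(line)
        if accept:
            conn["ip"] = accept.group(1)
        if "TLS established" in line:
            conn["tls"] = True
        elif " BIND " in line:          # "UNBIND" does not match this pattern
            conn["bind"] = True
        elif "closed (connection lost)" in line:
            conn["lost"] = True
    return {cid: s["ip"] for cid, s in state.items()
            if s["tls"] and not s["bind"] and s["lost"]}


if __name__ == "__main__":
    for cid, ip in find_tls_aborts(SAMPLE_LOG).items():
        print(f"conn={cid} from {ip}: TLS handshake completed, client closed before BIND")
```

Run it over `docker logs my-openldap-container` output (the server must be started with a loglevel that includes connection events) to confirm the failing client is the phpLDAPadmin container's IP before changing any TLS settings. Of the two fixes above, mounting the CA certificate and keeping PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT at demand keeps the client authenticating the server; "allow" or "never" makes the connection succeed by no longer checking who is on the other end.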

Angelin01 commented 3 years ago

Edit: I have solved my issues, they were related to permissions, explanation at the bottom.


I can confirm I am having the same issue. All other services can access LDAP just fine, ldapsearch works, LTB Self Service Password works, etc.

For PHPLDAPAdmin however, I noticed that PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT appears to be cached (at least using compose), which is why I wasn't having problems before. If you set it once, it appears it doesn't update it later unless you delete the generated volumes, which led me to believe it was working after I commented it out from my compose file. On a clean volume (after using prune), things stopped working and I had no idea why. It's likely that this is why in the OP PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT=never is not working: it was set to demand at one point and never updated after.

As others have before, LDAP logs show nothing weird:

conn=1041 fd=12 ACCEPT from IP=172.17.21.4:39242 (IP=0.0.0.0:389)
conn=1041 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1041 op=0 STARTTLS
conn=1041 op=0 RESULT oid= err=0 text=
conn=1041 fd=12 TLS established tls_ssf=256 ssf=256
conn=1041 fd=12 closed (connection lost)

While docker exec -it phpldapadmin cat /var/www/phpldapadmin/config/config.php gives, at the end:

/*
 * Autogenerated servers variables will come here
 */
$servers->newServer('ldap_pla');
$servers->setValue('server','host','openldap');
$servers->setValue('server','name','openldap');
$servers->setValue('server','host','ldap.REDACTED.com');
$servers->setValue('server','tls',true);
$servers->setValue('server','port','389');
$servers->setValue('login','bind_id','cn=admin,dc=REDACTED,dc=com');

Any update on this would be appreciated.


Edit: So it seems the problem was permissions. Both this and the openldap docker service try to mess with file permissions for the certificates. They end up making it so that one of the services can't read the certs at all if you mount both containers' certificate directories to the same place on your host (as one would, to centralize the certs), as they change the owner and read permissions. I ended up fixing it by simply starting both this and the openldap container with command: ['--copy-service'] and then mounting the certs directory as read only.
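The root cause in the comment above is worth being able to verify from the host before either container is started: two services sharing one certificate directory, each chown/chmod-ing it for its own uid, so that the second one to start loses read access. The following is an added example, not code from the osixia project or from the commenter: it walks a certificate directory and, using only the POSIX owner/group/other mode bits, reports which of a set of service identities could not read each file. The service names, the uid/gid offsets and the file names in `demo()` are assumptions for the demonstration; the files it creates are constructed placeholders, not real certificates.

```python
"""Audit a shared certificate directory for readability by several services.

Added example (not from the osixia project). For each regular file under a
directory, reports which of the given (name, uid, gid) identities cannot
read it according to the file's owner/group/other permission bits.
"""
import os
import stat
import tempfile


def unreadable_by(path, identities):
    """Return the names of the identities that cannot read `path`."""
    st = os.stat(path)
    blocked = []
    for name, uid, gid in identities:
        if uid == 0:
            continue  # root is not subject to DAC mode bits
        if uid == st.st_uid:
            ok = bool(st.st_mode & stat.S_IRUSR)
        elif gid == st.st_gid:
            ok = bool(st.st_mode & stat.S_IRGRP)
        else:
            ok = bool(st.st_mode & stat.S_IROTH)
        if not ok:
            blocked.append(name)
    return blocked


def audit_cert_dir(cert_dir, identities):
    """Map each file (relative to cert_dir) to the identities that cannot read it.
    Files readable by every identity are omitted from the result."""
    report = {}
    for root, _, files in os.walk(cert_dir):
        for fname in files:
            path = os.path.join(root, fname)
            blocked = unreadable_by(path, identities)
            if blocked:
                report[os.path.relpath(path, cert_dir)] = blocked
    return report


def demo():
    """Build a constructed certs directory and audit it for two assumed services.

    'owner-service' runs as the uid/gid that owns the files (this process);
    'other-service' is an unrelated uid/gid, as a second container would be
    after the first one has chowned the directory to itself."""
    me_uid, me_gid = os.getuid(), os.getgid()
    identities = [
        ("owner-service", me_uid, me_gid),
        ("other-service", me_uid + 1000, me_gid + 1000),  # assumed, unrelated identity
    ]
    cert_dir = tempfile.mkdtemp(prefix="certs-audit-")
    # Constructed placeholder files with the modes a chown/chmod'ing service
    # typically leaves behind: world-readable CA, group-readable cert, private key.
    for fname, mode in (("ca.crt", 0o644), ("ldap.crt", 0o640), ("ldap.key", 0o600)):
        path = os.path.join(cert_dir, fname)
        with open(path, "w") as fh:
            fh.write("-- constructed placeholder, not a real certificate --\n")
        os.chmod(path, mode)
    return audit_cert_dir(cert_dir, identities)


if __name__ == "__main__":
    for fname, blocked in sorted(demo().items()):
        print(f"{fname}: not readable by {', '.join(blocked)}")
```

Point `audit_cert_dir` at the host directory you bind-mount, with the uid/gid each container actually runs its service as, after the first container has started and rewritten the permissions; a non-empty report for the second container's identity reproduces the failure described above. Note that the key file being unreadable to the web container is the correct outcome: phpLDAPadmin only needs the CA certificate (and its own HTTPS key pair) to verify slapd, so mounting only that file into the client container, rather than one shared directory holding slapd's private key, avoids both the permission fight and handing the directory server's key to the web tier.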