search

osixia / docker-phpLDAPadmin

phpLDAPadmin container image 🐳🌴
MIT License
842 stars 196 forks source link

TLS/SSL (ldaps) is broken #74

Open pini-gh opened 4 years ago

pini-gh commented 4 years ago

Hi, My undertanding is that the generated configuration for TLS/SSL is broken. The ldap-client startup.sh script generates ~www-data/.ldaprc referencing a dummy key/cert pair preventing the connection via ldaps://.

Manually removing ~www-data/.ldaprc fixes the problem.

BTW, any reason for not writing this piece of configuration into /etc/ldap/ldap.conf? It took me hours to figure out there was a .ldaprc in the way.

Docker compose file :

  phpldapadmin:
    image: osixia/phpldapadmin:stable
    container_name: phpldapadmin
    environment:
      # http://phpldapadmin.sourceforge.net/wiki/index.php/Server:server:host
      PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'ldaps://ldap.pini.fr:636': [{'server': [{'port': 0},{'base': \"array('cn=config','dc=pini,dc=fr')\"}]}]}]"
      PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: "chain.pem"
      PHPLDAPADMIN_HTTPS: "false" # behind a reverse proxy
    volumes:
      - certs:/container/service/ldap-client/assets/certs
    expose:
      - "80"

Thanks.

pini-gh commented 4 years ago

BTW, any reason for not writing this piece of configuration into /etc/ldap/ldap.conf? It took me hours to figure out there was a .ldaprc in the way.

Forget about this part. The reason is that TLS_KEY and TLS_CERT are user-only options. As such they are ignored when in ldap.conf.

fredleb commented 3 years ago

Please try to set PHPLDAPADMIN_LDAP_CLIENT_TLS to true.

In /container/service/ldap-client there is a startup.sh script that has a line testing this value to generate a proper ldap.conf.

See here: startup.sh

My problem was that my CA certificate set by PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME was simply ignored...

Could that be your problem too ?

pini-gh commented 3 years ago

Please try to set PHPLDAPADMIN_LDAP_CLIENT_TLS to true.

Thanks for following up on this issue.

I don't remember how I came up to it, but my workaround is the contrary actually. Here is what I have in my docker compose file:

      # Workaround for https://github.com/osixia/docker-phpLDAPadmin/issues/74
      PHPLDAPADMIN_LDAP_CLIENT_TLS: "false"