tiredofit / docker-fusiondirectory

Dockerized web based LDAP manager
MIT License

Could not connect to LDAP server #9

Open XVicarious opened 5 years ago

XVicarious commented 5 years ago

So I've been playing with this image and its companion image for several months, on and off. I have yet to get it to work.

version: '3.7'

services:

  fusion:
    image: tiredofit/fusiondirectory
    environment:
      - ENABLE_ARGONAUT=FALSE
      - LDAP1_HOST=ldap.example.com
      - LDAP1_BASE_DN=dc=example,dc=com
      - LDAP1_ADMIN_DN=cn=admin,dc=example,dc=com
      - LDAP1_ADMIN_PASS=admin
      - LDAP1_NAME=example
      - LDAP1_TLS=TRUE
      - PHP_LOG_LEVEL=debug
    labels:
      traefik.enable: "true"
      traefik.docker.network: 'traefik_traefik'
      traefik.frontend.rule: "Host:fd.example.com"
    volumes:
      - /home/docker/ldap/logs:/www/logs
    networks:
      - traefik
      - default

  ldap:
    hostname: ldap.example.com
    domainname: ldap.example.com
    image: tiredofit/openldap-fusiondirectory
    ports:
      - 389:389
      - 636:636
    environment:
      - HOSTNAME=ldap.example.com
      - BACKEND=mdb
      - DOMAIN=example.com
      - ADMIN_PASS=admin
      - CONFIG_PASS=config
      - FUSIONDIRECTORY_ADMIN_USER=fd-admin
      - FUSIONDIRECTORY_ADMIN_PASS=admin
      - ORGANIZATION=Example
      - BASE_DN=dc=example,dc=com
      - ENABLE_READONLY_USER=false
      - ENABLE_TLS=true
      - TLS_CRT_FILENAME=cert.pem
      - TLS_KEY_FILENAME=key.pem
      - TLS_CA_CRT_FILENAME=ca.pem
      - TLS_ENFORCE=false
      - TLS_CIPHER_SUITE=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:-DHE-DSS:-RSA:!aNULL:!MD5:!DSS:!SHA
      - TLS_VERIFY_CLIENT=never
      - SSL_HELPER_PREFIX=ldap
      - ENABLE_REPLICATION=false
      - BACKUP_CONFIG_CRON_PERIOD=0 4 * * *
      - BACKUP_DATA_CRON_PERIOD=0 4 * * *
      - BACKUP_TTL=15
    labels:
      traefik.enable: 'true'
      traefik.port: 80
      traefik.frontend.rule: 'Host:ldap.example.com'
    volumes:
      - /home/docker/ldap/backup:/data/backup
      - /home/docker/ldap/data:/var/lib/openldap
      - /home/docker/ldap/config:/etc/openldap/slapd.d
      - /home/docker/certs:/assets/slapd/certs

networks:
  traefik:
    external: true
    name: traefik_traefik

This is my docker-compose file. I am running in swarm mode.

Enabling debug mode doesn't give me much information. Just a stacktrace that really doesn't give any more specifics. All that it shows is the trace to display the error. It does give the params it used: ldaps://ldap.example.com:, dc=example,dc=com, cn=admin,dc=example,dc=com

When I enter the container with ... exec ... /bin/bash I can execute ldapsearch -h ldap.example.com -b dc=example,dc=me -D cn=admin,dc=example,dc=com -w admin -Z and it successfully connects and spits out results.

Even when I turn off TLS for FusionDirectory and connect via the default non-secure port I get the same issue. The container can find and connect to the openldap instance and the container it's hosted in fine, but it appears PHP can't.

Any insight on this? More information that you could use? It could just be a silly tiny mistake I made somewhere.

dcendents commented 5 years ago

@XVicarious I can tell you I have been using this container for months using standard ldap protocol on port 389.

I'm now trying to run everything using TLS and it is not as trivial as it seems. But I just got it working, so I want to let you know there is hope.

First thing I would say, declare every ENV variable, do not trust the documentation when it says it will default to XXX. I can see you are not declaring the LDAP port (LDAP1_PORT), I would set it (either 389 or 636), otherwise it does not seem to work.

Then it seems there are two ways to connect to openldap using TLS. The old way with ldaps and the newer way using StartTLS, which I understand starts with a simple connection on port 389 and then the connection is upgraded to TLS (see env var TLS_VERIFY_CLIENT; "try" will try to use TLS but otherwise will still accept non-TLS connections).

When you do ldapsearch -Z, I think this will use StartTLS.

The fusiondirectory container seems to use ldaps. To test it correctly, you need to use the -H parameter with ldapsearch, so your command should be: ldapsearch -H ldaps://ldap.example.com:636 -b dc=example,dc=me -D cn=admin,dc=example,dc=com -w admin

When you get that working, there is one last thing to do, and it is a bug in the container itself. The configuration that is created when the container is started is missing the port.

Edit the file /etc/fusiondirectory/fusiondirectory.conf and add the port number in it: <referral URI='ldaps://ldap.example.com:636/dc=example,dc=me.

I hope this helps!

P.S.: I run everything locally on a server using docker-compose, I'm not using docker swarm.

XVicarious commented 5 years ago

Thank you so much! I got it working!

-------- Original Message -------- On Jun 17, 2019, 3:48 PM, Daniel Beland wrote:

apocer commented 4 years ago

A better solution is to set the environment variable LDAP_SCHEME="ldaps"
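A worked check for the steps in dcendents' comment (write the port explicitly, and repair the referral URI that the container leaves without a port in /etc/fusiondirectory/fusiondirectory.conf), also honouring the LDAP_SCHEME variable from apocer's comment. This is an added example, not code from the thread or from the tiredofit images; the config snippet, the helper names and the assumption that LDAP_SCHEME overrides LDAP1_TLS are constructed for the example.

```python
"""Build the LDAP URI FusionDirectory should be handed from the LDAP1_* / LDAP_SCHEME
variables, and find or repair <referral URI=...> entries that lack an explicit port.
SAMPLE_CONF below is constructed to mirror the layout of fusiondirectory.conf."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# ldaps:// is TLS from the first byte on 636; ldapsearch -Z (StartTLS) upgrades a 389 session
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def build_ldap_uri(env):
    """LDAP_SCHEME wins when set (assumption), else LDAP1_TLS=TRUE selects ldaps.
    The port is always written out so nothing depends on a documented default."""
    tls = env.get("LDAP1_TLS", "FALSE").upper() == "TRUE"
    scheme = env.get("LDAP_SCHEME") or ("ldaps" if tls else "ldap")
    port = env.get("LDAP1_PORT") or DEFAULT_PORTS[scheme]
    return f"{scheme}://{env['LDAP1_HOST']}:{port}/{env['LDAP1_BASE_DN']}"

def referrals_missing_port(conf_xml):
    """URIs of every referral whose host part has no port (a bare 'host:' counts as missing,
    which is exactly what the debug output in this issue showed)."""
    return [r.get("URI") for r in ET.fromstring(conf_xml).iter("referral")
            if urlsplit(r.get("URI", "")).port is None]

def fix_referral_ports(conf_xml):
    """Return the config with the scheme's default port inserted where it was omitted."""
    root = ET.fromstring(conf_xml)
    for ref in root.iter("referral"):
        parts = urlsplit(ref.get("URI", ""))
        if parts.port is None and parts.scheme in DEFAULT_PORTS:
            netloc = f"{parts.hostname}:{DEFAULT_PORTS[parts.scheme]}"
            ref.set("URI", urlunsplit(parts._replace(netloc=netloc)))
    return ET.tostring(root, encoding="unicode")

# Constructed sample: first location reproduces the bug, second is already correct.
SAMPLE_CONF = """<conf><main default="example">
  <location name="example"><referral URI="ldaps://ldap.example.com:/dc=example,dc=com"
      adminDn="cn=admin,dc=example,dc=com" adminPassword="admin"/></location>
  <location name="ok"><referral URI="ldaps://ldap.example.com:636/dc=example,dc=com"
      adminDn="cn=admin,dc=example,dc=com" adminPassword="admin"/></location>
</main></conf>"""

if __name__ == "__main__":
    env = {"LDAP1_HOST": "ldap.example.com", "LDAP1_BASE_DN": "dc=example,dc=com", "LDAP1_TLS": "TRUE"}
    print(build_ldap_uri(env))
    print(referrals_missing_port(SAMPLE_CONF))
    print(referrals_missing_port(fix_referral_ports(SAMPLE_CONF)))
```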