tobybatch / kimai2

Docker containers for the kimai2 web application including docker-compose and kubernetes/helm deployment.
MIT License
183 stars 97 forks

Document Secure LDAP configuration #46

Closed timlegge closed 4 years ago

timlegge commented 4 years ago

Just some notes on how to configure working secure LDAP (636 SSL or 389 STARTTLS):

  1. Create an ldap directory
  2. In docker-compose.yaml mount local.yaml and the ldap directory under the kimai volumes:
    • ./local.yaml:/opt/kimai/config/packages/local.yaml:z
    • ./ldap:/etc/ldap:z
  3. Copy /etc/ldap/ldap.conf to the local ldap directory
  4. Create a certs directory in the local ldap directory
  5. Copy the Root Certificate for the LDAP Server Certificate to the local ldap/certs/ directory as ROOT-CA.pem
  6. Add the following line to the bottom of the local ldap/ldap.conf:
     TLS_CACERT /etc/ldap/certs/ROOT-CA.pem
  7. Specify useSsl: true or useStartTls: true in the local.yaml file

Start Kimai with docker-compose up

Issues to look for:

  1. In local.yaml the host: can be the domain name (example.com)
  2. If that results in intermittent failures, examine the SSL certificate of the server. One or more of the servers may be providing a certificate without the domain (example.com) in the Subject Alternative Name (Windows randomly selects the certificate if there are multiple).

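
The setup steps and the SAN check from the notes above, as an added shell example that is not part of this issue or of the kimai2 project; it assumes the caller supplies the host-side root CA file, uses the constructed hostname ldap.example.com, and needs openssl installed on the host for the certificate checks:

```shell
#!/bin/sh
# Added example, not code from the kimai2 project: performs steps 1-6 above for a
# local ./ldap directory and checks a server certificate for the SAN problem in
# "Issues to look for" (2). Assumes the caller supplies the root CA file path and
# the LDAP hostname, and that openssl is installed for the certificate checks.
set -eu

# Steps 1, 3-6: build ./ldap (mounted as /etc/ldap in docker-compose.yaml),
# seed ldap.conf, copy the root CA to certs/ROOT-CA.pem, append TLS_CACERT.
setup_ldap_dir() {
    dir="$1"      # local ldap directory on the host, e.g. ./ldap
    root_ca="$2"  # PEM file with the root CA of the LDAP server certificate
    mkdir -p "$dir/certs"
    if [ ! -f "$dir/ldap.conf" ]; then
        # Copy the system ldap.conf when present, otherwise start empty.
        if [ -f /etc/ldap/ldap.conf ]; then
            cp /etc/ldap/ldap.conf "$dir/ldap.conf"
        else
            : > "$dir/ldap.conf"
        fi
    fi
    cp "$root_ca" "$dir/certs/ROOT-CA.pem"
    # The path is the one seen inside the container; append once so reruns are idempotent.
    grep -q '^TLS_CACERT ' "$dir/ldap.conf" ||
        printf 'TLS_CACERT /etc/ldap/certs/ROOT-CA.pem\n' >> "$dir/ldap.conf"
}

# Issue 2: succeed only if the PEM certificate lists $host as a DNS SAN entry.
# A server missing the entry explains intermittent failures behind one name.
cert_has_dns_san() {
    cert="$1"; host="$2"
    openssl x509 -noout -text -in "$cert" |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$host"
}

# Save the certificate a live server presents (636 over SSL, or STARTTLS on
# 389) so cert_has_dns_san can inspect it; repeat per server behind the name.
fetch_server_cert() {
    host="$1"; port="$2"; out="$3"
    if [ "$port" = 389 ]; then starttls="-starttls ldap"; else starttls=""; fi
    openssl s_client -connect "$host:$port" -servername "$host" $starttls \
        </dev/null 2>/dev/null | openssl x509 -outform PEM > "$out"
}

# Usage (ldap.example.com is a constructed hostname):
#   setup_ldap_dir ./ldap /path/to/root-ca.pem
#   fetch_server_cert ldap.example.com 636 /tmp/server.pem
#   cert_has_dns_san /tmp/server.pem example.com && echo "SAN lists example.com"
```

Run cert_has_dns_san against the certificate of each server that answers for the name in local.yaml; the one that fails the check is the one causing the intermittent failures.
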
kevinpapst commented 4 years ago

What about opening up a "tips & tricks" section in the LDAP config page?

Would you be willing to send in a PR for this file?

timlegge commented 4 years ago

I can probably do that. Just wasn't sure about which page.

On Fri., Dec. 6, 2019, 2:32 p.m. Kevin Papst, notifications@github.com wrote:

What about opening up a "tips & tricks" section in the LDAP config page?

Would you be willing to send in a PR for this file https://github.com/kimai/www.kimai.org/blob/master/_documentation/ldap.md ?


tobybatch commented 4 years ago

This belongs in the core docs: https://github.com/kimai/www.kimai.org/blob/master/_documentation/ldap.md