wheelybird / ldap-user-manager

A PHP web-based interface for LDAP user account management and self-service password change.
MIT License

Problems with LUM, OpenLDAP, Docker and Traefik #192

Open joshoram80 opened 1 year ago

joshoram80 commented 1 year ago

Running LUM from the latest Docker image, behind Traefik.

ldap-user-manager:
    image: wheelybird/ldap-user-manager:latest
    container_name: ldap-user-manager
    networks:
      - t2_proxy
    ports:
      - 8785:80
    restart: always
    volumes:
      - $DOCKERDIR/appdata/lum/opt/ssl:/opt/ssl
    environment:
      - SERVER_HOSTNAME="https://lum.my.domain" # url for webui
      - LDAP_URI="ldap://openldap"
      - LDAP_BASE_DN="dc=my,dc=domain" # edit domain tld same as above 
      - LDAP_REQUIRE_STARTTLS="FALSE"
      - LDAP_ADMINS_GROUP="admins" # admin group
      - LDAP_ADMIN_BIND_DN="cn=admin,dc=my,dc=domain" # edit domain tld
      - LDAP_ADMIN_BIND_PWD="XXXXXXXX" # admin password set above 
      - LDAP_DEBUG="true"
      - LDAP_USES_NIS_SCHEMA="false"
      - LDAP_IGNORE_CERT_ERRORS="true"
      - LDAP_REQUIRE_STARTTLS="false"
      - NO_HTTPS="true"

My error logs are showing

Generating CA key
Generating RSA private key, 2048 bit long modulus (2 primes)
..................+++++
........+++++
e is 65537 (0x010001)
Generating CA certificate
Generating openssl configuration
Generating server key...
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................................+++++
........+++++
e is 65537 (0x010001)
Generating server signing request...
req: Hit end of string before finding the equals.
problems making Certificate Request
AH00526: Syntax error on line 23 of /etc/apache2/sites-enabled/lum.conf:
SSLCertificateFile: file '/opt/ssl/server.crt' does not exist or is empty
AH00526: Syntax error on line 23 of /etc/apache2/sites-enabled/lum.conf:
SSLCertificateFile: file '/opt/ssl/server.crt' does not exist or is empty

I'm not sure why LUM is trying to generate certificates to begin with, as NO_HTTPS=true should prevent it? I already have Traefik set up to get certificates from Let's Encrypt, which it does, and the entire domain is behind Cloudflare. Could this be the issue?

As far as I can tell, my OpenLDAP container is running correctly.

wheelybird commented 1 year ago

Hi. NO_HTTPS=true will definitely prevent the certs from being generated and/or being used. There's a simple if clause in the entrypoint script that manages this: https://github.com/wheelybird/ldap-user-manager/blob/40ec4a151c8451f5d56f007d817206862d0f4279/entrypoint#L35 I can't recreate your issue, so I imagine that for some reason NO_HTTPS isn't being passed into the container. Perhaps try removing the quotes around true in the environment: section? Or alternatively try passing in the env values as a dictionary (https://docs.docker.com/compose/compose-file/compose-file-v3/#environment), e.g.:

 environment:
       SERVER_HOSTNAME: 'https://lum.my.domain'
       LDAP_URI: 'ldap://openldap'
       NO_HTTPS: 'true'

What's stranger is that the cert generation is failing. Perhaps there are files already in the $DOCKERDIR/appdata/lum/opt/ssl causing issues? If you're not planning to use SSL within the container then you might as well remove the volume mount.

Hope that helps.

jpralves commented 2 months ago

The main problem is the way docker compose handles the format:

    environment:
      - NO_HTTPS="true"

This will set the variable to literally "true" and not to true (without the quotes).

The correct way to set this variable is:

    environment:
      - NO_HTTPS=true
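To make the quoting problem from the two answers above concrete, here is a small added checker (not part of the ldap-user-manager project) that reads the list-form environment entries of a compose file the way compose hands them to the container, flags values that still carry their quote characters, and shows why a shell test such as the one in the entrypoint would not see NO_HTTPS as true. The compose fragment is constructed for the example, and the entrypoint's exact comparison is assumed to be a case-insensitive string equality with true.

```python
import re
from typing import Dict, List

# Constructed compose fragment, modelled on the one in the issue; not the
# issue author's actual file.
SAMPLE_COMPOSE = """\
services:
  ldap-user-manager:
    environment:
      - SERVER_HOSTNAME="https://lum.example.test" # url for webui
      - LDAP_URI="ldap://openldap"
      - LDAP_REQUIRE_STARTTLS="FALSE"
      - LDAP_DEBUG='true'
      - NO_HTTPS="true"
      - LDAP_USES_NIS_SCHEMA=false
"""

# One list-form entry: "- KEY=VALUE", optionally followed by a YAML comment.
# YAML only treats '#' as a comment start when whitespace precedes it, so the
# pattern requires that whitespace; a '#' glued to the value stays in the value.
_LIST_ENTRY = re.compile(
    r"^\s*-\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>.*?)(?:\s+#.*)?\s*$"
)


def parse_list_form(compose_text: str) -> Dict[str, str]:
    """Return the environment as compose passes it in list form: everything
    after the first '=' is the value, quote characters included. Simplified
    line-oriented scan; it does not check that the list sits under
    'environment:'."""
    env: Dict[str, str] = {}
    for line in compose_text.splitlines():
        m = _LIST_ENTRY.match(line)
        if m:
            env[m.group("key")] = m.group("value")
    return env


def is_quoted(value: str) -> bool:
    """True when the value is wrapped in a matching pair of ' or " characters."""
    return len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"')


def quoted_values(env: Dict[str, str]) -> List[str]:
    """Keys whose values will reach the process with the quotes still attached."""
    return sorted(k for k, v in env.items() if is_quoted(v))


def strip_quotes(value: str) -> str:
    """Remove one pair of surrounding quotes; other values are returned unchanged."""
    return value[1:-1] if is_quoted(value) else value


def entrypoint_skips_tls(env: Dict[str, str]) -> bool:
    """Assumed mirror of the entrypoint's NO_HTTPS test: a string comparison
    with 'true' (case folded here). '"true"' with quotes does not match."""
    return env.get("NO_HTTPS", "").lower() == "true"


def fixed_entries(env: Dict[str, str]) -> List[str]:
    """Rewrite each entry in the unquoted form compose expects."""
    return [f"{key}={strip_quotes(value)}" for key, value in env.items()]


if __name__ == "__main__":
    env = parse_list_form(SAMPLE_COMPOSE)
    for key in quoted_values(env):
        print(f"quoted value reaches the container: {key}={env[key]}")
    print("entrypoint would skip TLS setup:", entrypoint_skips_tls(env))
    print("suggested entries:")
    for entry in fixed_entries(env):
        print("  -", entry)
```

Running the script against the constructed fragment lists every key whose quotes survive, reports that the TLS check would not be skipped, and prints the same entries without quotes; the same scan can be pointed at a real compose file to catch the mistake before the container starts.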