Reputation: 308
Connecting via TLS to OPENLDAP: Certificate not found
I have an OpenLDAP Docker instance from Osixia and am trying to query it securely from the client using TLS. The query works without encryption using $ ldapwhoami -H ldap://localhost -x and does not work when using the -ZZ flag to start TLS operation $ ldapwhoami -H ldap://localhost -x -ZZ - it returns ldap_start_tls: Can't contact LDAP server (-1). How can i make this work? Below are all the steps i took:
- Run LDAP server in docker:
$ docker run -p 389:389 -p 636:636 --name ldap-service --hostname ldap-service \
--env LDAP_ADMIN_PASSWORD="password" --env LDAP_BASE_DN="dc=example,dc=org" --detach osixia/openldap:1.4.0
- Test Connectivity - shows success, it returns
anonymous
$ ldapwhoami -H ldap://localhost -x
anonymous
- Preparations for TLS connectivity - Configure client to trust SERVER Certificate Authority (CA)
- SERVER DOCKER CONTAINER: TLS certs are autoconfigured upon runtime in the osixia/openldap image. Copy contents of CA in
/container/service/slapd/assets/certs/ca.crt - CLIENT: Paste the copied SERVER
ca.crtinto CLIENT folder/usr/local/share/ca-certificates/ca.crt, then runsudo update-ca-certificatesto add it. Confirm success of adding by checking that the CA is inside/etc/ssl/certs/ca-certificates.crt - CLIENT: In file
/etc/ldap/ldap.confI added the lineTLS_CACERT /etc/ssl/certs/ca-certificates.crt
- SERVER DOCKER CONTAINER: TLS certs are autoconfigured upon runtime in the osixia/openldap image. Copy contents of CA in
- Test TLS connectivity from CLIENT via
-ZZflag to start TLS operation:
$ ldapwhoami -H ldap://localhost -x -ZZ
ldap_start_tls: Can't contact LDAP server (-1)
additional info: The TLS connection was non-properly terminated.
Further logs from inside LDAP docker:
5ff42195 conn=1079 fd=12 ACCEPT from IP=172.17.0.1:39420 (IP=0.0.0.0:636)
TLS: can't accept: No certificate was found..
5ff42195 conn=1079 fd=12 closed (TLS negotiation failure)
- Test TLS connectivity from CLIENT via LDAP Secure URI scheme
ldaps://
$ ldapwhoami -H ldaps://localhost -x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Things i tried out:
I read through https://www.openldap.org/doc/admin24/tls.html and subsequently installed the Server CA on the client.
I read through this post: ldapsearch over ssl/tls doesn't work, I changed the settings in
/etc/ldap/ldap.confto include the below items, but to no avail.
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT ALLOW
PORT 636
HOST localhost // i also tried 'ldap-service'
Upvotes: 2
Views: 7011
Answers (2)
Reputation: 5828
For Googlers,
Presto does not supply client certificates (client certificate verification, two-way verification) when connecting to LDAP service, so you will need --env LDAP_TLS_VERIFY_CLIENT=tryor never if you use osixia/openldap, or, edit ldap.conf and set TLS_REQCERT never and restart the LDAP service.
Upvotes: 1
Reputation: 308
I found the solution:
Add --env LDAP_TLS_VERIFY_CLIENT=try to the docker run command. Source
Upvotes: 3
Related Questions
- How to enable authentication via openLDAP on JupyterHub without SSL certificate?
- Connect to open LDAP over ssl
- OpenLDAP - TDS - Can't contact LDAP server (-1)
- Deploy OpenLdap using docker
- openldap : ldapsearch ldap_bind: Invalid credentils (46)
- OpenLDAP TLS failing with TLS init def ctx failed: -69
- OpenLDAP: TLS error -8179:Peer's Certificate issuer is not recognized
- Connecting Docker container to corporate LDAP server through SSL
- winldap can't connect to openldap with ssl
- OpenLdap with SSL connection Failed