Can't contact LDAP server (with ldaps) in Docker

Question

I'm trying to do a ldapsearch like this :

ldapsearch -x -D "uid=username,ou=people,dc=example" -w passw0rd -H ldaps://example.com "(objectClass=example)"

But it's giving me this error :

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

And with a debug, it's :

ldap_url_parse_ext(ldaps://example.com)
ldap_create
ldap_url_parse_ext(ldaps://example.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP example.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying X.X.X.X:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I thought it was a problem with the SSL connection. But no, because this command succeed :

openssl s_client -connect example.com:636

So I don't know where the problem is...

For more informations, I'm in a container (Docker) with an Ubuntu image and my configuration for LDAP is :

BASE    dc=example
URI ldaps://example.com

TLS_REQCERT demand 
TLS_CACERT /etc/ldap/certificates/CA-cert.pem

What are you see in your 'openssl s_client -connect example.com:636' command ? — Dom, Sep 16 '14 at 07:27
I got this return code : `Verify return code: 19 (self signed certificate in certificate chain)` . Finally, it's maybe here the problem ? — Frédéric Guégan, Sep 16 '14 at 07:31
I would try importing the signing certificate into the openssl ca database. — symcbean, Aug 26 '16 at 20:23

score 4 · Answer 1 · edited Mar 20 '17 at 10:16

you could set in /etc/ldap.conf

TLS_REQCERT allow

which, as you will suspect, will not die on unknown certificate authorities. Take a look at man ldap.conf

   TLS_REQCERT <level>
          Specifies what checks to perform on server certificates in a TLS
          session, if any. The <level> can be specified as one of the fol‐
          lowing keywords:

          never  The  client will not request or check any server certifi‐
                 cate.

          allow  The server certificate is requested. If no certificate is
                 provided,  the  session  proceeds normally. If a bad cer‐
                 tificate is provided, it will be ignored and the  session
                 proceeds normally.

          try    The server certificate is requested. If no certificate is
                 provided, the session proceeds normally. If  a  bad  cer‐
                 tificate  is  provided, the session is immediately termi‐
                 nated.

          demand | hard
                 These keywords are equivalent. The server certificate  is
                 requested.  If  no certificate is provided, or a bad cer‐
                 tificate is provided, the session is  immediately  termi‐
                 nated. This is the default setting.

Once you have verified that ldapsearch is working, then the right thing to do would be to get a copy of the CA root certificate and import in in your ubuntu system store.

Apparently this is done like shown in : this super user question

Or you could just ignore it and get on with what you were doing without verifying the certificate, but you should try to verify it if at all possible.

score 1 · Answer 2 · answered Jun 15 '17 at 14:25

Ok, it took a lot of searching online, but I've finally gotten mine to work. Here's what I did.

Use the following command to get the certificate from the LDAP server:
openssl s_client -connect example.com:636
Copy everything between and including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
Save that to a file. Something like ca.pem
Edit your ldap.conf file, which could be in /etc/ldap or /etc/openldap directory, and add the below lines. The TLS_CACERT line should point to where you saved the file in the previous step.

TLS_CACERT /etc/ssl/certs/ca.pem
TLS_REQCERT never

4a. I added TLS_REQCERT for internal reasons. Use that setting at your own requirement/risk.

Run your ldapsearch command. I use ldapsearch -x -Z -d1 -H ldaps://example.com:636 -D " your bind dn" -w "your bind password" -b" your base dn" "(cn= your cn )"

Hope this helps.

score 0 · Answer 3 · answered Sep 16 '14 at 10:00

You will have noticed that the debugging output did nothing to show the SSL/TLS parts of the communication. IIRC, in order to get ldapsearch to output such, you need to use options -v2 -d (possibly with a higher debug level).

Note that just because openssl works, doesn't mean that ldapsearch (openldap libraries) will look in the same place for certificate information. Also notice that openssl s_client doesn't validate the certificate by default.

You can try setting TLS_REQCERT to never as a debugging aid.

I would also suggest using strace -e trace=file -f ldapsearch ... as an aid to discover which files are actually being looked for (and whether or not permissions are getting in the way etc.)

Linux systems tend to have multiple ldap configuration files (pam_ldap, nss_ldap, openldap commands, ...). Which file did you use?

One of the questions I generally ask people who come to me asking similar questions at work, is which language stack is the client written in (or rather, which LDAP client API is being used -- eg. OpenLDAP with OpenSSL, or Java 1.7 without the High Security add-ons, so I can figure out what issues to consider above others). For this reason, don't expect things like a Java API to work once you've got a working invocation of ldapsearch.

score 0 · Answer 4 · edited Apr 13 '17 at 12:14

0

If the LDAP provider is Active Directory running on Windows Server 2012, see Can't contact LDAP server (-1) for LDAPS and Server 2012

edited Apr 13 '17 at 12:14

Community

1

answered Mar 31 '17 at 21:11

claytond

381
1
3
6

Can't contact LDAP server (with ldaps) in Docker

4 Answers4

Linked