Docker – Can’t contact LDAP server (with ldaps) in Docker

docker, ldap

I'm trying to do an ldapsearch like this:

ldapsearch -x -D "uid=username,ou=people,dc=example" -w passw0rd -H ldaps://example.com "(objectClass=example)"

But it's giving me this error:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

And with debug output, it's:

ldap_url_parse_ext(ldaps://example.com)
ldap_create
ldap_url_parse_ext(ldaps://example.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP example.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying X.X.X.X:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I thought it was a problem with the SSL connection. But no, because this command succeeds:

openssl s_client -connect example.com:636

So I don't know where the problem is…

For more information, I'm in a container (Docker) with an Ubuntu image and my configuration for LDAP is:

BASE    dc=example
URI ldaps://example.com

TLS_REQCERT demand
TLS_CACERT /etc/ldap/certificates/CA-cert.pem

Best Answer

you could set in /etc/ldap.conf

TLS_REQCERT allow

which, as you will suspect, will not die on unknown certificate authorities. Take a look at man ldap.conf

   TLS_REQCERT <level>
          Specifies what checks to perform on server certificates in a TLS
          session, if any. The <level> can be specified as one of the
          following keywords:

          never  The client will not request or check any server
                 certificate.

          allow  The server certificate is requested. If no certificate is
                 provided, the session proceeds normally. If a bad
                 certificate is provided, it will be ignored and the session
                 proceeds normally.

          try    The server certificate is requested. If no certificate is
                 provided, the session proceeds normally. If a bad
                 certificate is provided, the session is immediately
                 terminated.

          demand | hard
                 These keywords are equivalent. The server certificate is
                 requested. If no certificate is provided, or a bad
                 certificate is provided, the session is immediately
                 terminated. This is the default setting.

Once you have verified that ldapsearch is working, then the right thing to do would be to get a copy of the CA root certificate and import it in your Ubuntu system store.

Apparently this is done as shown in this Super User question.

Or you could just ignore it and get on with what you were doing without verifying the certificate, but you should try to verify it if at all possible.
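As an added example that is not part of the question or the answer: a small POSIX shell audit of an ldap.conf (run here on a constructed sample) that flags a weakened TLS_REQCERT and builds the openssl command that verifies the server chain against the configured TLS_CACERT, since a bare `openssl s_client -connect host:636` exits successfully whether or not the chain verifies and so does not reproduce the ldapsearch failure. The Ubuntu CA bundle path used as a fallback when TLS_CACERT is unset is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post or OpenLDAP.
# Audits the TLS client settings in an ldap.conf-style file ("KEY value" lines).

# ldap_conf_get FILE KEY -> value of KEY (last occurrence wins, keys are case-insensitive)
ldap_conf_get() {
    awk -v key="$2" 'toupper($1) == key { val = $2 } END { if (val != "") print val }' "$1"
}

# audit_reqcert FILE -> weak | partial | ok | default | unknown
# never/allow accept an unverifiable server certificate; demand/hard (and unset,
# which means demand) reject it; try only rejects a bad certificate, not a missing one.
audit_reqcert() {
    level=$(ldap_conf_get "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    case "$level" in
        never|allow)  echo "weak" ;;
        try)          echo "partial" ;;
        demand|hard)  echo "ok" ;;
        "")           echo "default" ;;
        *)            echo "unknown" ;;
    esac
}

# verify_cmd FILE -> openssl command that checks the server chain against TLS_CACERT
# and exits non-zero on a verification failure, mirroring what ldapsearch does with demand.
verify_cmd() {
    uri=$(ldap_conf_get "$1" URI)
    cacert=$(ldap_conf_get "$1" TLS_CACERT)
    # Assumption: Ubuntu's system CA bundle is the fallback when no TLS_CACERT is set.
    [ -n "$cacert" ] || cacert=/etc/ssl/certs/ca-certificates.crt
    host=$(printf '%s\n' "$uri" | sed -e 's|^ldaps://||' -e 's|/.*||' -e 's|:.*||')
    port=$(printf '%s\n' "$uri" | sed -n 's|^ldaps://[^:/]*:\([0-9]*\).*|\1|p')
    [ -n "$port" ] || port=636
    echo "openssl s_client -connect ${host}:${port} -CAfile ${cacert} -verify_return_error </dev/null"
}

# Constructed sample config matching the one in the question.
conf=$(mktemp)
cat > "$conf" <<'EOF'
BASE    dc=example
URI ldaps://example.com
TLS_REQCERT demand
TLS_CACERT /etc/ldap/certificates/CA-cert.pem
EOF
echo "TLS_REQCERT audit: $(audit_reqcert "$conf")"
echo "Chain check to run: $(verify_cmd "$conf")"
rm -f "$conf"
```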