Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TLS/SSL (ldaps) is broken #74

Open
pini-gh opened this issue May 4, 2020 · 3 comments · May be fixed by #106
Open

TLS/SSL (ldaps) is broken #74

pini-gh opened this issue May 4, 2020 · 3 comments · May be fixed by #106

Comments

@pini-gh
Copy link

pini-gh commented May 4, 2020

Hi,
My undertanding is that the generated configuration for TLS/SSL is broken. The ldap-client startup.sh script generates ~www-data/.ldaprc referencing a dummy key/cert pair preventing the connection via ldaps://.

Manually removing ~www-data/.ldaprc fixes the problem.

BTW, any reason for not writing this piece of configuration into /etc/ldap/ldap.conf? It took me hours to figure out there was a .ldaprc in the way.

Docker compose file :

  phpldapadmin:
    image: osixia/phpldapadmin:stable
    container_name: phpldapadmin
    environment:
      # http://phpldapadmin.sourceforge.net/wiki/index.php/Server:server:host
      PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'ldaps://ldap.pini.fr:636': [{'server': [{'port': 0},{'base': \"array('cn=config','dc=pini,dc=fr')\"}]}]}]"
      PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: "chain.pem"
      PHPLDAPADMIN_HTTPS: "false" # behind a reverse proxy
    volumes:
      - certs:/container/service/ldap-client/assets/certs
    expose:
      - "80"

Thanks.

@pini-gh
Copy link
Author

pini-gh commented May 4, 2020

BTW, any reason for not writing this piece of configuration into /etc/ldap/ldap.conf? It took me hours to figure out there was a .ldaprc in the way.

Forget about this part. The reason is that TLS_KEY and TLS_CERT are user-only options. As such they are ignored when in ldap.conf.

@fredleb
Copy link

fredleb commented Jun 18, 2021

Please try to set PHPLDAPADMIN_LDAP_CLIENT_TLS to true.

In /container/service/ldap-client there is a startup.sh script that has a line testing this value to generate a proper ldap.conf.

See here: startup.sh

My problem was that my CA certificate set by PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME was simply ignored...

Could that be your problem too ?

@pini-gh
Copy link
Author

pini-gh commented Jun 18, 2021

Please try to set PHPLDAPADMIN_LDAP_CLIENT_TLS to true.

Thanks for following up on this issue.

I don't remember how I came up to it, but my workaround is the contrary actually. Here is what I have in my docker compose file:

      # Workaround for https://github.com/osixia/docker-phpLDAPadmin/issues/74
      PHPLDAPADMIN_LDAP_CLIENT_TLS: "false"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants