Can't contact LDAP server (with ldaps) in Docker
I'm trying to do an ldapsearch like this:
ldapsearch -x -D "uid=username,ou=people,dc=example" -w passw0rd -H ldaps://example.com "(objectClass=example)"
But it's giving me this error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
And with debug output enabled, it's:
ldap_url_parse_ext(ldaps://example.com)
ldap_create
ldap_url_parse_ext(ldaps://example.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP example.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying X.X.X.X:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I thought it was a problem with the SSL connection. But no, because this command succeeds:
openssl s_client -connect example.com:636
So I don't know where the problem is...
For more information: I'm in a Docker container with an Ubuntu image, and my LDAP configuration is:
BASE dc=example
URI ldaps://example.com
TLS_REQCERT demand
TLS_CACERT /etc/ldap/certificates/CA-cert.pem
Solution 1:
You could set in /etc/ldap.conf
TLS_REQCERT allow
which, as you will suspect, will not die on unknown certificate authorities. Take a look at man ldap.conf:
TLS_REQCERT <level>
Specifies what checks to perform on server certificates in a TLS session, if any. The <level> can be specified as one of the following keywords:
never   The client will not request or check any server certificate.
allow   The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.
try     The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.
demand | hard
        These keywords are equivalent. The server certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated. This is the default setting.
Once you have verified that ldapsearch is working, the right thing to do would be to get a copy of the CA root certificate and import it into your Ubuntu system store.
Apparently this is done as shown in this super user question.
Or you could just ignore it and get on with what you were doing without verifying the certificate, but you should try to verify it if at all possible.
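As an added example (not code from the question or the answer above), here is the safer route the answer ends on, scripted for the Ubuntu container: keep TLS_REQCERT demand, check that the CA file is actually present and PEM-encoded, put it in the system store, and confirm the chain with openssl using the CA explicitly before running ldapsearch. The function names are mine; the /usr/local/share/ca-certificates and /etc/ssl/certs paths are Ubuntu's ca-certificates layout.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes an Ubuntu container with
# the ca-certificates and openssl packages installed, and that CA-cert.pem is
# the root CA that signed the LDAP server's certificate.
set -eu

# Render ldap.conf keeping TLS_REQCERT demand (the secure default) and pointing
# TLS_CACERT at a CA file; do not downgrade to "allow" or "never".
render_ldap_conf() {
    base="$1"; uri="$2"; cacert="$3"
    printf 'BASE %s\nURI %s\nTLS_REQCERT demand\nTLS_CACERT %s\n' \
        "$base" "$uri" "$cacert"
}

# With TLS_REQCERT demand, a TLS_CACERT file that is missing from the container
# or not PEM-encoded makes the bind fail before any LDAP traffic. Returns 0 if
# the file is readable and PEM, 1 otherwise.
check_ca_file() {
    [ -r "$1" ] || { echo "CA file $1 missing or unreadable" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || {
        echo "CA file $1 is not PEM (convert: openssl x509 -inform der -in CA.crt -out CA.pem)" >&2
        return 1
    }
}

# Install the CA into the Ubuntu system store so every TLS client trusts it.
install_ca_system_store() {
    cp "$1" /usr/local/share/ca-certificates/ldap-ca.crt   # name must end in .crt
    update-ca-certificates
}

# Verify the chain the way ldapsearch will. A bare "openssl s_client -connect"
# prints a handshake even when the CA is untrusted, so pass the CA explicitly
# and make any verification error a non-zero exit.
verify_ldaps_chain() {
    host="$1"; cacert="$2"
    openssl s_client -connect "${host}:636" -servername "$host" \
        -CAfile "$cacert" -verify_return_error </dev/null >/dev/null
}

# Usage (run as root inside the container):
#   check_ca_file /etc/ldap/certificates/CA-cert.pem
#   install_ca_system_store /etc/ldap/certificates/CA-cert.pem
#   render_ldap_conf dc=example ldaps://example.com \
#       /etc/ssl/certs/ca-certificates.crt > /etc/ldap/ldap.conf
#   verify_ldaps_chain example.com /etc/ssl/certs/ca-certificates.crt
```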