osixia
TLS/SSL (ldaps) is broken
Hi,
My undertanding is that the generated configuration for TLS/SSL is broken. The ldap-client startup.sh script generates ~www-data/.ldaprc referencing a dummy key/cert pair preventing the connection via ldaps://.
Manually removing ~www-data/.ldaprc fixes the problem.
BTW, any reason for not writing this piece of configuration into /etc/ldap/ldap.conf? It took me hours to figure out there was a .ldaprc in the way.
Docker compose file :
phpldapadmin:
image: osixia/phpldapadmin:stable
container_name: phpldapadmin
environment:
# http://phpldapadmin.sourceforge.net/wiki/index.php/Server:server:host
PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'ldaps://ldap.pini.fr:636': [{'server': [{'port': 0},{'base': \"array('cn=config','dc=pini,dc=fr')\"}]}]}]"
PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: "chain.pem"
PHPLDAPADMIN_HTTPS: "false" # behind a reverse proxy
volumes:
- certs:/container/service/ldap-client/assets/certs
expose:
- "80"
Thanks.
BTW, any reason for not writing this piece of configuration into /etc/ldap/ldap.conf? It took me hours to figure out there was a
.ldaprcin the way.
Forget about this part. The reason is that TLS_KEY and TLS_CERT are user-only options. As such they are ignored when in ldap.conf.
Please try to set PHPLDAPADMIN_LDAP_CLIENT_TLS to true.
In /container/service/ldap-client there is a startup.sh script that has a line testing this value to generate a proper ldap.conf.
See here: startup.sh
My problem was that my CA certificate set by PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME was simply ignored...
Could that be your problem too ?
Please try to set PHPLDAPADMIN_LDAP_CLIENT_TLS to true.
Thanks for following up on this issue.
I don't remember how I came up to it, but my workaround is the contrary actually. Here is what I have in my docker compose file:
# Workaround for https://github.com/osixia/docker-phpLDAPadmin/issues/74
PHPLDAPADMIN_LDAP_CLIENT_TLS: "false"