
Problem

When I run ldapsearch I get a Connected status followed by the error Can't contact LDAP server (-1).

ldapsearch -x -H ldap://localhost:636 -d 1 -ZZ

Can't contact LDAP server (-1)

ldap_url_parse_ext(ldap://localhost:636)
ldap_create
ldap_url_parse_ext(ldap://localhost:636/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x55a5634972a0 msgid 1
wait4msg ld 0x55a5634972a0 msgid 1 (infinite timeout)
wait4msg continue ld 0x55a5634972a0 msgid 1 all 1
** ld 0x55a5634972a0 Connections:
* host: localhost  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Jun  4 04:39:35 2020


** ld 0x55a5634972a0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55a5634972a0 request count 1 (abandoned 0)
** ld 0x55a5634972a0 Response Queue:
   Empty
  ld 0x55a5634972a0 response count 0
ldap_chkResponseList ld 0x55a5634972a0 msgid 1 all 1
ldap_chkResponseList returns ld 0x55a5634972a0 NULL
ldap_int_select
read1msg: ld 0x55a5634972a0 msgid 1 all 1
ber_get_next
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_free_connection: actually freed
  • I've tried both ldap:// and ldaps://
  • Recreated a key as follows both as a CA and to sign a server key. I've tried adding the CA key and the server key, both with the Common Name matching the hostname of the LDAP server.

I've followed the suggested solution on this similar error: Some systems cannot connect to ldap via ldaps, but others can, is it the wildcard cert?

  • I'm running and connecting to the docker container from Ubuntu 18.04.4

Certificates

  1. Create a key with and without -des3

    openssl genrsa -des3 -out root.key 4096

  2. Create a certificate request without a password.

    openssl req -new -days 365 -key root.key -out root.csr

  3. Sign the certificate.

    openssl x509 -in root.csr -req -signkey root.key -out root.crt -days 365

  4. Add it to the store and specify the path in the Dockerfile.

    sudo dpkg-reconfigure ca-certificates

When running the server, the keys show up correctly in the certs folder on the server.

Files

Dockerfile

FROM osixia/openldap:1.3.0
MAINTAINER dave@daverussell.co.uk

ADD bootstrap /container/service/slapd/assets/config/bootstrap
ADD certs /container/service/slapd/assets/certs
ADD environment /container/environment/01-custom

I've created my own keys and the certificates are copied to the certs directory when I build the image.

docker-compose.yaml

version: '3'
services:
  ldap_jtc:
    build: ./build
    image:  osixia/openldap:1.3.0
    container_name: ldap_jtc
    command: --loglevel debug --copy-service
    environment:
      LDAP_LOG_LEVEL: 256
      LDAP_ORGANISATION: "JTC Ltd"
      LDAP_DOMAIN: ldap_jtc
      LDAP_BASE_DN: ldap_jtc
      LDAP_ADMIN_PASSWORD: admin
      LDAP_CONFIG_PASSWORD: config
      LDAP_READONLY_USER: "false"
      LDAP_RFC2307BIS_SCHEMA: "false"
      LDAP_BACKEND: mdb
      LDAP_TLS: "false"
      LDAP_TLS_CRT_FILENAME: root.crt
      LDAP_TLS_KEY_FILENAME: root.key
      LDAP_TLS_CA_CRT_FILENAME: root.crt
      LDAP_TLS_ENFORCE: "false"
      LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
      LDAP_TLS_PROTOCOL_MIN: 3.1
      LDAP_TLS_VERIFY_CLIENT: try
      LDAP_REPLICATION: "false"
      KEEP_EXISTING_CONFIG: "false"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
      LDAP_SSL_HELPER_PREFIX: ldap
    tty: true
    stdin_open: true
    volumes:
      - "ldap_data:/var/lib/ldap"
      - "ldap_conf:/etc/ldap/slapd.d"
      - "ldap_cert:/container/service/slapd/assets/certs/"
    ports:
      - "389:389"
      - "636:636"
    domainname: "ldap_jtc" # important: same as hostname
    hostname: "ldap_jtc"
volumes:
  ldap_data:
  ldap_conf:
  ldap_cert:

Troubleshooting

Debug Docker Compose Build and Run

Before running:

  • Removed containers, images and volumes.
  • Set debug output and copy service in the docker-compose by setting command: --loglevel debug --copy-service

Input

docker-compose up --build

Output

Creating volume "ldap_ldap_conf" with default driver
Creating volume "ldap_ldap_cert" with default driver
Creating volume "ldap_ldap_data" with default driver
Building ldap_jtc
Step 1/5 : FROM osixia/openldap:1.3.0
1.3.0: Pulling from osixia/openldap
8d691f585fa8: Pull complete
a5325a759667: Pull complete
21608ed88645: Pull complete
43c68a1f13be: Pull complete
24b4bb91f7a0: Pull complete
0e00059d443d: Pull complete
cb38955b6eb8: Pull complete
e930e18e9ac7: Pull complete
96d76b6db5da: Pull complete
Digest: sha256:66bf8dafc3c47a387dfa9d87425acab96acd8a3f2a62a8f6393584c27777cb41
Status: Downloaded newer image for osixia/openldap:1.3.0
 ---> faac9bb59f83
Step 2/5 : MAINTAINER dave@daverussell.co.uk
 ---> Running in 59d607b56ded
Removing intermediate container 59d607b56ded
 ---> 7645d9e22e7a
Step 3/5 : ADD bootstrap /container/service/slapd/assets/config/bootstrap
 ---> f663d14466cb
Step 4/5 : ADD certs /container/service/slapd/assets/certs
 ---> de1da8d9d6f0
Step 5/5 : ADD environment /container/environment/01-custom
 ---> 2426482381ee
Successfully built 2426482381ee
Successfully tagged osixia/openldap:1.3.0
Creating ldap_jtc ... 
Creating ldap_jtc ... done
Attaching to ldap_jtc
ldap_jtc    | *** CONTAINER_LOG_LEVEL = 4 (debug)
ldap_jtc    | *** Copy /container/service to /container/run/service
ldap_jtc    | *** Search service in CONTAINER_SERVICE_DIR = /container/run/service :
ldap_jtc    | *** link /container/run/service/:ssl-tools/startup.sh to /container/run/startup/:ssl-tools
ldap_jtc    | *** link /container/run/service/slapd/startup.sh to /container/run/startup/slapd
ldap_jtc    | *** link /container/run/service/slapd/process.sh to /container/run/process/slapd/run
ldap_jtc    | *** Set environment for startup files
ldap_jtc    | *** ignore : LANG = en_US.UTF-8 (keep LANG = en_US.UTF-8 )
ldap_jtc    | *** ignore : LANGUAGE = en_US.UTF-8 (keep LANGUAGE = en_US:en )
ldap_jtc    | *** Environment files will be proccessed in this order : 
ldap_jtc    | Caution: previously defined variables will not be overriden.
ldap_jtc    | /container/environment/99-default/default.startup.yaml
ldap_jtc    | /container/environment/99-default/default.yaml
ldap_jtc    | 
ldap_jtc    | *** --- process file : /container/environment/99-default/default.startup.yaml ---
ldap_jtc    | *** ignore : LDAP_ORGANISATION = Example Inc. (keep LDAP_ORGANISATION = JTC Ltd )
ldap_jtc    | *** ignore : LDAP_DOMAIN = example.org (keep LDAP_DOMAIN = ldap_jtc )
ldap_jtc    | *** ignore : LDAP_BASE_DN =  (keep LDAP_BASE_DN = ldap_jtc )
ldap_jtc    | *** ignore : LDAP_ADMIN_PASSWORD = admin (keep LDAP_ADMIN_PASSWORD = admin )
ldap_jtc    | *** ignore : LDAP_CONFIG_PASSWORD = config (keep LDAP_CONFIG_PASSWORD = config )
ldap_jtc    | *** ignore : LDAP_READONLY_USER = False (keep LDAP_READONLY_USER = false )
ldap_jtc    | *** ignore : LDAP_RFC2307BIS_SCHEMA = False (keep LDAP_RFC2307BIS_SCHEMA = false )
ldap_jtc    | *** ignore : LDAP_BACKEND = mdb (keep LDAP_BACKEND = mdb )
ldap_jtc    | *** ignore : LDAP_TLS = True (keep LDAP_TLS = false )
ldap_jtc    | *** ignore : LDAP_TLS_CRT_FILENAME = ldap.crt (keep LDAP_TLS_CRT_FILENAME = ldap_jtc.crt )
ldap_jtc    | *** ignore : LDAP_TLS_KEY_FILENAME = ldap.key (keep LDAP_TLS_KEY_FILENAME = ldap_jtc.key )
ldap_jtc    | *** ignore : LDAP_TLS_DH_PARAM_FILENAME = dhparam.pem (keep LDAP_TLS_DH_PARAM_FILENAME = ldap_jtc.csr )
ldap_jtc    | *** ignore : LDAP_TLS_CA_CRT_FILENAME = ca.crt (keep LDAP_TLS_CA_CRT_FILENAME = root_jtc.crt )
ldap_jtc    | *** ignore : LDAP_TLS_ENFORCE = False (keep LDAP_TLS_ENFORCE = false )
ldap_jtc    | *** ignore : LDAP_TLS_CIPHER_SUITE = SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC (keep LDAP_TLS_CIPHER_SUITE = SECURE256:-VERS-SSL3.0 )
ldap_jtc    | *** ignore : LDAP_TLS_VERIFY_CLIENT = demand (keep LDAP_TLS_VERIFY_CLIENT = demand )
ldap_jtc    | *** ignore : LDAP_REPLICATION = False (keep LDAP_REPLICATION = false )
ldap_jtc    | *** ignore : KEEP_EXISTING_CONFIG = False (keep KEEP_EXISTING_CONFIG = false )
ldap_jtc    | *** ignore : LDAP_REMOVE_CONFIG_AFTER_SETUP = True (keep LDAP_REMOVE_CONFIG_AFTER_SETUP = true )
ldap_jtc    | *** ignore : LDAP_SSL_HELPER_PREFIX = ldap (keep LDAP_SSL_HELPER_PREFIX = ldap )
ldap_jtc    | *** --- process file : /container/environment/99-default/default.yaml ---
ldap_jtc    | *** ignore : LDAP_LOG_LEVEL = 256 (keep LDAP_LOG_LEVEL = 256 )
ldap_jtc    | *** Run commands before startup...
ldap_jtc    | *** Running /container/run/startup/:ssl-tools...
ldap_jtc    | *** ------------ Environment dump ------------
ldap_jtc    | *** PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ldap_jtc    | *** HOSTNAME = ldap_jtc
ldap_jtc    | *** TERM = xterm
ldap_jtc    | *** LDAP_LOG_LEVEL = 256
ldap_jtc    | *** LDAP_REPLICATION = false
ldap_jtc    | *** LDAP_TLS_VERIFY_CLIENT = demand
ldap_jtc    | *** LDAP_TLS_CRT_FILENAME = ldap_jtc.crt
ldap_jtc    | *** LDAP_TLS = false
ldap_jtc    | *** LDAP_TLS_PROTOCOL_MIN = 3.1
ldap_jtc    | *** LDAP_ORGANISATION = JTC Ltd
ldap_jtc    | *** LDAP_ADMIN_PASSWORD = admin
ldap_jtc    | *** LDAP_DOMAIN = ldap_jtc
ldap_jtc    | *** LDAP_TLS_DH_PARAM_FILENAME = ldap_jtc.csr
ldap_jtc    | *** KEEP_EXISTING_CONFIG = false
ldap_jtc    | *** LDAP_SSL_HELPER_PREFIX = ldap
ldap_jtc    | *** LDAP_BASE_DN = ldap_jtc
ldap_jtc    | *** LDAP_TLS_CA_CRT_FILENAME = root_jtc.crt
ldap_jtc    | *** LDAP_TLS_ENFORCE = false
ldap_jtc    | *** LDAP_READONLY_USER = false
ldap_jtc    | *** LDAP_TLS_KEY_FILENAME = ldap_jtc.key
ldap_jtc    | *** LDAP_CONFIG_PASSWORD = config
ldap_jtc    | *** LDAP_REMOVE_CONFIG_AFTER_SETUP = true
ldap_jtc    | *** LDAP_TLS_CIPHER_SUITE = SECURE256:-VERS-SSL3.0
ldap_jtc    | *** LDAP_BACKEND = mdb
ldap_jtc    | *** LDAP_RFC2307BIS_SCHEMA = false
ldap_jtc    | *** LANG = en_US.UTF-8
ldap_jtc    | *** LANGUAGE = en_US:en
ldap_jtc    | *** LC_ALL = en_US.UTF-8
ldap_jtc    | *** HOME = /root
ldap_jtc    | *** CONTAINER_SERVICE_DIR = /container/run/service
ldap_jtc    | *** CONTAINER_STATE_DIR = /container/run/state
ldap_jtc    | *** CONTAINER_LOG_LEVEL = 4
ldap_jtc    | *** INITRD = no
ldap_jtc    | *** LC_CTYPE = en_US.UTF-8
ldap_jtc    | *** LDAP_READONLY_USER_USERNAME = readonly
ldap_jtc    | *** LDAP_READONLY_USER_PASSWORD = readonly
ldap_jtc    | *** LDAP_REPLICATION_CONFIG_SYNCPROV = binddn="cn=admin,cn=config" bindmethod=simple credentials="$LDAP_CONFIG_PASSWORD" searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
ldap_jtc    | *** LDAP_REPLICATION_DB_SYNCPROV = binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials="$LDAP_ADMIN_PASSWORD" searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
ldap_jtc    | *** LDAP_REPLICATION_HOSTS = #COMPLEX_BASH_ENV:TABLE: LDAP_REPLICATION_HOSTS_ROW_1 LDAP_REPLICATION_HOSTS_ROW_2
ldap_jtc    | *** SSL_HELPER_AUTO_RENEW_SERVICES_IMPACTED = slapd
ldap_jtc    | *** LDAP_NOFILE = 1024
ldap_jtc    | *** DISABLE_CHOWN = False
ldap_jtc    | *** LDAP_REPLICATION_HOSTS_ROW_1 = ldap://ldap.example.org
ldap_jtc    | *** LDAP_REPLICATION_HOSTS_ROW_2 = ldap://ldap2.example.org
ldap_jtc    | *** ------------------------------------------
ldap_jtc    | *** Running /container/run/startup/slapd...
ldap_jtc    | *** ------------ Environment dump ------------
ldap_jtc    | *** CONTAINER_LOG_LEVEL = 4
ldap_jtc    | *** CONTAINER_SERVICE_DIR = /container/run/service
ldap_jtc    | *** CONTAINER_STATE_DIR = /container/run/state
ldap_jtc    | *** DISABLE_CHOWN = False
ldap_jtc    | *** HOME = /root
ldap_jtc    | *** HOSTNAME = ldap_jtc
ldap_jtc    | *** INITRD = no
ldap_jtc    | *** KEEP_EXISTING_CONFIG = false
ldap_jtc    | *** LANG = en_US.UTF-8
ldap_jtc    | *** LANGUAGE = en_US:en
ldap_jtc    | *** LC_ALL = en_US.UTF-8
ldap_jtc    | *** LC_CTYPE = en_US.UTF-8
ldap_jtc    | *** LDAP_ADMIN_PASSWORD = admin
ldap_jtc    | *** LDAP_BACKEND = mdb
ldap_jtc    | *** LDAP_BASE_DN = ldap_jtc
ldap_jtc    | *** LDAP_CONFIG_PASSWORD = config
ldap_jtc    | *** LDAP_DOMAIN = ldap_jtc
ldap_jtc    | *** LDAP_LOG_LEVEL = 256
ldap_jtc    | *** LDAP_NOFILE = 1024
ldap_jtc    | *** LDAP_ORGANISATION = JTC Ltd
ldap_jtc    | *** LDAP_READONLY_USER = false
ldap_jtc    | *** LDAP_READONLY_USER_PASSWORD = readonly
ldap_jtc    | *** LDAP_READONLY_USER_USERNAME = readonly
ldap_jtc    | *** LDAP_REMOVE_CONFIG_AFTER_SETUP = true
ldap_jtc    | *** LDAP_REPLICATION = false
ldap_jtc    | *** LDAP_REPLICATION_CONFIG_SYNCPROV = binddn="cn=admin,cn=config" bindmethod=simple credentials="$LDAP_CONFIG_PASSWORD" searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
ldap_jtc    | *** LDAP_REPLICATION_DB_SYNCPROV = binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials="$LDAP_ADMIN_PASSWORD" searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
ldap_jtc    | *** LDAP_REPLICATION_HOSTS = #COMPLEX_BASH_ENV:TABLE: LDAP_REPLICATION_HOSTS_ROW_1 LDAP_REPLICATION_HOSTS_ROW_2
ldap_jtc    | *** LDAP_REPLICATION_HOSTS_ROW_1 = ldap://ldap.example.org
ldap_jtc    | *** LDAP_REPLICATION_HOSTS_ROW_2 = ldap://ldap2.example.org
ldap_jtc    | *** LDAP_RFC2307BIS_SCHEMA = false
ldap_jtc    | *** LDAP_SSL_HELPER_PREFIX = ldap
ldap_jtc    | *** LDAP_TLS = false
ldap_jtc    | *** LDAP_TLS_CA_CRT_FILENAME = root_jtc.crt
ldap_jtc    | *** LDAP_TLS_CIPHER_SUITE = SECURE256:-VERS-SSL3.0
ldap_jtc    | *** LDAP_TLS_CRT_FILENAME = ldap_jtc.crt
ldap_jtc    | *** LDAP_TLS_DH_PARAM_FILENAME = ldap_jtc.csr
ldap_jtc    | *** LDAP_TLS_ENFORCE = false
ldap_jtc    | *** LDAP_TLS_KEY_FILENAME = ldap_jtc.key
ldap_jtc    | *** LDAP_TLS_PROTOCOL_MIN = 3.1
ldap_jtc    | *** LDAP_TLS_VERIFY_CLIENT = demand
ldap_jtc    | *** PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ldap_jtc    | *** SSL_HELPER_AUTO_RENEW_SERVICES_IMPACTED = slapd
ldap_jtc    | *** TERM = xterm
ldap_jtc    | *** ------------------------------------------
ldap_jtc    | Database and config directory are empty...
ldap_jtc    | Init new ldap server...

Show Certificates

A. Run from Host

Input

openssl s_client -showcerts -connect localhost:636 

Output

CONNECTED(00000005)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 311 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

B. Run from container

Input

sudo docker exec -it ldap_jtc bash

Running in the container:

root@ldap_jtc:/# openssl s_client -showcerts -connect 127.0.0.1:636

Output

139636822721664:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
139636822721664:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111
Dave Russell
  • A -1 usually means that the client never reached the server, but it can also actually be the result of a failed TLS handshake. Increase logging on the server, and look for the failure. OpenLDAP logs tend to be very verbose, but if you compare each line closely it should indicate why things are failing. In particular, if you have ACLs, look closely at the ACL policies and look to see if the request was accepted by any rules – Stefan Lasiewski Jun 11 '20 at 00:58
  • Thank you. I've actually looked at the slapd service status and found this... sed: can't read /etc/ldap/slapd.d/cn=config.ldif: No such file or directory. Investigating now. – Dave Russell Jun 11 '20 at 02:11
  • It would also explain the last line of the output when running the container. "Database and config directory are empty". – Dave Russell Jun 11 '20 at 02:43
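
The trace in the question shows the TCP connect succeeding (status: Connected) and the failure only arriving when the client waits for a reply, while the same port is refused from inside the container. That pattern is consistent with Docker's port publishing accepting the connection on the host (the default userland proxy accepts first and only then tries to reach the container) rather than slapd, which with LDAP_TLS set to "false" is not configured to serve TLS at all. Note also that ldap:// together with -ZZ expects a plaintext LDAP listener that is upgraded with StartTLS, whereas ldaps:// expects TLS from the first byte. The probe below, an added example that is not part of the question or of the osixia/openldap image, performs the TLS handshake itself and classifies what happened, so "nothing is listening", "something accepted TCP but never spoke TLS" and "TLS ran but the certificate was rejected" can be told apart. The two loopback helpers are constructed stand-ins for exercising it without a server; the function and state names are my own.

```python
import socket
import ssl
import threading
from typing import Optional


def probe_tls(host: str, port: int, cafile: Optional[str] = None,
              timeout: float = 5.0) -> dict:
    """Connect to host:port as an ldaps:// client would and report what happened.

    The returned dict always has a "state" key:
      "refused"              nothing accepted the TCP connection
      "timeout"              no TCP or TLS reply within `timeout` seconds
      "tcp_accepted_no_tls"  TCP connect succeeded but the peer closed or reset
                             the connection instead of answering the ClientHello
      "tls_cert_rejected"    handshake ran, certificate failed verification
      "tls_handshake_failed" handshake ran and failed for another reason
      "tls_ok"               handshake completed; version/cipher/subject filled in
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        # No CA supplied: complete the handshake anyway so the peer certificate
        # can be inspected, but do not verify it (diagnostic use only).
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"state": "refused", "detail": "TCP connect refused: no listener"}
    except socket.timeout:
        return {"state": "timeout", "detail": "TCP connect timed out"}

    with raw:  # closing a socket that wrap_socket() already took over is a no-op
        try:
            tls = ctx.wrap_socket(raw, server_hostname=host)
        except ssl.SSLCertVerificationError as e:
            return {"state": "tls_cert_rejected", "detail": str(e)}
        except ssl.SSLEOFError as e:
            return {"state": "tcp_accepted_no_tls",
                    "detail": f"peer closed during handshake: {e}"}
        except ssl.SSLError as e:
            # Older OpenSSL builds report an early close as a generic SSLError
            # whose message mentions EOF; treat that the same way.
            state = ("tcp_accepted_no_tls" if "EOF" in str(e).upper()
                     else "tls_handshake_failed")
            return {"state": state, "detail": str(e)}
        except (ConnectionResetError, BrokenPipeError) as e:
            return {"state": "tcp_accepted_no_tls",
                    "detail": f"peer reset the connection: {e}"}
        except socket.timeout:
            return {"state": "timeout", "detail": "no TLS handshake reply"}
        with tls:
            cert = tls.getpeercert()  # {} when verify_mode is CERT_NONE
            return {
                "state": "tls_ok",
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": cert.get("subject") if cert else None,
            }


def start_accept_and_close_listener() -> int:
    """Constructed stand-in for the symptom in the question: a loopback TCP
    listener that accepts one connection and closes it without speaking TLS.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_port() -> int:
    """A loopback port with nothing listening (bound, then released at once)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    # usage: probe.py [host] [port] [ca.crt]; defaults match the question's target
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe_tls(host, port, cafile=ca))
```

Running it against the published port from the host and then from inside the container gives the two different states directly: "tcp_accepted_no_tls" on the host and "refused" in the container point at a port that is published but has no TLS listener behind it, whereas "tls_cert_rejected" with the CA file supplied means slapd is serving TLS and the certificate chain or hostname is the thing to fix.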

0 Answers