LDAPS connection (Ubuntu 20.04)

VoidAndAny · October 5, 2021, 11:36am

Hi,
I almost have the same issue than @andrin here LDAPS fails to contact server (LDAP works) (but not the same OS version)

Can’t make LDAP connection works.

I always have the following error:

    2021-10-04 17:06:51 ../common/user-mgr.c(299): ldap_bind failed for user uid=xxx,cn=users,dc=xxx,dc=fr: Can't contact LDAP server.
    2021-10-04 17:06:51 ../common/user-mgr.c(384): Please check USER_DN and PASSWORD settings.

It is a new Seafile Server using last Seafile server version (8.0.6) on Ubuntu 20.04.
My previous Seafile server (7.0.5) on Debian 8 with the same LDAP parameters works fine.

On Debian 8, I had to move Seafile bundled ldap related libraries like described in the doc (LDAP/AD Integration - Seafile Admin Manual), in my comprehension it isn’t necessary under Ubuntu 20.04 (morevover all files listed doesn’t exist).

Of course I test my LDAP connection with ldap_search (and it’s OK)

What can I do ?
How can I debug ?

Thanks a lot

daniel.pan · October 5, 2021, 9:36am

The best way is to use the Docker version to avoid library compatibility issues. We have tested the docker version a few weeks ago. LDAPS should work.

VoidAndAny · October 5, 2021, 11:36am

Thanks, just tried Docker version same problem

VoidAndAny · October 5, 2021, 11:45am

For information my LDAP configuration:

[LDAP]
HOST = ldaps://ldap.xxx.fr:636
BASE = cn=users,dc=xxx,dc=fr
USER_DN = uid=xxx,cn=users,dc=xxx,dc=fr
PASSWORD = xxx
LOGIN_ATTR = mail
FILTER = memberof=CN=uDrive,CN=groups,DC=xxx,DC=fr

VoidAndAny · October 5, 2021, 11:55am

More information

LDAP is a Synology LDAP

Ldap search command to validate configuration:

ldapsearch -b 'cn=users,dc=xxx,dc=fr' -xH ldaps://xxx:636 -D "uid=xxx,cn=users,dc=xxx,dc=fr" -W

daniel.pan · October 6, 2021, 2:46am

We don’t have a Synology LDAP available. But we will give LDAP a try. Last time, we checked with AD.

VoidAndAny · October 6, 2021, 7:05am

Thanks, I think LDAP and Synology LDAP are the same
I think the problem is TLS negotiation, if I can help like make test in debug mode let me know, my Seafile server isn’t in production mode I can brake it

VoidAndAny · October 27, 2021, 8:46am

Did you have time to test LDAP (not AD) connection ?
I’ve got a brand new server waiting to be used with the latest version of Seafile.

How can I help you ?

daniel.pan · November 11, 2021, 5:59am

We find that you need to modify /etc/ldap/ldap.conf in Ubuntu to make LDAPS work.

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
                   |
                   v
# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT     allow

We will include such a modification in docker image for Seafile 9.0.

asifbacchus · November 11, 2021, 8:24am

Regarding the Docker version (which is Ubuntu): I had to build the container with an updated ca-certificates package and everything worked perfectly from that point forward. I guess the pre-built containers are using an old package? Just to be sure, I also included the ldap-utils package so I could manually run tests like ldapsearch from within the container.

I gave more details in this post since I was also just facing this issue.

I hope this helps, good luck!