LDAPS connection (Ubuntu 20.04)

VoidAndAny · October 4, 2021, 3:19pm

Hi,
I almost have the same issue than @andrin here LDAPS fails to contact server (LDAP works) (but not the same OS version)

Can’t make LDAP connection works.

I always have the following error:

    2021-10-04 17:06:51 ../common/user-mgr.c(299): ldap_bind failed for user uid=xxx,cn=users,dc=xxx,dc=fr: Can't contact LDAP server.
    2021-10-04 17:06:51 ../common/user-mgr.c(384): Please check USER_DN and PASSWORD settings.

It is a new Seafile Server using last Seafile server version (8.0.6) on Ubuntu 20.04.
My previous Seafile server (7.0.5) on Debian 8 with the same LDAP parameters works fine.

On Debian 8, I had to move Seafile bundled ldap related libraries like described in the doc (LDAP/AD Integration - Seafile Admin Manual), in my comprehension it isn’t necessary under Ubuntu 20.04 (morevover all files listed doesn’t exist).

Of course I test my LDAP connection with ldap_search (and it’s OK)

What can I do ?
How can I debug ?

Thanks a lot

daniel.pan · October 5, 2021, 9:36am

The best way is to use the Docker version to avoid library compatibility issues. We have tested the docker version a few weeks ago. LDAPS should work.

VoidAndAny · October 5, 2021, 11:36am

Thanks, just tried Docker version same problem

VoidAndAny · October 5, 2021, 11:45am

For information my LDAP configuration:

[LDAP]
HOST = ldaps://ldap.xxx.fr:636
BASE = cn=users,dc=xxx,dc=fr
USER_DN = uid=xxx,cn=users,dc=xxx,dc=fr
PASSWORD = xxx
LOGIN_ATTR = mail
FILTER = memberof=CN=uDrive,CN=groups,DC=xxx,DC=fr

VoidAndAny · October 5, 2021, 11:55am

More information

LDAP is a Synology LDAP

Ldap search command to validate configuration:

ldapsearch -b 'cn=users,dc=xxx,dc=fr' -xH ldaps://xxx:636 -D "uid=xxx,cn=users,dc=xxx,dc=fr" -W

daniel.pan · October 6, 2021, 2:46am

We don’t have a Synology LDAP available. But we will give LDAP a try. Last time, we checked with AD.

VoidAndAny · October 6, 2021, 7:05am

Thanks, I think LDAP and Synology LDAP are the same
I think the problem is TLS negotiation, if I can help like make test in debug mode let me know, my Seafile server isn’t in production mode I can brake it

VoidAndAny · October 27, 2021, 8:46am

Did you have time to test LDAP (not AD) connection ?
I’ve got a brand new server waiting to be used with the latest version of Seafile.

How can I help you ?

daniel.pan · November 11, 2021, 5:59am

We find that you need to modify /etc/ldap/ldap.conf in Ubuntu to make LDAPS work.

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
                   |
                   v
# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT     allow

We will include such a modification in docker image for Seafile 9.0.

asifbacchus · November 11, 2021, 8:24am

Regarding the Docker version (which is Ubuntu): I had to build the container with an updated ca-certificates package and everything worked perfectly from that point forward. I guess the pre-built containers are using an old package? Just to be sure, I also included the ldap-utils package so I could manually run tests like ldapsearch from within the container.

I gave more details in this post since I was also just facing this issue.

I hope this helps, good luck!

DerDanilo · February 22, 2022, 7:44pm

daniel.pan:

 TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
                   |
                   v
# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT     allow

Thanks for finding the problem.
Why is this not in the manual? Not having such information there causes a lot of headache and is very time consuming.

According to ldap manuals the setting " TLSVerifyClient" should rather be used. But either should work.

dani · February 24, 2022, 8:44pm

TLS_REQCERT=allow will disable certificate verification. It should never be done, nor required. Hope you won’t include such a security disaster on the Docker image

shoeper · February 24, 2022, 9:58pm

In the documentation I read

“With a setting of allow the server will ask for a client certificate; if none is provided the session proceeds normally. If a certificate is provided but the server is unable to verify it, the certificate is ignored and the session proceeds normally, as if no certificate had been provided.”

Doesn’t look close to certificate validation is is disabled by the option.

Why does it disable certificate validation?

dani · February 24, 2022, 10:28pm

https://www.openldap.org/software//man.cgi?query=ldap.conf&sektion=5&apropos=0&manpath=OpenLDAP+2.4-Release

TLS_REQCERT=allow disables server certificate (the one of the ldap server) check by the client (seafile)

VoidAndAny · May 18, 2022, 11:57am

Argh I didn’t see there is answers to my thread

Unfortunately, LDAP connection still doesn’t woks even with this configuration in /etc/ldap/ldap.conf

I add the line, restart Seafile, but I still have this error:

2022-05-18 13:48:22 ../common/user-mgr.c(299): ldap_bind failed for user uid=my-user-dn,cn=users,dc=domain,dc=fr: Can't contact LDAP server.
2022-05-18 13:48:22 ../common/user-mgr.c(384): Please check USER_DN and PASSWORD settings.

But if I try with ldapsearch from the same server with the same connection information it’s OK:

ldapsearch -b 'cn=users,dc=domain,dc=fr' -xH ldaps://ldap.domain.fr:636 -D "uid=my-user-dn,cn=users,dc=domain,dc=fr" -W

ccnet.conf (anonymised) :

[LDAP]
HOST = ldaps://ldap.domain.fr:636
BASE = cn=users,dc=domain,dc=fr
USER_DN = uid=my-user-dn,cn=users,dc=domain,dc=fr
PASSWORD = my-password
LOGIN_ATTR = mail
FILTER = memberof=CN=uDrive,CN=groups,DC=domain,DC=fr

VoidAndAny · May 18, 2022, 4:48pm

it’s finally work with a fresh install of the latest seafile