LDAPS connection (Ubuntu 20.04)

Hi,
I almost have the same issue as @andrin here: LDAPS fails to contact server (LDAP works) (but not the same OS version)

Can’t make the LDAP connection work.

I always have the following error:

    2021-10-04 17:06:51 ../common/user-mgr.c(299): ldap_bind failed for user uid=xxx,cn=users,dc=xxx,dc=fr: Can't contact LDAP server.
    2021-10-04 17:06:51 ../common/user-mgr.c(384): Please check USER_DN and PASSWORD settings.

It is a new Seafile Server using the latest Seafile server version (8.0.6) on Ubuntu 20.04.
My previous Seafile server (7.0.5) on Debian 8 with the same LDAP parameters works fine.

On Debian 8, I had to move the Seafile bundled LDAP related libraries as described in the doc (LDAP/AD Integration - Seafile Admin Manual); in my understanding it isn’t necessary under Ubuntu 20.04 (moreover, none of the files listed exist).

Of course I tested my LDAP connection with ldapsearch (and it’s OK).

What can I do?
How can I debug?

Thanks a lot

The best way is to use the Docker version to avoid library compatibility issues. We tested the Docker version a few weeks ago. LDAPS should work.

Thanks, just tried the Docker version, same problem :cry:

For information my LDAP configuration:

    [LDAP]
    HOST = ldaps://ldap.xxx.fr:636
    BASE = cn=users,dc=xxx,dc=fr
    USER_DN = uid=xxx,cn=users,dc=xxx,dc=fr
    PASSWORD = xxx
    LOGIN_ATTR = mail
    FILTER = memberof=CN=uDrive,CN=groups,DC=xxx,DC=fr

More information :slight_smile:

LDAP is a Synology LDAP

ldapsearch command to validate the configuration:

    ldapsearch -b 'cn=users,dc=xxx,dc=fr' -xH ldaps://xxx:636 -D "uid=xxx,cn=users,dc=xxx,dc=fr" -W

We don’t have a Synology LDAP available. But we will give LDAP a try. Last time, we checked with AD.

Thanks, I think LDAP and Synology LDAP are the same.
I think the problem is TLS negotiation; if I can help, e.g. by running tests in debug mode, let me know. My Seafile server isn’t in production, I can break it :slight_smile:

:wave:
Did you have time to test the LDAP (not AD) connection?
I’ve got a brand new server waiting to be used with the latest version of Seafile.

How can I help you?

We found that you need to modify /etc/ldap/ldap.conf in Ubuntu to make LDAPS work.

    # TLS certificates (needed for GnuTLS)
    TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
                       |
                       v
    # TLS certificates (needed for GnuTLS)
    TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
    TLS_REQCERT     allow

We will include such a modification in the Docker image for Seafile 9.0.

Regarding the Docker version (which is Ubuntu): I had to build the container with an updated ca-certificates package and everything worked perfectly from that point forward. I guess the pre-built containers are using an old package? Just to be sure, I also included the ldap-utils package so I could manually run tests like ldapsearch from within the container.

I gave more details in this post since I was also just facing this issue.

I hope this helps, good luck!

Thanks for finding the problem.
Why is this not in the manual? Not having such information there causes a lot of headache and is very time consuming.

According to the ldap manuals the setting "TLSVerifyClient" should rather be used. But either should work.

TLS_REQCERT=allow will disable certificate verification. It should never be done, nor required. Hope you won’t include such a security disaster in the Docker image.


In the documentation I read

“With a setting of allow the server will ask for a client certificate; if none is provided the session proceeds normally. If a certificate is provided but the server is unable to verify it, the certificate is ignored and the session proceeds normally, as if no certificate had been provided.”

Doesn’t look like certificate validation is disabled by the option.

Why does it disable certificate validation?

https://www.openldap.org/software//man.cgi?query=ldap.conf&sektion=5&apropos=0&manpath=OpenLDAP+2.4-Release

TLS_REQCERT=allow disables the server certificate check (the certificate of the LDAP server) by the client (Seafile).
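As an added example (not code from this thread or from Seafile), a small Python linter for the client-side settings discussed above: it flags `TLS_REQCERT never`/`allow` in /etc/ldap/ldap.conf, where the fix is to trust the LDAP server's issuing CA via `TLS_CACERT` and keep the default `demand`, and it flags a plain `ldap://` HOST in ccnet.conf. The sample configs are constructed from the anonymised values in this thread.

```python
import configparser

# Constructed sample of /etc/ldap/ldap.conf as proposed earlier in the thread:
# TLS_REQCERT allow switches off verification of the LDAP server's certificate.
LDAP_CONF = """\
# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT     allow
"""

# Constructed sample of the ccnet.conf [LDAP] section (anonymised values from the thread).
CCNET_CONF = """\
[LDAP]
HOST = ldaps://ldap.domain.fr:636
BASE = cn=users,dc=domain,dc=fr
USER_DN = uid=my-user-dn,cn=users,dc=domain,dc=fr
PASSWORD = my-password
"""


def parse_ldap_conf(text):
    """Parse ldap.conf lines of the form 'KEY value'; keys are case-insensitive, '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        opts[key.upper()] = value.strip()
    return opts


def audit(ldap_conf_text, ccnet_conf_text):
    """Return (severity, message) findings for the client-side LDAPS setup."""
    findings = []
    opts = parse_ldap_conf(ldap_conf_text)
    reqcert = opts.get("TLS_REQCERT", "demand").lower()  # OpenLDAP's default is demand
    if reqcert in ("never", "allow"):
        findings.append(("HIGH", f"TLS_REQCERT {reqcert}: the server certificate is not verified; "
                                 "add the issuing CA to TLS_CACERT and use 'demand' instead"))
    elif reqcert == "try":
        findings.append(("MEDIUM", "TLS_REQCERT try: a bad certificate is rejected but a missing one is accepted"))
    if "TLS_CACERT" not in opts and "TLS_CACERTDIR" not in opts:
        findings.append(("MEDIUM", "no TLS_CACERT/TLS_CACERTDIR: the client has no CA bundle to verify against"))
    ccnet = configparser.ConfigParser(interpolation=None)  # no '%' interpolation in PASSWORD
    ccnet.read_string(ccnet_conf_text)
    host = ccnet.get("LDAP", "HOST", fallback="")
    if not host.lower().startswith("ldaps://"):
        findings.append(("HIGH", f"HOST {host}: a simple bind over plain ldap:// sends the bind "
                                 "PASSWORD in clear text unless STARTTLS is negotiated"))
    return findings
```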

Argh, I didn’t see there are answers to my thread :confused:

Unfortunately, the LDAP connection still doesn’t work even with this configuration in /etc/ldap/ldap.conf.

I added the line and restarted Seafile, but I still have this error:

    2022-05-18 13:48:22 ../common/user-mgr.c(299): ldap_bind failed for user uid=my-user-dn,cn=users,dc=domain,dc=fr: Can't contact LDAP server.
    2022-05-18 13:48:22 ../common/user-mgr.c(384): Please check USER_DN and PASSWORD settings.

But if I try with ldapsearch from the same server with the same connection information it’s OK:

    ldapsearch -b 'cn=users,dc=domain,dc=fr' -xH ldaps://ldap.domain.fr:636 -D "uid=my-user-dn,cn=users,dc=domain,dc=fr" -W

ccnet.conf (anonymised):

    [LDAP]
    HOST = ldaps://ldap.domain.fr:636
    BASE = cn=users,dc=domain,dc=fr
    USER_DN = uid=my-user-dn,cn=users,dc=domain,dc=fr
    PASSWORD = my-password
    LOGIN_ATTR = mail
    FILTER = memberof=CN=uDrive,CN=groups,DC=domain,DC=fr

:tada: it finally works with a fresh install of the latest Seafile :tada::tada::tada: