Seafile Docker: LDAPS not working

Hello guys,

Right now I'm setting up a Docker container to migrate my old seafile-server. On the old server I've used LDAP to connect to my AD, and I want to use this in my new environment with LDAPS to get a bit more security :slight_smile:

What I’ve done:
LDAP Connection in docker is working. I can authenticate in the way I want to (memberOf etc.).

What's my problem:
I can't connect to my Active Directory (Windows Server 2016) using LDAPS - do you guys have some tips to get this running inside the Docker container? I can't find a solution to do this inside my container.

Steps I’ve tried:

  • mounted the cacert from my domaincontroller to /etc/ssl/certs/cacert.crt

  • tried to move the following libs to another location (found this in other threads): liblber-2.4.so.2 libldap-2.4.so.2 libsasl2.so.3 libldap_r-2.4.so.2 (it's an Ubuntu image I think - so I tried the “Debian way”. Hope that's right).

  • ccnet.conf:

    [LDAP]
    HOST = ldaps://dc01.domain.tld:636/
    BASE = DNOFBASEOU
    USER_DN = serviceuser@domain.tld
    PASSWORD = password
    LOGIN_ATTR = mail
    FILTER = memberOf=DNOFGROUP

Versions I use:

  • Docker with Rancher v2
  • Latest seafileltd/seafile release
  • Docker/Rancher on newest CentOS.

Thank you guys! Have a nice day :slight_smile:

atomique

PS: Authentication with LDAP is working. It must have something to do with my cert / certpath / ldap-libs? I only have a problem with LDAPS / LDAP with TLS.

EDIT: Seems like I have the following problem, what do you think? https://github.com/haiwen/seafile-docker/issues/61

Hi,

I just set up seafile pro (7.0.5) in a VM and had this behaviour while connecting to openldap - on Debian, and then tried CentOS 7 - also with the same result…

Have a look at /etc/openldap/ldap.conf - there is a TLS_CACERTDIR value pointing to the certificates.
TLS_CACERTDIR = /etc/openldap/cacerts
On a freshly installed CentOS this directory doesn't exist, and then LDAPS fails completely.

For a first test you can disable the cert check for LDAP:
TLS_REQCERT never

But the right solution is to set TLS_CACERTDIR to a valid CA directory. We use public certificates … I created a softlink:

# ls -l /etc/openldap/cacerts
lrwxrwxrwx. 1 root root 15 Jul 18 10:25 /etc/openldap/cacerts -> /etc/ssl/certs/

(restart seafile and seahub)

@seafile developers: The current output on ldap problems is quite minimal and it is hard to find the real problem. Maybe you can add an option for more debug output … in PHP style it is
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

regards,
Axel

Hey @axelhahn,

thank you for that answer - I haven't seen it until now, but I will give it a try soon. I will write back if I have success with this!

Thanks a lot!

Have a look at /etc/openldap/ldap.conf - there is a TLS_CACERTDIR value pointing to the certificates.
TLS_CACERTDIR = /etc/openldap/cacerts
On a freshly installed CentOS this directory doesn't exist, and then LDAPS fails completely.

This directory is for the openldap-clients, which you don't need. The correct directory for your CA certificates on CentOS is /etc/pki/tls/certs. Don't forget to create symbolic links of the hashes to the certificate files.

# openssl x509 -hash -noout -in ca.pem
11ccac9c
# ln -s ca.pem 11ccac9c.0
# ls -l
lrwxrwxrwx. 1 root root       7 21. Mar 2017  11ccac9c.0 -> ca.pem

Regards,
Dirk
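As an added shell example (not code from the thread, from Seafile or from OpenLDAP), here is a small helper that does what Dirk describes for any directory you point TLS_CACERTDIR at: copy the CA file in, create the `<subject-hash>.N` symlink OpenSSL's hash lookup expects (moving to `.1`, `.2`, … if a different certificate already occupies the slot), and then confirm with `openssl verify -CApath` that the CA is actually found through that lookup. The function names and the `ca.pem` / directory arguments are mine; the commands it wraps are the same `openssl x509 -hash` and `ln -s` shown above.

```sh
#!/bin/sh
# Added example (not from the thread): install a CA into an OpenSSL
# "CApath" directory so an LDAPS client (TLS_CACERTDIR in ldap.conf)
# can find it by subject hash.
set -e

# install_ca_hashlink CA_PEM CERTDIR
# Copies CA_PEM into CERTDIR and creates the <subject-hash>.N symlink that
# OpenSSL's hash lookup expects. N starts at 0 and is incremented when a
# different certificate already occupies that slot (hash collisions are
# rare but possible). Prints the path of the symlink.
install_ca_hashlink() {
  ca_pem="$1"; certdir="$2"
  base=$(basename "$ca_pem")
  # Copy unless the file already lives in CERTDIR (cp refuses same-file copies).
  if [ ! "$ca_pem" -ef "$certdir/$base" ]; then
    cp "$ca_pem" "$certdir/$base"
  fi
  hash=$(openssl x509 -hash -noout -in "$ca_pem")
  want=$(openssl x509 -fingerprint -sha256 -noout -in "$ca_pem")
  n=0
  while [ -e "$certdir/$hash.$n" ] || [ -L "$certdir/$hash.$n" ]; do
    have=$(openssl x509 -fingerprint -sha256 -noout -in "$certdir/$hash.$n" 2>/dev/null || true)
    if [ "$have" = "$want" ]; then
      # Same CA already linked in this slot: nothing to do (idempotent).
      printf '%s\n' "$certdir/$hash.$n"
      return 0
    fi
    n=$((n + 1))
  done
  # Relative link target, as in the thread, so the directory stays relocatable.
  ln -s "$base" "$certdir/$hash.$n"
  printf '%s\n' "$certdir/$hash.$n"
}

# verify_ca_hashlink CA_PEM CERTDIR
# Succeeds only if OpenSSL can locate the CA through the hashed links in
# CERTDIR. An OpenSSL-linked libldap does the same kind of lookup for
# TLS_CACERTDIR, so a failure here is the same failure LDAPS will hit.
verify_ca_hashlink() {
  openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Usage: sh install_ca.sh ca.pem /etc/openldap/cacerts
if [ "$#" -eq 2 ]; then
  link=$(install_ca_hashlink "$1" "$2")
  echo "linked: $link"
  verify_ca_hashlink "$1" "$2" && echo "CA found via hash lookup in $2"
fi
```

Restart seafile and seahub afterwards, as Axel notes, so libldap re-reads the directory.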