[GH-ISSUE #926] [BUG] 🚨 [error]: [LDAPS] Service Error: while handling incoming messages: while receiving LDAP op: unexpected end of file #335

Closed
opened 2026-02-27 08:16:43 +03:00 by kerem · 7 comments

Originally created by @danthonywalker on GitHub (Jul 3, 2024).
Original GitHub issue: https://github.com/lldap/lldap/issues/926

Describe the bug
When trying to use the following command to test LLDAP:
`ldapsearch -x -H ldaps://<IP> -D 'cn=user,ou=people,DC=example,DC=com' -w 'password' -b 'DC=example,DC=com'`
I get the error as specified in the title. `ldapsearch` prints `ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)`.
Meanwhile
`ldapsearch -x -H ldap://<IP> -D 'cn=user,ou=people,DC=example,DC=com' -w 'password' -b 'DC=example,DC=com'`
does work, so LLDAP is discoverable.

To Reproduce
I have this as my docker-compose:

```yaml
services:
  lldap:
    image: lldap/lldap:v0.5.0
    container_name: lldap
    restart: unless-stopped
    env_file: stack.env
    networks:
      - nginx
    ports:
      - 389:3890
      - 636:6360
    volumes:
      - lldap:/data
      - letsencrypt:/etc/letsencrypt

networks:
  nginx:
    external: true

volumes:
  lldap:
    name: lldap
  letsencrypt:
    external: true
```

Expected behavior
I expect LDAPS to work.

Logs

```
> Setup permissions..
> Starting lldap..
Loading configuration from /data/lldap_config.toml
Configuration: Configuration {
    ldap_host: "0.0.0.0",
    ldap_port: 3890,
    http_host: "0.0.0.0",
    http_port: 17170,
    jwt_secret: ***SECRET***,
    ldap_base_dn: "dc=example,dc=com",
    ldap_user_dn: UserId(
        "admin",
    ),
    ldap_user_email: "",
    ldap_user_pass: ***SECRET***,
    database_url: "sqlite:///data/users.db?mode=rwc",
    ignored_user_attributes: [],
    ignored_group_attributes: [],
    verbose: true,
    key_file: "/data/private_key",
    key_seed: Some(
WARNING: A key_seed was given, we will ignore the server_key and generate one from the seed!
        ***SECRET***,
    ),
    smtp_options: MailOptions {
        enable_password_reset: false,
        from: None,
        reply_to: None,
        server: "localhost",
        port: 587,
        user: "",
        password: ***SECRET***,
        smtp_encryption: Tls,
        tls_required: None,
    },
    ldaps_options: LdapsOptions {
        enabled: true,
        port: 6360,
        cert_file: "/etc/letsencrypt/live/npm-5/cert.pem",
        key_file: "/etc/letsencrypt/live/npm-5/privkey.pem",
    },
    http_url: Url {
        scheme: "http",
        cannot_be_a_base: false,
        username: "",
        password: None,
        host: Some(
            Domain(
                "localhost",
            ),
        ),
        port: None,
        path: "/",
        query: None,
        fragment: None,
    },
    server_setup: None,
}
WARNING: Unsecure default admin password is used.
2024-07-03T03:51:25.477576926+00:00  INFO     set_up_server [ 11.6ms | 47.46% / 100.00% ]
2024-07-03T03:51:25.477668516+00:00  INFO     ┝━ i [info]: Starting LLDAP version 0.5.0
2024-07-03T03:51:25.479378706+00:00  DEBUG    ┝━ get_schema_version [ 432µs | 3.73% ]
2024-07-03T03:51:25.481050535+00:00  DEBUG    │  ┕━ 🐛 [debug]:  | return: Some(SchemaVersion(5))
2024-07-03T03:51:25.481225513+00:00  DEBUG    ┝━ list_groups [ 1.61ms | 13.93% ] filters: Some(DisplayName("lldap_admin"))
2024-07-03T03:51:25.485742116+00:00  DEBUG    │  ┕━ 🐛 [debug]:  | return: [Group { id: GroupId(1), display_name: "lldap_admin", creation_date: 2024-07-03T03:20:33.296500646, uuid: Uuid("78cf83a1-494e-3b47-8981-fa1dd61d7877"), users: [UserId("admin")], attributes: [] }]
2024-07-03T03:51:25.485761856+00:00  DEBUG    ┝━ list_groups [ 1.24ms | 10.71% ] filters: Some(DisplayName("lldap_password_manager"))
2024-07-03T03:51:25.487684308+00:00  DEBUG    │  ┕━ 🐛 [debug]:  | return: [Group { id: GroupId(2), display_name: "lldap_password_manager", creation_date: 2024-07-03T03:20:33.304014234, uuid: Uuid("adc3b6a7-e4c6-3bfb-8dff-64bf958e8896"), users: [], attributes: [] }]
2024-07-03T03:51:25.487700624+00:00  DEBUG    ┝━ list_groups [ 1.08ms | 9.32% ] filters: Some(DisplayName("lldap_strict_readonly"))
2024-07-03T03:51:25.489520601+00:00  DEBUG    │  ┕━ 🐛 [debug]:  | return: [Group { id: GroupId(3), display_name: "lldap_strict_readonly", creation_date: 2024-07-03T03:20:33.313850150, uuid: Uuid("2b3bf3c6-739c-3890-97f2-f56b83e70b4e"), users: [UserId("ldaptruenas")], attributes: [] }]
2024-07-03T03:51:25.489582508+00:00  DEBUG    ┝━ list_users [ 1.31ms | 11.32% ] filters: Some(MemberOf("lldap_admin")) | _get_groups: false
2024-07-03T03:51:25.493420305+00:00  DEBUG    │  ┕━ 🐛 [debug]:  | return: [UserAndGroups { user: User { user_id: UserId("admin"), email: "email@example.com", display_name: Some("Administrator"), creation_date: 2024-07-03T03:20:33.324674107, uuid: Uuid("86a25c48-7b44-3c6b-81c6-576b8609251f"), attributes: [] }, groups: Some([GroupDetails { group_id: GroupId(1), display_name: "lldap_admin", creation_date: 2024-07-03T03:20:33.296500646, uuid: Uuid("78cf83a1-494e-3b47-8981-fa1dd61d7877"), attributes: [] }]) }]
2024-07-03T03:51:25.494243349+00:00  INFO     ┝━ i [info]: Starting the LDAP server on port 3890
2024-07-03T03:51:25.496422007+00:00  INFO     ┝━ i [info]: Starting the LDAPS server on port 6360
2024-07-03T03:51:25.498309594+00:00  DEBUG    ┝━ get_jwt_blacklist [ 409µs | 3.53% ]
2024-07-03T03:51:25.499070452+00:00  INFO     ┕━ i [info]: Starting the API/web server on port 17170
2024-07-03T03:51:25.499615381+00:00  INFO     i [info]: starting 1 workers
2024-07-03T03:51:25.499674028+00:00  INFO     i [info]: Actix runtime found; starting in Actix runtime
2024-07-03T03:51:25.502068365+00:00  INFO     i [info]: DB Cleanup Cron started
2024-07-03T03:51:30.033054559+00:00  DEBUG    🐛 [debug]: decided upon suite TLS13_AES_256_GCM_SHA384 | log.target: "rustls::server::hs" | log.module_path: "rustls::server::hs" | log.file: "/__w/lldap/lldap/${GITHUB_WORKSPACE}/.cargo/registry/src/index.crates.io-6f17d22bba15001f/rustls-0.20.8/src/server/hs.rs" | log.line: 382
2024-07-03T03:51:30.036691814+00:00  INFO     LDAP session [ 297µs | 98.58% / 100.00% ]
2024-07-03T03:51:30.036784462+00:00  INFO     ┕━ LDAP request [ 4.21µs | 1.42% ]
2024-07-03T03:51:30.037073634+00:00  ERROR    🚨 [error]: [LDAPS] Service Error: while handling incoming messages: while receiving LDAP op: unexpected end of file
```

Additional context
I'm using NGINX Proxy Manager to obtain the certificate to a shared letsencrypt volume. Both NPM and LLDAP are running in Portainer. Permissions should be good because they are both running as UID=1000 and GUID=1000.

kerem 2026-02-27 08:16:43 +03:00: closed this issue; added the bug label.

@nitnelave commented on GitHub (Jul 3, 2024):

Can you run `lldap checkhealth` (or healthcheck?) from inside the container?
That should tell you whether LDAPS is working. If it is, then maybe you have a reverse proxy in front of it that breaks the connection, or something like that.


@danthonywalker commented on GitHub (Jul 3, 2024):

I do have a reverse proxy, but it's only pointing to the web UI component. Just to make sure though, I'm hitting it with the IP of the host directly, but same result. As for the `checkhealth`, exec'ing into the container, when I run `lldap` I get `command not found`.


@danthonywalker commented on GitHub (Jul 3, 2024):

Nevermind, I figured it out. `./lldap healthcheck` gives the following:
![image](https://github.com/lldap/lldap/assets/6114565/eb0929a3-8c34-4741-bbfa-cbc68bee927e)
So LDAPS is working, but `ldapsearch` is not. I do not know why.


@danthonywalker commented on GitHub (Jul 3, 2024):

Running with the `-d1` option:

```
ldap_url_parse_ext(ldaps://IP)
ldap_create
ldap_url_parse_ext(ldaps://IP:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP IP:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying IP:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
```

So the cert is considered untrusted, despite it being the same cert being used in my reverse proxy that's trusted by my browser.


@nitnelave commented on GitHub (Jul 3, 2024):

The certificate is bound to a domain name. If you access LDAPS directly by ip, it's not going to trust it.

There's an option to ldapsearch to disable certificate checking if you want. Otherwise, you need to query it through the domain.


@danthonywalker commented on GitHub (Jul 4, 2024):

Ignoring the certificate isn't really an option since I plan on integrating LLDAP with TrueNAS to allow SMB shares. This only works over LDAPS from what I understand.
I have this command:
`ldapsearch -x -H ldaps://ldap.internal.example.com -D 'cn=admin,ou=people,DC=ldap,DC=internal,DC=example,DC=com' -w 'password' -b 'DC=ldap,DC=internal,DC=example,DC=com'`
Using `openssl x509 -noout -text -in fullchain.pem`, the certificate has a singular subject of `CN=ldap.internal.example.com`.
Domain, DN, and certificate subject all match... but still I get this error.


@danthonywalker commented on GitHub (Jul 4, 2024):

Okay, I figured it out. I needed to install `libldap-common`, which adds my computer's certificates as a part of `ldap.conf`. Thanks to https://serverfault.com/a/1149381 for steering me in this direction.

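A small triage helper for the failure mode this thread ends on (a client-side trust problem, not an LLDAP fault): it checks whether the `ldaps://` URI names the server by IP, which a domain-bound certificate cannot match as @nitnelave notes, and whether the client's `ldap.conf` carries a `TLS_CACERT`/`TLS_CACERTDIR` trust anchor, the gap that installing `libldap-common` closed. This is an added example written for this page, not code from lldap or OpenLDAP; the `diagnose` function, its result strings and the sample `ldap.conf` text are constructed here, while the directive names are OpenLDAP's own.

```python
"""Triage helper for the 'TLS: peer cert untrusted or revoked (0x42)' failure
in this thread. Added example (not lldap or OpenLDAP code); the ldap.conf
body below is constructed sample input, the directive names are OpenLDAP's."""
import ipaddress
from urllib.parse import urlsplit

# Directives libldap reads from ldap.conf / ~/.ldaprc to decide server trust.
TLS_DIRECTIVES = ("TLS_CACERT", "TLS_CACERTDIR", "TLS_REQCERT")

def parse_ldap_conf(text):
    """Return the TLS-related directives of an ldap.conf body as a dict.
    Lines are 'KEY value' split on whitespace; '#' starts a comment;
    directive names are case-insensitive."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        if key in TLS_DIRECTIVES:
            found[key] = parts[1].strip() if len(parts) > 1 else ""
    return found

def host_is_ip_literal(ldap_uri):
    """True when the URI names the server by IP rather than by the DNS name
    the certificate was issued for (the mismatch nitnelave points at)."""
    host = urlsplit(ldap_uri).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def diagnose(ldap_uri, ldap_conf_text):
    """Run the checks in the order the thread resolved them: hostname first,
    then whether verification is switched off, then whether any CA trust
    anchor is configured at all (the gap libldap-common's ldap.conf closed)."""
    conf = parse_ldap_conf(ldap_conf_text)
    if urlsplit(ldap_uri).scheme != "ldaps":
        return "not-ldaps"
    if host_is_ip_literal(ldap_uri):
        return "host-is-ip:use-certificate-dns-name"
    # OpenLDAP's default is 'demand'; 'never'/'allow' accept untrusted certs.
    if conf.get("TLS_REQCERT", "demand").lower() in ("never", "allow"):
        return "verification-disabled:unsafe"
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        return "no-ca-configured:set-TLS_CACERT-in-ldap.conf"
    return "trust-config-ok:check-chain-and-san"

# Constructed sample modelled on the Debian default ldap.conf, which points libldap at the system CA bundle.
SAMPLE_LDAP_CONF = """
# ldap.conf (constructed sample)
BASE    dc=ldap,dc=internal,dc=example,dc=com
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
"""
```

With an empty `ldap.conf` (the state before `libldap-common` was installed) `diagnose` reports the missing trust anchor; with the sample file and the DNS name from the thread it reports the trust configuration as sound, leaving only the chain and SAN to verify.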