[GH-ISSUE #1051] [Documentation] LDAPS config #375

Closed
opened 2026-02-27 08:16:56 +03:00 by kerem · 9 comments

Originally created by @MassiPi on GitHub (Nov 26, 2024).
Original GitHub issue: https://github.com/lldap/lldap/issues/1051

Hello,
I'm trying to use ldaps. The port to the docker image is open, the config file is updated, lldap seems happy

```
INFO check_ldaps [ 1.63ms | 100.00% ] port: 6360 2024-11-26T05:20:25.076476255+00:00 INFO
```

(sorry the config)

```
[ldaps_options]
## Whether to enable LDAPS.
enabled=true
## Port on which to listen.
port=6360
## Certificate file.
cert_file="/data/cert.pem"
## Certificate key file.
key_file="/data/key.pem"
```

but when I try to connect via ldapsearch I always get an error (plain ldap works with the very same command)

```
ldapsearch -x -b "dc=home,dc=..." -H ldaps://localhost:6360 -D "cn=lldap_read_user,ou=people,dc=home,dc=..." -W
Enter LDAP Password: 
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
```

I created my certs with the suggested command

```
openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 36500 -nodes -subj "/CN=home..." -addext "subjectAltName = DNS:lldap.lan"
```

but I'm not sure I'm using this correctly.
I named my base DN with a proper domain, which however does not resolve to the DNS name of the server answering requests. Is this causing the issue? How should I create it?

And obviously this also happens from remote machines (I'm trying to set up nslcd on a unix host and I can't connect).
Thanks

kerem closed this issue 2026-02-27 08:16:56 +03:00

@nitnelave commented on GitHub (Nov 26, 2024):

Hey,

Can you enable verbose mode (in the config) and post the logs of the connection attempt?
If you don't see any new logs when you run `ldapsearch`, it's because the query doesn't reach LLDAP (problem in the host name, docker config or port forwarding most likely)


@MassiPi commented on GitHub (Nov 26, 2024):

Sure I will, I thought about a possible network problem (since the error given seems clear), but docker says it's ok :) I'll be recreating the container, no problem..
(stupid question incoming) where is lldap logging?

(can you please help me understand the correct way to create and manage certificates? I create key and cert, then I need to put the cert also on clients accessing ldaps, right? Should I use the specific local DNS name of the lldap server?)


@nitnelave commented on GitHub (Nov 26, 2024):

LLDAP logs to the standard output. With docker, that's in `docker logs lldap`

For the certificate, it should be issued to the domain that you use to query the server, e.g. ldaps://my.domain.com:6360 should have a certificate for my.domain.com. I don't think the base DN matters.

With this (and assuming that the certificate is issued by a CA that the client recognizes, like letsencrypt) the client will automatically accept it.
If it's a self-signed certificate, you usually have to tell the client not to check the certificate. You may also have some cases where you explicitly give the client the public certificate to match, but that's rare.


@MassiPi commented on GitHub (Nov 26, 2024):

Seems something happens, but it breaks :)

```
Loading configuration from /data/lldap_config.toml
WARNING: A key_seed was given, we will ignore the key_file and generate one from the seed! Set key_file to an empty string in the config to silence this message.
WARNING: Unsecure default admin password is used.
2024-11-26T20:55:40.973392089+00:00  INFO     set_up_server [ 5.15ms | 100.00% ]
2024-11-26T20:55:40.973410304+00:00  INFO     ┝━ i [info]: Starting LLDAP version 0.6.2-alpha
2024-11-26T20:55:40.979980240+00:00  INFO     ┝━ i [info]: Starting the LDAP server on port 3890
2024-11-26T20:55:40.980372204+00:00  INFO     ┝━ i [info]: Starting the LDAPS server on port 6360
2024-11-26T20:55:40.980557+00:00     INFO     ┕━ i [info]: Starting the API/web server on port 17170
2024-11-26T20:55:40.980637107+00:00  INFO     i [info]: starting 1 workers
2024-11-26T20:55:40.980642235+00:00  INFO     i [info]: Actix runtime found; starting in Actix runtime
2024-11-26T20:55:40.980652252+00:00  INFO     i [info]: starting service: "ldap", workers: 1, listening on: 0.0.0.0:3890
2024-11-26T20:55:40.980656535+00:00  INFO     i [info]: starting service: "ldaps", workers: 1, listening on: 0.0.0.0:6360
2024-11-26T20:55:40.980659778+00:00  INFO     i [info]: starting service: "http", workers: 1, listening on: 0.0.0.0:17170
2024-11-26T20:55:40.981594855+00:00  INFO     i [info]: DB Cleanup Cron started
2024-11-26T20:56:11.000137208+00:00  INFO     i [info]: LDAP session start: c9343a73-dfb5-46e8-9cf0-6f7edac36e03
2024-11-26T20:56:11.000222264+00:00  INFO     LDAP request [ 89.6µs | 100.00% ] session_id: c9343a73-dfb5-46e8-9cf0-6f7edac36e03
2024-11-26T20:56:11.012044005+00:00  INFO     i [info]: LDAP session end: c9343a73-dfb5-46e8-9cf0-6f7edac36e03
2024-11-26T20:56:11.012875676+00:00  INFO     i [info]: LDAP session start: f7ebb573-1a1c-497e-85cc-6e495ceea2c8
2024-11-26T20:56:11.012919444+00:00  INFO     LDAP request [ 62.4µs | 100.00% ] session_id: f7ebb573-1a1c-497e-85cc-6e495ceea2c8
2024-11-26T20:56:11.053570258+00:00  INFO     i [info]: LDAP session end: f7ebb573-1a1c-497e-85cc-6e495ceea2c8
2024-11-26T20:56:27.032105034+00:00  INFO     i [info]: LDAP session start: 2d8b3ad1-9790-460f-bf5f-93c231540614
2024-11-26T20:56:27.032154723+00:00  INFO     LDAP request [ 3.93µs | 100.00% ] session_id: 2d8b3ad1-9790-460f-bf5f-93c231540614
2024-11-26T20:56:27.032298054+00:00  ERROR    🚨 [error]: [LDAPS] Service Error: while handling incoming messages: while receiving LDAP op: unexpected end of file
2024-11-26T20:56:41.097933994+00:00  INFO     i [info]: LDAP session start: 6f843c2e-5d9d-40aa-a4c5-29fb2cce3cc6
2024-11-26T20:56:41.097994015+00:00  INFO     LDAP request [ 72.0µs | 100.00% ] session_id: 6f843c2e-5d9d-40aa-a4c5-29fb2cce3cc6
2024-11-26T20:56:41.109852766+00:00  INFO     i [info]: LDAP session end: 6f843c2e-5d9d-40aa-a4c5-29fb2cce3cc6
2024-11-26T20:56:41.110678230+00:00  INFO     i [info]: LDAP session start: 333d32f0-219c-4de8-a417-b1d6adaa1ef4
2024-11-26T20:56:41.110718632+00:00  INFO     LDAP request [ 61.3µs | 100.00% ] session_id: 333d32f0-219c-4de8-a417-b1d6adaa1ef4
2024-11-26T20:56:41.151602722+00:00  INFO     i [info]: LDAP session end: 333d32f0-219c-4de8-a417-b1d6adaa1ef4
```

Any hint? (is it correct it opens and closes so many sessions? I just tried a cli ldapsearch..)


@nitnelave commented on GitHub (Nov 26, 2024):

I'm pretty sure this is a case of an LDAP message sent to the LDAPS port. I'm not sure how/why, but try looking in this direction. Maybe you're missing a flag in ldapsearch?


@MassiPi commented on GitHub (Nov 26, 2024):

Oh god, this is a random find in the web

> Wanted to say thanks. Also wanted to point out another situation where ldapsearch will return the generic “Can’t contact LDAP server (-1)” error: if the certificate of your LDAP/AD server isn’t trusted. You can test this with:
>
> `openssl s_client -connect :636`
>
> Near the bottom you should see:
>
> `Verify return code: 0 (ok)`
>
> If not then, even assuming you’ve done everything else right above, you will still get the -1 error. Thought I would add this in case it helps others.

I really lost a lot of time lol
So now I need to understand why I can't get nslcd to work (not even logged in lldap so I assume I'm making something very wrong on client side)


@stephrobert commented on GitHub (Jan 27, 2025):

I have the same error. I generated the certificate with mkcert.

```
ldapsearch -H ldaps://master2:6360 -D "uid=admin,ou=people,dc=robert,dc=local" -w "changeme" -b "dc=robert,dc=local" "(objectClass=*)" -x

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
```

In the log

```
2025-01-27T14:32:30.653866+00:00 master2 lldap[999789]: 2025-01-27T14:32:30.653717783+00:00 ERROR 🚨 [error]: [LDAPS] Service Error: while handling incoming messages: while receiving LDAP op: unexpected end of file
```

The command `openssl s_client -connect :6360`

```
subject=O = mkcert development certificate, OU = bob@master2
issuer=O = mkcert development CA, OU = bob@master2, CN = mkcert bob@master2
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1627 bytes and written 391 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```


@kapsh commented on GitHub (Jan 28, 2025):

Solution:
`LDAPTLS_REQCERT=allow ldapsearch ...` will ignore self-signed or incorrect certificates and `LDAPTLS_REQCERT=never` will not even look at them.

Errors are misleading in this case. LLDAP logs "unexpected end of file" because ldapsearch breaks connection after handshake, and latter needs at least `-d1` arg to show real reason. Example output with debug:

```
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:0A000086:SSL routines::certificate verify failed (unable to get local issuer certificate).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)  # only this line on default log level
```
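The mechanism described in this thread (client rejects the server certificate, closes the connection after the handshake, the server logs "unexpected end of file", and ldapsearch reports only the generic -1 error) can be checked from the client side without `-d1`. The following is an added diagnostic, not part of the thread and not LLDAP's or OpenLDAP's code: it performs the same chain and hostname verification libldap does and maps the failure to its real cause, favouring trusting the CA via `LDAPTLS_CACERT` over switching verification off with `LDAPTLS_REQCERT=never`. The function names `classify`/`diagnose`, the verdict wording and the default port taken from the config above are my own.

```python
import socket
import ssl
from typing import Optional, Tuple

# Constructed default: the LDAPS port from the [ldaps_options] config in this thread.
DEFAULT_PORT = 6360


def classify(exc: BaseException) -> str:
    """Map a connect/handshake exception to the cause ldapsearch hides behind
    "Can't contact LDAP server (-1)". Verdict wording is hypothetical (mine)."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        msg = str(exc).lower().replace("-", " ")
        if "hostname mismatch" in msg:
            return ("hostname mismatch: the subjectAltName does not cover the host "
                    "used in the ldaps:// URL (the base DN plays no role here)")
        if "self signed" in msg or "local issuer" in msg:
            return ("untrusted certificate: no chain to a trusted CA; hand the CA "
                    "(or the self-signed cert.pem itself) to the client via "
                    "LDAPTLS_CACERT instead of disabling checks with LDAPTLS_REQCERT=never")
        return f"certificate rejected: {exc}"
    if isinstance(exc, ssl.SSLError):
        return "TLS handshake failed: the port answered, but not with the expected TLS"
    if isinstance(exc, ConnectionRefusedError):
        return "port unreachable: nothing listens there (check the docker port mapping)"
    if isinstance(exc, socket.gaierror):
        return "DNS failure: the host in the ldaps:// URL does not resolve"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "connection timed out: wrong host or a firewall in between"
    return f"unexpected error: {exc!r}"


def diagnose(host: str, port: int = DEFAULT_PORT, cafile: Optional[str] = None,
             timeout: float = 5.0) -> Tuple[bool, str]:
    """Open a TLS connection with full chain and hostname verification (libldap's
    default) and return (ok, verdict). `cafile` is the bundle you would also give
    ldapsearch through LDAPTLS_CACERT; None means the system store, i.e. what
    `openssl s_client` without -CAfile checks against."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return True, (f"ok: {tls.version()} {tls.cipher()[0]}, SANs={sans}; "
                              f"run ldapsearch with LDAPTLS_CACERT={cafile or '<system store>'}")
    except OSError as exc:  # ssl.SSLError and its subclasses are OSErrors too
        return False, classify(exc)


if __name__ == "__main__":
    import sys
    argv = sys.argv[1:]  # usage: host [port] [cafile]
    ok, verdict = diagnose(argv[0], int(argv[1]) if len(argv) > 1 else DEFAULT_PORT,
                           argv[2] if len(argv) > 2 else None)
    print(verdict)
    sys.exit(0 if ok else 1)
```

Run it with the same CA file you intend to give ldapsearch; a "hostname mismatch" verdict means the certificate was created for a name other than the one in the `ldaps://` URL, which is the question raised at the top of this thread.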

@nitnelave commented on GitHub (Jan 28, 2025):

It's a bit hard to improve the error message in this case, "unexpected end of file" is all I get from the underlying library.

I can test if the error is this, and add some tentative solutions, but in this case it's the client (ldapsearch) breaking the connection. I don't think there's anything that we should change on the LLDAP side. If anything, that should be a bug report to ldapsearch to improve their error messages.
