Connecting Docker container to corporate LDAP server through SSL
I need to connect a Docker container to a corporate LDAP server.
The container’s purpose is to authenticate users against the company’s LDAP server.
The container can query the server in “anonymous” mode flawlessly. The problem is when I try to authenticate. The server requires for the credentials to be transmitted confidentially. That is, through SSL/TLS.
What’s interesting is that, on my Ubuntu host machine, I am able to query the server and authenticate against it. So, this works on my host but not in the container:
ldapsearch -x -D "uid=<ACCOUNT>,ou=People,o=hp.com" -W -H ldaps://<LDAP DOMAIN> -b "o=hp.com" -s sub 'uid=*'
The containers can query the server anonymously (without SSL). So this works in the container:
ldapsearch -d8 -x -H ldaps://<LDAP DOMAIN> -b "o=hp.com" -s sub 'uid=*'
As does this:
curl "ldap://<LDAP DOMAIN>/o=hp.com?cn?sub?(sn=rosado)"
Now, I know for sure this is a problem with SSL because inside the container…
1) I am able to connect to the LDAP server anonymously (because anonymous users don’t need to communicate confidentially. Therefore, they don’t need SSL).
2) I get the following report when running ldapsearch in debug mode:
ldapsearch -x -D "uid=<ACCOUNT>,ou=People,o=hp.com" -W -H ldaps://<LDAP DOMAIN> -b "o=hp.com" -s sub 'uid=*'
TLS: can't connect: (unknown error code). ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Some of the things I’ve tried include:
-Mounting the certificate from my host to my container. Placing it in /usr/local/share/ca-certificates/ and doing
-Using the openssl client in the container to make sure the connection can be established
openssl s_client -connect <LDAP DOMAIN>:<PORT>. Here’s the output:
CONNECTED(00000003)
depth=1 O = hp.com, OU = IT Infrastructure, C = US, O = Hewlett-Packard Company, CN = <CORP INFO> Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
<CORP INFO>
---
Server certificate
-----BEGIN CERTIFICATE-----
<CORP INFO>
Start Time: 1426872988
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
One solution collected from the web for “Connecting Docker container to corporate LDAP server through SSL”:
SSL/TLS connections usually fail for two reasons: a protocol mismatch or a trust issue.
Protocol mismatch can be diagnosed using a network protocol analyzer such as Wireshark or by turning on debugging of the client (use the -d 65535 parameter to
Trust issues should also be visible in the debug output. But also check the TLS_CACERTDIR parameter that points to a file or directory with all the trusted CAs. Make sure that the ones in the Docker container are equivalent to the ones on the host machine.
While you’re at it, check that the OpenLDAP version and the underlying SSL/TLS implementation versions (OpenLDAP could be using NSS, GnuTLS or OpenSSL) are the same in the Docker container and on the host machine.
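Putting the trust-store check from the answer into a reproducible image, as an added example (not from the question or the answer): it installs the corporate CA into the container's bundle, points the OpenLDAP client at that bundle, and lists the two checks to run inside the container. The file name corp-root-ca.crt, the port 636 and the <LDAP DOMAIN>/<ACCOUNT> placeholders are assumptions.

```dockerfile
# Added example: a minimal Ubuntu image whose ldapsearch trusts the corporate CA.
# Placeholders: corp-root-ca.crt (the CA that terminated the openssl s_client
# chain with "verify error:num=19"), <LDAP DOMAIN>, <ACCOUNT>.
# Build with: docker build -t ldap-client .
FROM ubuntu:22.04

RUN apt-get update \
 && apt-get install -y --no-install-recommends ldap-utils ca-certificates openssl \
 && rm -rf /var/lib/apt/lists/*

# 1. Trust the corporate CA system-wide. The file must be PEM and end in .crt;
#    update-ca-certificates merges it into /etc/ssl/certs/ca-certificates.crt.
#    Mounting the file alone (as in the question) is not enough: the bundle is
#    only rebuilt when update-ca-certificates runs inside the container.
COPY corp-root-ca.crt /usr/local/share/ca-certificates/corp-root-ca.crt
RUN update-ca-certificates

# 2. Point the OpenLDAP client at that bundle. Ubuntu's stock libldap is built
#    against GnuTLS, which (per ldap.conf(5)) honours TLS_CACERT, a single
#    bundle file, but ignores TLS_CACERTDIR, so name the file, not the directory.
RUN printf '%s\n' \
      'BASE       o=hp.com' \
      'URI        ldaps://<LDAP DOMAIN>' \
      'TLS_CACERT /etc/ssl/certs/ca-certificates.crt' \
      'TLS_REQCERT demand' \
    >> /etc/ldap/ldap.conf

# 3. Checks to run inside the container (docker run -it ldap-client bash):
#    openssl s_client -connect <LDAP DOMAIN>:636 \
#        -CAfile /etc/ssl/certs/ca-certificates.crt </dev/null
#      -> expect "Verify return code: 0 (ok)" instead of 19; if it is still 19,
#         the copied CA is not the one that issued the server's chain.
#    ldapsearch -d 65535 -x -D "uid=<ACCOUNT>,ou=People,o=hp.com" -W \
#        -b "o=hp.com" -s sub 'uid=*'
#      -> the debug output names the CA bundle it loaded and the exact TLS
#         failure, which the bare "can't connect" message in the question hides.
```

Compare `openssl x509 -noout -fingerprint -sha256 -in corp-root-ca.crt` on the host and in the container to confirm both sides trust the same CA, as the answer recommends.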