jp-gouin/helm-openldap

PhpLdapAdmin : connect to openldap with LDAPS and custom certificates

Closed this issue · 2 comments

Hi,

I'm trying to set up PhpLdapAdmin to connect to the openldap server through its ldaps port. I use custom certificates on openldap (certificates signed by my CA). Since it seems PLA cannot be configured to use the ldaps port in values.yaml, I had to modify the following:
PhpLdapAdmin values.yaml:

---
env:
  PHPLDAPADMIN_HTTPS: "false"
  PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
  # Client-side TLS material; the osixia image looks these files up under
  # /container/service/ldap-client/assets/certs/ (populated by the init container below).
  PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: ca.crt
  PHPLDAPADMIN_LDAP_CLIENT_TLS_CRT_FILENAME: tls.crt
  PHPLDAPADMIN_LDAP_CLIENT_TLS_KEY_FILENAME: tls.key
  # TLS_REQCERT=never disables verification of the server certificate entirely, so the
  # ca.crt above is never actually checked; "demand" is the value that enforces the chain
  # once the CA is mounted.
  PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT: "never"
replicaCount: 1
image:
  repository: osixia/phpldapadmin
  tag: 0.9.0
  pullPolicy: IfNotPresent
  pullSecrets: []
initContainers:
  - name: copy-ro-certs
    image: busybox
    # The secret volume is read-only; copy its files into a writable emptyDir that the
    # PLA container mounts at the path the image expects.
    command: ['sh', '-c', 'cp /tmp-certs/* /container/service/ldap-client/assets/certs/;']
    volumeMounts:
      - name: ldap-certs
        mountPath: /tmp-certs
      - name: pla-certs
        mountPath: /container/service/ldap-client/assets/certs
volumeMounts:
  - mountPath: /container/service/ldap-client/assets/certs
    name: pla-certs
volumes:
  - name: ldap-certs
    secret:
      secretName: openldap-tls-secrets
  - name: pla-certs
    emptyDir: {}
service:
  type: ClusterIP
  port: 80
  annotations: {}
ingress:
  enabled: false
  annotations: {}
  path: /
  tls: []
readinessProbe:
  httpGet:
    path: /
    port: http
livenessProbe:
  httpGet:
    path: /
    port: http
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}

The idea here is to copy the CA certificate so that the ldaps certificate is trusted. openldap-tls-secrets is composed of ca.crt, tls.key and tls.crt.

configmap.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "phpldapadmin.fullname" . }}
  labels:
    app: {{ template "phpldapadmin.name" . }}
    chart: {{ template "phpldapadmin.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
data:
{{ toYaml .Values.env | indent 2 }}
  # 'tls': True maps to phpLDAPadmin's server 'tls' option, which is STARTTLS: a plaintext
  # LDAP connection followed by ldap_start_tls. Pointed at sslLdapPort it sends a cleartext
  # StartTLS ExtendedRequest to a listener that expects a TLS ClientHello, which is what
  # slapd reports as "wrong version number". Native LDAPS is selected through the host
  # instead ('ldaps://host:port' as the key, with 'tls': False).
  PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{ '{{ template "global.server" . }}'  : [{'server': [{'tls': True},{'port':{{ .Values.global.sslLdapPort }}}]},{'login': [{'bind_id': '{{ template "global.bindDN" . }}'  }]}]}]"

Here I changed the port to use sslLdapPort.
On PLA, when trying to connect with the admin user, I get:
[screenshot]

On the openldap pods, I get the error :

6697df2d.05320dbb 0x7fddc33326c0 conn=2167 fd=22 ACCEPT from IP=172.16.24.203:44910 (IP=0.0.0.0:1636)
6697df2d.05341d73 0x7fddc2b316c0 TLS: can't accept: error:0A00010B:SSL routines::wrong version number.
6697df2d.0535aec1 0x7fddc2b316c0 conn=2167 fd=22 closed (TLS negotiation failure)

The LDAPS port is working: I can ldapsearch locally from the pods as well as from outside the cluster using the openldap service (while trusting my custom certificates). It seems to me it is a trust issue. Am I missing something?
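Why slapd logs `wrong version number`, as an added example that is not part of this issue, of helm-openldap or of osixia/phpldapadmin: OpenSSL raises that error when the first bytes arriving on a TLS listener do not form a TLS record (content type 0x16, version byte 0x03). A STARTTLS client opens a plaintext LDAP connection and its first bytes on the wire are a BER SEQUENCE (0x30), so the listener on 1636 reads the length byte and the messageID tag as a bogus TLS version and aborts; no certificate is ever exchanged, which is why the trust setup is irrelevant to this particular error. In phpLDAPadmin the server option `tls` is exactly that STARTTLS behaviour (`ldap_start_tls` after `ldap_connect`), while LDAPS is selected by giving the host as an `ldaps://` URI. The script below builds the two client openings (constructed byte strings: a StartTLS ExtendedRequest, a simple bind with an assumed DN and password, and the header of a TLS ClientHello) and reports what a TLS listener would make of each; the BER helpers are minimal and only cover what these messages need.

```python
"""Tell a TLS ClientHello apart from a plaintext LDAP message by its first bytes.

Added example for the helm-openldap issue above; not code from that chart or from
osixia/phpldapadmin. All messages are constructed inline.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


# --- minimal BER helpers (enough for the LDAP messages used here) -------------------

def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    """Tag + length + value."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_read(buf: bytes, pos: int = 0):
    """Decode one TLV at pos, returning (tag, value, end_position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


# --- constructed client openings -----------------------------------------------------

def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + protocol_op)


def ldap_starttls_request(msg_id: int = 1) -> bytes:
    """ExtendedRequest [APPLICATION 23] { requestName [0] = StartTLS OID }.
    First thing a STARTTLS client sends, in the clear, on a fresh TCP connection."""
    return ldap_message(msg_id, ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID)))


def ldap_simple_bind_request(msg_id: int, dn: bytes, password: bytes) -> bytes:
    """BindRequest [APPLICATION 0] { version 3, name, authentication simple [0] }."""
    body = ber_tlv(0x02, b"\x03") + ber_tlv(0x04, dn) + ber_tlv(0x80, password)
    return ldap_message(msg_id, ber_tlv(0x60, body))


def tls_client_hello_prefix(record_version=(3, 3)) -> bytes:
    """Leading bytes of a TLS record carrying a ClientHello: content type 0x16 (handshake),
    record version 0x03xx, 2-byte length, handshake type 0x01. Hello body omitted (constructed)."""
    major, minor = record_version
    return bytes([0x16, major, minor, 0x01, 0x00, 0x01])


# --- diagnosis -------------------------------------------------------------------------

def ldap_op_name(msg: bytes) -> str:
    """Name the protocolOp of a plaintext LDAPMessage (only the ops relevant here)."""
    try:
        tag, body, _ = ber_read(msg)
        if tag != 0x30:
            return "not an LDAPMessage"
        _, _msg_id, pos = ber_read(body)          # skip messageID
        op_tag, op_val, _ = ber_read(body, pos)
        if op_tag == 0x60:
            return "BindRequest"
        if op_tag == 0x77:
            name_tag, name, _ = ber_read(op_val)
            return "ExtendedRequest(StartTLS)" if (name_tag == 0x80 and name == STARTTLS_OID) else "ExtendedRequest"
        return f"protocolOp tag 0x{op_tag:02x}"
    except IndexError:
        return "undecodable"


def classify_first_bytes(data: bytes) -> dict:
    """What a TLS listener sees in the first bytes of a connection.

    OpenSSL takes bytes 1-2 of the first record as the protocol version and rejects a major
    byte other than 0x03 with 'wrong version number'. A BER SEQUENCE (0x30) followed by its
    length and the messageID tag (0x02) is exactly such a non-0x03 pair.
    """
    if len(data) < 5:
        return {"kind": "unknown", "reason": "fewer than 5 bytes"}
    if data[0] == 0x16 and data[1] == 0x03:
        return {"kind": "tls", "record_version": (data[1], data[2])}
    if data[0] == 0x30:
        return {"kind": "ldap-plaintext", "op": ldap_op_name(data),
                "seen_as_tls_version": (data[1], data[2]), "openssl_error": "wrong version number"}
    return {"kind": "unknown", "first_bytes": data[:5].hex()}


if __name__ == "__main__":
    samples = {  # DN and password are assumed values for the example
        "LDAPS client (ClientHello)": tls_client_hello_prefix(),
        "STARTTLS client on the LDAPS port": ldap_starttls_request(),
        "plain bind on the LDAPS port": ldap_simple_bind_request(1, b"cn=admin,dc=example,dc=org", b"secret"),
    }
    for label, first in samples.items():
        print(f"{label:36} {first[:6].hex()}  -> {classify_first_bytes(first)}")
```

The StartTLS request begins `30 1d 02 ...`, so the listener sees "version" 0x1d02 and fails before any certificate is sent. From a shell the two modes can be told apart the same way: `openssl s_client -connect <host>:1636 -CAfile ca.crt` should complete a handshake on the LDAPS port, whereas `ldapsearch -ZZ -H ldap://<host>:<plain port>` is the STARTTLS path and belongs on the plaintext port.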

Looks like an SSL version mismatch.
This is currently not supported; I ran across issues regarding ldaps and PLA when I created the chart.
Feel free to investigate and propose a PR 🙂

OK, thank you!