Comments (4)
Since I managed to get bitnami/openldap
working and no response to this report, I'm going to stick with that for the time being: docker-mailserver/docker-mailserver#3494
I'll leave this issue open, as the bitnami/openldap
image doesn't need the ACL migration, so that might be an unintended bug on your end, or should document the difference a bit more clearly as to why it was adjusted?
Off-topic: I recently noticed while looking through LDAP issues that you've previously engaged with docker-mailserver
in the past, That was a nice surprise to recognize I had seen your name earlier when I landed here looking for an LDAP image replacement! 😁
from docker-openldap.
Resolved
I have identified a missing config was required for granting ACL to anonymous
bind for auth (references: slapd docs for olcAccess
, OpenLDAP docs access 8.2.2
+ 8.4
).
In the osixia/openldap
image, this was configured via .ldif
here (v1.1.6
), while the current master of that image adds one more ACL rule that is similar to this projects (bitspur/rock8s/docker-openldap
) image ACL (and the upstream bitnami image ACL)
This auth.ldif
should carry that over by appending this rule? I've mounted it into /migrations
. I'm not sure if the admin access is necessary, but could be templated as .tmpl
instead of hard-coding the LDAP_ROOT
.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword
by self write
by dn="cn=admin,dc=example,dc=test" write
by anonymous auth
by * none
NOTE: My user account .ldif
files also did not need the changetype: add
. I didn't create the original files or setup the original openldap docker image. Those now reside in /ldifs
.
--env LDAP_HASH_PASSWORD='NONE'
has no relevance to the userPassword
value (at least for the .ldif
account files I mount). The README description isn't quite clear to me where that applies. Perhaps it's the fallback if no scheme prefix exists in the stored value?
Verified
Verified with ldapwhoami
:
$ ldapwhoami -v -x -H ldap://ldap.example.test -D 'uid=john.doe,ou=people,dc=example,dc=test' -w secret
ldap_initialize( ldap://ldap.example.test:389/??base )
dn:uid=john.doe,ou=people,dc=example,dc=test
Result: Success (0)
# Relevant container log output:
64ddb03c conn=1007 fd=12 ACCEPT from IP=172.17.0.2:42292 (IP=0.0.0.0:389)
64ddb03c conn=1007 op=0 BIND dn="uid=john.doe,ou=people,dc=example,dc=test" method=128
64ddb03c conn=1007 op=0 BIND dn="uid=john.doe,ou=people,dc=example,dc=test" mech=SIMPLE ssf=0
64ddb03c conn=1007 op=0 RESULT tag=97 err=0 text=
64ddb03c conn=1007 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.3
64ddb03c conn=1007 op=1 WHOAMI
64ddb03c conn=1007 op=1 RESULT oid= err=0 text=
64ddb03c conn=1007 op=2 UNBIND
64ddb03c conn=1007 fd=12 closed
Verified with saslauthd setup described in previous comment:
$ testsaslauthd -u john.doe -p secret
0: OK "Success."
# Relevant container log output:
64ddb13a conn=1008 fd=12 ACCEPT from IP=172.17.0.2:41852 (IP=0.0.0.0:389)
64ddb13a conn=1008 op=0 BIND dn="cn=admin,dc=example,dc=test" method=128
64ddb13a conn=1008 op=0 BIND dn="cn=admin,dc=example,dc=test" mech=SIMPLE ssf=0
64ddb13a conn=1008 op=0 RESULT tag=97 err=0 text=
64ddb13a conn=1008 op=1 SRCH base="ou=people,dc=example,dc=test" scope=2 deref=0 filter="(&(uid=john.doe)(mailEnabled=TRUE))"
64ddb13a conn=1008 op=1 SRCH attr=dn
64ddb13a <= mdb_equality_candidates: (uid) not indexed
64ddb13a <= mdb_equality_candidates: (mailEnabled) not indexed
64ddb13a conn=1008 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
64ddb13a conn=1008 op=2 BIND anonymous mech=implicit ssf=0
64ddb13a conn=1008 op=2 BIND dn="uid=john.doe,ou=people,dc=example,dc=test" method=128
64ddb13a conn=1008 op=2 BIND dn="uid=john.doe,ou=people,dc=example,dc=test" mech=SIMPLE ssf=0
64ddb13a conn=1008 op=2 RESULT tag=97 err=0 text=
Here the testsaslauthd
command sends the credentials to the saslauthd
daemon, which connects to LDAP service with admin credentials (simple mechanism) and queries a user (dn
attribute) with the search base and filter from saslauthd.conf
settings. Afterwards it performs an anonymous bind (implicit mechanism?) presumably to retrieve the hashed userPassword
value (granted by anonymous auth
acl), performing auth for the actual user via bind dn (simple mechanism again, like ldapwhoami -x
) which is successful.
If the anonymous auth
acl is dropped, the ldapwhoami
/ ldapsearch
commands likewise fail with "Invalid credentials (49)". Despite the container logs not mentioning any anonymous bind (Bind DN logged with mech=SIMPLE
):
# Failure example when `anonymous auth` acl is not configured:
$ ldapwhoami -v -x -H ldap://ldap.example.test -D 'uid=john.doe,ou=people,dc=example,dc=test' -w secret
ldap_initialize( ldap://ldap.example.test:389/??base )
ldap_bind: Invalid credentials (49)
# Relevant container log output:
64ddb636 conn=1007 fd=12 ACCEPT from IP=172.17.0.2:59398 (IP=0.0.0.0:389)
64ddb636 conn=1007 op=0 BIND dn="uid=john.doe,ou=people,dc=example,dc=test" method=128
64ddb636 conn=1007 op=0 RESULT tag=97 err=49 text=
64ddb636 conn=1007 op=1 UNBIND
64ddb636 conn=1007 fd=12 closed
So the error message of "invalid credentials" was a bit misleading. It seems it was more of a problem retrieving userPassword
due to lack of permissions?
from docker-openldap.
@polarathene I actually made this image specifically for my use of docker-mailserver. I used to use osixia/docker-openldap as well.
I have a helm chart for this as well.
https://github.com/clayrisser/charts/tree/main/beta/openldap
from docker-openldap.
FWIW, the goal is to integrate with the seperate docker-mailserver
container using saslauthd
to connect to the OpenLDAP container in our tests. I believe once this auth issue is resolved within the docker-openldap
container it will work smoothly.
In the meantime, once the above ldapwhoami
/ ldapsearch
commands work, the same running container can install, configure and test saslauthd with the following:
apt-get update && apt-get install sasl2-bin libsasl2-modules libsasl2-modules-ldap nano
nano /etc/saslauthd.conf
saslauthd.conf
:
ldap_servers: ldap://ldap.example.test
ldap_auth_method: bind
ldap_bind_dn: cn=admin,dc=example,dc=test
ldap_bind_pw: adminpassword
ldap_search_base: ou=people,dc=example,dc=test
ldap_filter: (&(userid=%u)(mailEnabled=TRUE))
ldap_start_tls: no
ldap_tls_check_peer: no
ldap_referrals: yes
log_level: 10
# Run the saslauthd daemon with the config and LDAP plugin to auth against ldap:
saslauthd -d -a ldap -O /etc/saslauthd.conf
# In a separate terminal shell, verify everything is working:
testsaslauthd -u john.doe -p secret
from docker-openldap.
Related Issues (8)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from docker-openldap.