Probably this issue is not directly connected to the container, but have to mention that running containter with default settings (no parameters) successfully exposes ports 389 and 636 and ldapsearch is executed correctly.
Using Apache Directory Studio to browse server correctly works over plain connection, but doing the same for ldaps:// issues an error:
The authentication failed Error while sending some message : the session has been closed
org.apache.directory.ldap.client.api.exception.InvalidConnectionException: Error while sending some message : the session has been closed
at org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:4279)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1389)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1292)
Certificate was added to trusted list during authentication phase.
Not a openLDAP issue, i am doing exactly that, TLS and SSL, working just fine. You rather have certificate issues, ApacheStudio is Java App .. own keystore, own cert store..
I will try to firgure it out. It is important for me because I am going to use openLDAP with JAVA application and if Apache Directory Studio is not able to connect than it is highly possible to have the same problem with application.
ADS asked for adding container auto-generated certificate to truststore when I make connection for the first time. I can also see it at local trustrore list. Connection test from ADS also works. Only authentication fails..
@vadimkim it can also be an issue on how you applied the certificates to openldap - e.g. java requires you to include the root certificate, e.g. like in zimbra, as e.g. web-servers do not allow that.
I cannot recall how openldap treats it, by the RFC would be chain without root, be sure to notice that and also be sure to include a chain cert if you need one.
I got a bit better picture after running wireshark and capturing connection flow
It seems OpenLDAP server require trusted client certificate, because logs were full with these messages:
TLS: can't accept: No certificate was found..
5aab94e9 conn=1014 fd=12 closed (TLS negotiation failure)
I have solved the problem by adding environment parameter --env LDAP_TLS_VERIFY_CLIENT=try to docker container that were mentioned also there: https://github.com/osixia/docker-openldap/issues/105
docker run -d --net=host --env LDAP_TLS_VERIFY_CLIENT=try osixia/openldap:1.2.0
Thank you @vadimkim !!! worked for me too!!!!
I was getting
ERR_04122_SSL_CONTEXT_INIT_FAILURE Failed to initialize the SSL context
adding --env LDAP_TLS_VERIFY_CLIENT=try fixed the issue
Most helpful comment
It seems OpenLDAP server require trusted client certificate, because logs were full with these messages:
TLS: can't accept: No certificate was found.. 5aab94e9 conn=1014 fd=12 closed (TLS negotiation failure)I have solved the problem by adding environment parameter --env LDAP_TLS_VERIFY_CLIENT=try to docker container that were mentioned also there: https://github.com/osixia/docker-openldap/issues/105
docker run -d --net=host --env LDAP_TLS_VERIFY_CLIENT=try osixia/openldap:1.2.0