
Starting container fails with ldap.initialize(f"{config['LDAP_URI']}") #9

Open
Clevero opened this issue Aug 17, 2020 · 8 comments

@Clevero

Clevero commented Aug 17, 2020

Hello :)

I'm currently trying to install your LDAP integration and followed the install instructions.

After starting the container, the log states that ldap.initialize(f"{config['LDAP_URI']}") is throwing an error:

Aug 17 14:00:49 localhost f12f15c8c8bd[563]: 17.08.20 12:00:49 Config file conf/dovecot/ldap/passdb.conf unchanged
Aug 17 14:00:49 localhost f12f15c8c8bd[563]: 17.08.20 12:00:49 Config file conf/dovecot/extra.conf unchanged
Aug 17 14:00:49 localhost f12f15c8c8bd[563]: 17.08.20 12:00:49 Config file conf/sogo/plist_ldap unchanged
Aug 17 14:00:49 localhost f12f15c8c8bd[563]: Traceback (most recent call last):
Aug 17 14:00:49 localhost f12f15c8c8bd[563]:   File "syncer.py", line 181, in <module>
Aug 17 14:00:49 localhost f12f15c8c8bd[563]:     main()
Aug 17 14:00:49 localhost f12f15c8c8bd[563]:   File "syncer.py", line 31, in main
Aug 17 14:00:49 localhost f12f15c8c8bd[563]:     sync()
Aug 17 14:00:49 localhost f12f15c8c8bd[563]:   File "syncer.py", line 37, in sync
Aug 17 14:00:49 localhost f12f15c8c8bd[563]:     ldap_connector = ldap.initialize(f"{config['LDAP_URI']}")
Aug 17 14:00:49 localhost f12f15c8c8bd[563]:   File "/usr/local/lib/python3.8/site-packages/ldap/functions.py", line 94, in initialize
Aug 17 14:00:49 localhost f12f15c8c8bd[563]:     return LDAPObject(
Aug 17 14:00:49 localhost f12f15c8c8bd[563]:   File "/usr/local/lib/python3.8/site-packages/ldap/ldapobject.py", line 115, in __init__
Aug 17 14:00:49 localhost f12f15c8c8bd[563]:     self._l = ldap.functions._ldap_function_call(ldap._ldap_module_lock,_ldap.initialize,uri)
Aug 17 14:00:49 localhost f12f15c8c8bd[563]:   File "/usr/local/lib/python3.8/site-packages/ldap/functions.py", line 55, in _ldap_function_call
Aug 17 14:00:49 localhost f12f15c8c8bd[563]:     result = func(*args,**kwargs)
Aug 17 14:00:49 localhost f12f15c8c8bd[563]: ldap.LDAPError: (0, 'Error')

My addition to docker-compose.override.yml:

  ldap-mailcow:
    image: programmierus/ldap-mailcow
    network_mode: host
    container_name: mailcowcustomized_ldap-mailcow
    depends_on:
        - nginx-mailcow
    volumes:
        - ./data/ldap:/db:rw
        - ./data/conf/dovecot:/conf/dovecot:rw
        - ./data/conf/sogo:/conf/sogo:rw
    environment:
        - LDAP-MAILCOW_LDAP_URI="ldaps://1.2.3.4"
        - LDAP-MAILCOW_LDAP_BASE_DN=OU=Firma,DC=OURCOMPANY,DC=LOCAL
        - LDAP-MAILCOW_LDAP_BIND_DN=CN=ldap,DC=OURCOMPANY,DC=LOCAL
        - LDAP-MAILCOW_LDAP_BIND_DN_PASSWORD=ChangeMe
        - LDAP-MAILCOW_API_HOST=https://5.6.7.8
        - LDAP-MAILCOW_API_KEY=My-Wonderful-API-Key-Hello
        - SYNC_INTERVAL=300

Steps I tried before opening the issue:

I checked the credentials and some other settings with ldapsearch and could successfully connect to the LDAP server:

root@mailcow-srv:/opt/mailcow-dockerized# ldapsearch -x -LLL -h 1.2.3.4 -D [email protected] -W -b OU=Firma,DC=OURCOMPANY,DC=LOCAL dn
Enter LDAP Password:
dn: OU=Firma,DC=OURCOMPANY,DC=local

dn: CN=............,OU=Firma,DC=OURCOMPANY,DC=local

dn: CN=............,OU=Firma,DC=OURCOMPANY,DC=local

dn: CN=............,OU=Firma,DC=OURCOMPANY,DC=local

etc.

I also checked the connectivity to the LDAP server inside a debian based test container with network=host:

root@mailcow-srv:/opt/mailcow-dockerized# docker run --network=host -it debian /bin/bash
root@mailcow-srv:/# apt update && apt install netcat
.....
root@mailcow-srv:/# nc -vz 1.2.3.4 636
dc1.OURCOMPANY..local [1.2.3.4] 636 (?) open
root@mailcow-srv:/# nc -vz 1.2.3.4 389
dc1.OURCOMPANY..local [1.2.3.4] 389 (?) open
root@mailcow-srv:/#

After that, I tried to reproduce this behaviour in an extra container with python3 and python-ldap installed. The error wasn't thrown.

root@ldaptest:~# cat test.py 
import sys, os, string, time, datetime
import ldap


ldap_connector = ldap.initialize(f"ldaps://1.2.3.4")
root@ldaptest:~# python3 test.py 
root@ldaptest:~#

I hope you have some spare time to look through my issue with setting up the integration but totally understand that your support is limited.

@Programmierus
Owner

Seems to be setup-specific for me.

Have you tried to disable SSL?

@Clevero
Author

Clevero commented Aug 17, 2020

Thank you for your response!

I set the URI to

- LDAP-MAILCOW_LDAP_URI="ldap://1.2.3.4"

But the error persists:

Aug 17 14:50:09 localhost f12f15c8c8bd[563]: 17.08.20 12:50:09 Config file conf/dovecot/ldap/passdb.conf unchanged
Aug 17 14:50:09 localhost f12f15c8c8bd[563]: 17.08.20 12:50:09 Config file conf/dovecot/extra.conf unchanged
Aug 17 14:50:09 localhost f12f15c8c8bd[563]: 17.08.20 12:50:09 Config file conf/sogo/plist_ldap unchanged
Aug 17 14:50:09 localhost f12f15c8c8bd[563]: Traceback (most recent call last):
Aug 17 14:50:09 localhost f12f15c8c8bd[563]:   File "syncer.py", line 181, in <module>
Aug 17 14:50:09 localhost f12f15c8c8bd[563]:     main()
Aug 17 14:50:09 localhost f12f15c8c8bd[563]:   File "syncer.py", line 31, in main
Aug 17 14:50:09 localhost f12f15c8c8bd[563]:     sync()
Aug 17 14:50:09 localhost f12f15c8c8bd[563]:   File "syncer.py", line 37, in sync
Aug 17 14:50:09 localhost f12f15c8c8bd[563]:     ldap_connector = ldap.initialize(f"{config['LDAP_URI']}")
Aug 17 14:50:09 localhost f12f15c8c8bd[563]:   File "/usr/local/lib/python3.8/site-packages/ldap/functions.py", line 94, in initialize
Aug 17 14:50:09 localhost f12f15c8c8bd[563]:     return LDAPObject(
Aug 17 14:50:09 localhost f12f15c8c8bd[563]:   File "/usr/local/lib/python3.8/site-packages/ldap/ldapobject.py", line 115, in __init__
Aug 17 14:50:09 localhost f12f15c8c8bd[563]:     self._l = ldap.functions._ldap_function_call(ldap._ldap_module_lock,_ldap.initialize,uri)
Aug 17 14:50:09 localhost f12f15c8c8bd[563]:   File "/usr/local/lib/python3.8/site-packages/ldap/functions.py", line 55, in _ldap_function_call
Aug 17 14:50:09 localhost f12f15c8c8bd[563]:     result = func(*args,**kwargs)
Aug 17 14:50:09 localhost f12f15c8c8bd[563]: ldap.LDAPError: (0, 'Error')

Also tried to remove the protocol entirely, but also the same error.

@Programmierus
Owner

Programmierus commented Aug 18, 2020

So well, as I mentioned before it seems for me to be indeed setup-specific.

What I can suggest is to try launching the container with an overridden entrypoint and then looking at whether you are able to use ldapsearch from inside. This assures you have the same network conditions.

Besides that I can hardly imagine I can investigate this without remote access.

Ah, one more thing I've forgotten... The problem might be also the Bind DN you use (i.e. the difference between CN=ldap,DC=OURCOMPANY,DC=LOCAL and [email protected]). Try to go a bit further with your test.py example, e.g.:

import sys, os, string, time, datetime
import ldap

ldap_connector = ldap.initialize(f"ldaps://1.2.3.4")
ldap_connector.set_option(ldap.OPT_REFERRALS, 0)
ldap_connector.simple_bind_s('CN=ldap,DC=OURCOMPANY,DC=LOCAL', 'ChangeMe')

@Clevero
Author

Clevero commented Aug 19, 2020

Thank you for your time and input.

Didn't think about changing the entrypoint and debugging in there. But that's a good idea.
Will report back!

@MrHappy

MrHappy commented Aug 24, 2020

Have you tried using the FQDN instead of the IP address? (I assume 1.2.3.4 is the IP address of the DC.)

@Clevero
Author

Clevero commented Aug 25, 2020

@MrHappy With @Programmierus's hint I could dig down a little bit further and saw that the connection was failing due to a self-signed cert. Currently I'm preparing a PR for config settings via the docker-compose environment variables.

The connection with the IP worked just fine after allowing self-signed certs.

@theoneandonly-vector

theoneandonly-vector commented Feb 11, 2021

@Clevero
Hey there,
how can I allow self-signed certs / trust a specific self-signed cert?

@gomiunik

gomiunik commented Aug 5, 2022

One thing you can try if you're using AD is to have the LDAP_URI start with capital letters:

LDAP-MAILCOW_LDAP_URI=LDAP://1.2.3.4
