Can't get LDAPS working

Hello again.
I’ve been trying to configure LDAPS for a few hours now, but I haven’t been able to do it yet.
I have also followed the following tutorial:
Passbolt Help | Configure LDAP plugin with SSL (ldaps)
Meanwhile, LDAP and LDAPS via TLS work, but only from the terminal of the Passbolt server; it cannot be configured via the admin GUI.

Passbolt Pro 3.5.0

root@passbolt:/etc/ssl/certs# ldapsearch -x -D "xxx" -W -H ldaps://xxx -b "xxx" -d 9
ldap_url_parse_ext(ldaps://xxx)
ldap_create
ldap_url_parse_ext(ldaps://xxx:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP xxx:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying xxx:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 94 bytes to sd 3
ldap_result ld 0x5607b6292160 msgid 1
wait4msg ld 0x5607b6292160 msgid 1 (infinite timeout)
wait4msg continue ld 0x5607b6292160 msgid 1 all 1
** ld 0x5607b6292160 Connections:
* host: dc-01.bergfreunde.local  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Fri Feb 18 12:05:32 2022


What is interesting: when I specify an obviously wrong address as the ldaps server, I get the following error message, and here in the path it only says “ldap://”, and yes, ldaps://(tls) is selected.

Log:

2022-02-18 07:20:31 Error: [Cake\Http\Exception\BadRequestException] The settings provided are incorrect. Failed to start TLS: Can't contact LDAP server in /usr/share/php/passbolt/plugins/Passbolt/DirectorySync/src/Controller/DirectoryS
Request URL: /directorysync/settings/test.json?api-version=v2
Referer URL: https://xxx/app/administration/users-directory
Client IP: xxxxx

Hi @avax :wave:

Are you using a self-signed certificate? If the answer is yes, you should have set its path in /etc/ldap/ldap.conf under TLS_CACERT, as explained in our documentation.

Can you check the rights and ownership of your certificate? It should be readable at least by “other”, not only by “owner” and “group”, and the command below should return at least 644:

stat -c %a /etc/ssl/certs/cert.pem
644

I noticed you are running the ldapsearch command as root, but this command should be evaluated as the web server user, aka www-data for Debian/Ubuntu and nginx for RHEL/CentOS Linux distros.

This web server user should have sufficient rights to read your certificate:

sudo su -s /bin/bash -c "cat /etc/ssl/certs/cert.pem" www-data
sudo su -s /bin/bash -c "ldapsearch -x -D 'xxx' -W -H ldaps://xxx -b 'xxx' -d 9" www-data

Let me know if it helps.

Best regards,
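A way to script the checks from the reply above (TLS_CACERT set in ldap.conf, certificate readable by "other", bind test run as the web server user), added here as an example and not code from the thread or from Passbolt. It assumes www-data as the web server user and uses BINDDN, HOST and BASE as placeholders:

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the LDAPS failure
# discussed above. Assumptions: the web server user is www-data, the client
# config is /etc/ldap/ldap.conf, and GNU stat is available.

# Print the path given by the last TLS_CACERT directive in an ldap.conf;
# fail if the directive is absent (comment lines never match).
tls_cacert_path() {
    awk '$1 == "TLS_CACERT" { path = $2 }
         END { if (path == "") exit 1; print path }' "$1"
}

# Succeed only if the "other" permission bits include read (e.g. 644, 444).
readable_by_others() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    other=${mode#"${mode%?}"}          # last octal digit = "other" bits
    case "$other" in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Combined check: directive present, file exists, and world-readable.
check_ldaps_cert() {
    conf="${1:-/etc/ldap/ldap.conf}"
    cert=$(tls_cacert_path "$conf") || { echo "TLS_CACERT not set in $conf"; return 1; }
    [ -e "$cert" ] || { echo "$cert does not exist"; return 1; }
    readable_by_others "$cert" || {
        echo "$cert has mode $(stat -c %a "$cert"); fix with: chmod 644 $cert"
        return 1
    }
    echo "ok: $cert is readable by others (mode $(stat -c %a "$cert"))"
}

# Run the bind test as the web server user, the way the PHP process would.
# Prompts for the bind password; BINDDN/HOST/BASE are placeholders.
ldapsearch_as_webuser() {
    webuser="${1:-www-data}"
    sudo su -s /bin/sh -c "ldapsearch -x -D 'BINDDN' -W -H ldaps://HOST -b 'BASE'" "$webuser"
}
```

Run `check_ldaps_cert` first and only then `ldapsearch_as_webuser`, so a permission problem is reported before the bind test is attempted.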

Hey there @_jc ,

Thanks for your reply. I followed the tutorial for the certificate again and then set the permissions you suspected, and now everything is working!
Thanks very much for the answer!

Best regards,

Hi @avax,

Thank you for the feedback. I’m glad to read you are now able to connect to your LDAP server with SSL.

This morning we updated the README file of our ldaps_cert_util repository to ensure users take care of certificate ownership and rights.

Best regards,

Hi @_jc,
Thanks for that; it will possibly eliminate some confusion in the future.
Can you tell me maybe where I can change the text of the invitation email?
We want to link a how-to article and in another thread I could only find out where I could do that with Docker.

Thanks in advance!

Edit: Found it, never mind.

/usr/share/php/passbolt/templates/email