I've followed this guide to set up an OpenLDAP server in a container. When I run the container with TLS/SSL set to false, as follows:
sudo docker run \
--name openldap-server \
--rm \
--publish 389:389 \
--hostname my.ldap.server.org \
--env LDAP_ORGANISATION="My LDAP organization" \
--env LDAP_DOMAIN="my.ldap.server.org" \
--env LDAP_BASE_DN="dc=my,dc=ldap,dc=server,dc=org" \
--env LDAP_ADMIN_PASSWORD="test" \
--volume /data/slapd/database:/var/lib/ldap \
--volume /data/slapd/config:/etc/ldap/slapd.d \
--env LDAP_TLS=false \
--detach osixia/openldap:latest
Then, in my C# 7.0 code, I'm able to connect just fine as my test user, as follows:
using System.DirectoryServices.Protocols;
using System.Net;

// Plain LDAP on 389: no TLS, so the simple bind sends the DN and password in clear text.
var ldapConnection = new LdapConnection(new LdapDirectoryIdentifier(serverIp, 389))
{
    AuthType = AuthType.Basic
};
ldapConnection.SessionOptions.ProtocolVersion = 3;
string username = "uid=test,ou=person,dc=my,dc=ldap,dc=server,dc=org", password = "test";
ldapConnection.Bind(new NetworkCredential(username, password));
But when I restart the OpenLDAP container with TLS/SSL enabled, as such:
sudo docker run \
--name openldap-server \
--rm \
--publish 636:636 \
--hostname my.ldap.server.org \
--env LDAP_ORGANISATION="My LDAP organization" \
--env LDAP_DOMAIN="my.ldap.server.org" \
--env LDAP_BASE_DN="dc=my,dc=ldap,dc=server,dc=org" \
--env LDAP_ADMIN_PASSWORD="test" \
--volume /data/slapd/database:/var/lib/ldap \
--volume /data/slapd/config:/etc/ldap/slapd.d \
--volume /data/certificates:/container/service/slapd/assets/certs \
--env LDAP_TLS_CRT_FILENAME=server.crt \
--env LDAP_TLS_KEY_FILENAME=server.key \
--env LDAP_TLS_CA_CRT_FILENAME=ca.crt \
--detach osixia/openldap:latest
Then I don't know how to add all the required certificates to the LdapConnection in the C# code. I've gotten this far:
using System.DirectoryServices.Protocols;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// LDAPS on 636: TLS is negotiated before the bind.
var ldapConnection = new LdapConnection(new LdapDirectoryIdentifier(serverIp, 636))
{
    AuthType = AuthType.Basic
    // AuthType = AuthType.Negotiate
};
ldapConnection.SessionOptions.SecureSocketLayer = true;
// Attempts at loading the certificates, none of which I know how to attach to the connection:
// var serverCrt = File.ReadAllText("<my certificate directory>/server.crt");
// var serverKey = File.ReadAllText("<my certificate directory>/server.key");
// var serverCertificate = X509Certificate2.CreateFromPem(serverCrt, serverKey);
// var serverCertificate = X509Certificate.CreateFromCertFile("<my certificate directory>/server.crt");
// var caCertificate = new X509Certificate("<my certificate directory>/ca.crt");
// ldapConnection.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback((connection, serverCertificate) => true);
// ldapConnection.SessionOptions.VerifyServerCertificate = delegate { return true; };
ldapConnection.SessionOptions.ProtocolVersion = 3;
ldapConnection.Bind(new NetworkCredential("uid=test,ou=person,dc=my,dc=ldap,dc=server,dc=org", "test"));
How do I configure the code to connect with TLS/SSL when the OpenLDAP server expects both a server & a CA certificate (I think)? I don't think the solution is to install the certificates on my host machine because the code will run in a container and the certificates will be mounted at runtime.
Perhaps I made a mistake while generating the certificates. The Common Name (CN) of the server certificate is my.ldap.server.org, and the CN of the CA is the username of the machine that hosts the OpenLDAP container (but the username within the container is different).
It turns out that I had to set an additional environment variable in the docker run command, namely --env LDAP_TLS_VERIFY_CLIENT=never
It then worked with this code:
using System.DirectoryServices.Protocols;
using System.Net;

var ldapConnection = new LdapConnection(new LdapDirectoryIdentifier(serverIp, 636))
{
    AuthType = AuthType.Basic
};
ldapConnection.SessionOptions.SecureSocketLayer = true;
// Accepts every server certificate without checking it.
ldapConnection.SessionOptions.VerifyServerCertificate = delegate { return true; };
ldapConnection.SessionOptions.ProtocolVersion = 3;
ldapConnection.Bind(new NetworkCredential("uid=test,ou=person,dc=my,dc=ldap,dc=server,dc=org", "test"));
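The `delegate { return true; }` callback in the answer makes the bind work, but it also accepts any certificate, so a host that intercepts port 636 can present its own certificate and receive the test user's password. The question already has everything needed to do better: the client has `ca.crt` mounted, and the server certificate's CN is the name the client should connect by. The following is an added example, not code from the question or the answer, showing a `VerifyServerCertificate` callback that checks the presented certificate's name against `my.ldap.server.org` and builds its chain against only the mounted CA. It assumes .NET 5 or later (needed for `X509ChainTrustMode.CustomRootTrust`, and already implied by the `X509Certificate2.CreateFromPem` call in the question), that `/data/certificates/ca.crt` is mounted into the client container as well, and that the client can resolve `my.ldap.server.org` to the OpenLDAP container (via DNS or a hosts entry); the class name `LdapsClient` and the bind DN are illustrative.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the question or answer). Assumes .NET 5+, ca.crt mounted at
// /data/certificates/ca.crt in the client container, and that my.ldap.server.org resolves
// to the OpenLDAP container from the client.
public static class LdapsClient
{
    // Returns a callback that accepts the server only if its certificate carries the
    // host name we connected to AND chains to the CA that signed server.crt.
    public static VerifyServerCertificateCallback PinnedCaVerifier(string caCertPath, string expectedHost)
    {
        var ca = new X509Certificate2(File.ReadAllBytes(caCertPath));

        return (LdapConnection connection, X509Certificate certificate) =>
        {
            var server = new X509Certificate2(certificate);

            // GetNameInfo(DnsName) returns the first SAN dNSName entry, falling back to the
            // subject CN, which is where the question's server certificate puts the host name.
            var presented = server.GetNameInfo(X509NameType.DnsName, false);
            if (!string.Equals(presented, expectedHost, StringComparison.OrdinalIgnoreCase))
            {
                Console.Error.WriteLine($"LDAPS: name mismatch, got '{presented}', wanted '{expectedHost}'");
                return false;
            }

            using (var chain = new X509Chain())
            {
                // Trust only our private CA; the machine's root store is not consulted, so nothing
                // needs to be installed on the host or in the client container's trust store.
                chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
                chain.ChainPolicy.CustomTrustStore.Add(ca);
                // A self-made CA usually publishes no CRL/OCSP endpoint; checking would fail offline.
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

                if (chain.Build(server))
                    return true;

                foreach (var status in chain.ChainStatus)
                    Console.Error.WriteLine($"LDAPS: chain error {status.Status}: {status.StatusInformation}");
                return false;
            }
        };
    }

    public static LdapConnection Connect(string host, string caCertPath, string bindDn, string password)
    {
        // Connect by host name rather than IP so the name check in the verifier can succeed.
        var connection = new LdapConnection(new LdapDirectoryIdentifier(host, 636))
        {
            AuthType = AuthType.Basic
        };
        connection.SessionOptions.SecureSocketLayer = true;
        connection.SessionOptions.ProtocolVersion = 3;
        connection.SessionOptions.VerifyServerCertificate = PinnedCaVerifier(caCertPath, host);

        // Simple bind: the DN and password travel only inside the verified TLS session.
        connection.Bind(new NetworkCredential(bindDn, password));
        return connection;
    }

    public static void Main()
    {
        try
        {
            using (var conn = Connect("my.ldap.server.org", "/data/certificates/ca.crt",
                                      "uid=test,ou=person,dc=my,dc=ldap,dc=server,dc=org", "test"))
            {
                Console.WriteLine("Bound over LDAPS with a verified server certificate.");
            }
        }
        catch (LdapException ex)
        {
            // A rejected certificate surfaces here as a bind/connection failure, not as a TLS-specific type.
            Console.Error.WriteLine($"LDAP error {ex.ErrorCode}: {ex.Message}");
        }
    }
}
```

Two points worth separating: `LDAP_TLS_VERIFY_CLIENT` controls whether slapd demands a certificate from the client (mutual TLS); setting it to `never` removes that requirement, but says nothing about whether the client verifies the server, which is what the callback above does. And the CA's CN being the host machine's username does not matter for validation: the name that has to match is the one in the server certificate (SAN or CN), and the CA only has to be the issuer that `ca.crt` describes. `GetNameInfo` returns a single name, so a server certificate with several SAN entries or a wildcard would need `X509Certificate2.MatchesHostname` (available from .NET 7) instead of the string comparison used here.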