ldap_start_tls Protocol error - additional info: unsupported extended operation

[Alevsk]

Hi, I'm running openldap like this

docker run --rm -p 389:389 -p 636:636 --name my-openldap-container -e LDAP_TLS=false --detach osixia/openldap:1.4.0

Then I exec into the container using docker exec -it my-openldap-container bash and when I'm trying to add a new user, im getting the following error:

ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -f new-user.ldif -H ldap://localhost -ZZ
ldap_start_tls: Protocol error (2)
        additional info: unsupported extended operation

This used to work in osixia/openldap:1.3.0, now im also still getting this error on that image too, doing search works fine:

ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.org
dn: dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Inc.
dc: example

# admin, example.org
dn: cn=admin,dc=example,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9a0FDbW5YSjlIUXc4bU1pU3dPRlNRcGQ1NVpoQUp1MEo=

My first guess is TLS was enabled in ldap however im using the LDAP_TLS=false and If I want to check whats the current ldap.conf configuration, it seems that the image has a broken symlink, could this be the issue?

root@832c064e3237:/etc/ldap# ls -la
total 40
drwxr-xr-x 1 openldap openldap 4096 Jan 30 00:15 .
drwxr-xr-x 1 root     root     4096 Jan 30 00:30 ..
lrwxrwxrwx 1 root     root       41 Jan 30 00:15 ldap.conf -> /container/service/slapd/assets/ldap.conf
drwxrwxr-x 1 openldap openldap 4096 Jun 15  2020 pqchecker
drwxr-xr-x 1 openldap openldap 4096 May  4  2020 sasl2
drwxr-xr-x 1 openldap openldap 4096 Jun 15  2020 schema
drwxr-xr-x 3 openldap openldap 4096 Jan 30 00:15 slapd.d
root@832c064e3237:/etc/ldap# cat ldap.conf
cat: ldap.conf: No such file or directory
root@832c064e3237:/etc/ldap# file ldap.conf
ldap.conf: broken symbolic link to /container/service/slapd/assets/ldap.conf

[Alevsk]

In case somebody have the same issue as me, to get ride of the tls error:

ldap_start_tls: Protocol error (2)
        additional info: unsupported extended operation

Just remove the -ZZ at the end of ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -f new-user.ldif -H ldap://localhost -ZZ command

[silencej]

-ZZ is to disable TLS check. A better solution is needed.

-ZZ is to disable TLS check. A better solution is needed.

I think you mean enable. -ZZ forces TLS. Which also means that you are indeed right. It's not an acceptable solution to just disable the security checks