LDAP connection fails with StartTLS #3599
Replies: 2 comments
-
I get the same error while trying to connect to LDAP server that only accepts TLS connections. I think the issue is that the
-
Well yeah, the flag is not passed to passport-ldapauth.
-
Describe the bug
When attempting to connect to an LDAP that enforces StartTLS, the connection simply fails with "confidentiality required".
It seems turning on TLS on the admin options only tries to make the client use a certificate, which should be completely unnecessary (and will cause an error only in the logs if you leave the certificate path empty), but it does not attempt to use StartTLS when connecting to the server. Even so, giving the client a certificate and enabling TLS will still fail with the same error.
In fact, I suggest the options are expanded: one should be able to select whether to use the older LDAPS or the newer StartTLS, with a secondary option for client certificates, which in many cases are unnecessary. My LDAP server has them set to "allow"; other applications can successfully connect without a problem.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The LDAP user successfully logs in
Screenshots
The LDAP configuration, note that the client cert is snake-oil, but this should not matter.
The error in question:
Host Info (please complete the following information):
Additional context
A snippet of my docker-compose file, for reference:
The LDAP logs show the failed connection:
The WikiJS logs show nothing special aside from the failed connection, even with the LDAP debug flag on.
They do show the "failed to open" error when not providing any client certificate.
--
Addendum:
Disabling "use TLS" and pointing the server to
ldaps://ldap.mydomain.com:636
works fully.
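An added example (not Wiki.js or passport-ldapauth code) of how the option split described in this report could be mapped onto the option object that passport-ldapauth hands to ldapauth-fork: LDAPS and StartTLS as distinct modes, and the client certificate optional. It assumes a hypothetical admin form with `url`, `tlsMode` and PEM text fields, and that ldapauth-fork accepts the `starttls` and `tlsOptions` option names.

```javascript
'use strict';

// Hypothetical admin form -> ldapauth-fork options (added example, not project code).
// tlsMode: 'none' (plain ldap:// or an ldaps:// URL) or 'starttls' (upgrade ldap://).
function buildLdapAuthOptions(admin) {
  const url = new URL(admin.url);
  const isLdaps = url.protocol === 'ldaps:';
  const useStartTls = admin.tlsMode === 'starttls';

  // StartTLS only makes sense on a plaintext ldap:// connection; ldaps:// is already TLS.
  if (useStartTls && !(url.protocol === 'ldap:')) {
    throw new Error('StartTLS requires an ldap:// URL; use tlsMode "none" with ldaps://');
  }

  const opts = {
    url: admin.url,
    bindDN: admin.bindDn,
    bindCredentials: admin.bindPassword,
    searchBase: admin.searchBase,
    searchFilter: admin.searchFilter,
    starttls: useStartTls, // assumed ldapauth-fork option name
  };

  if (isLdaps || useStartTls) {
    // Always verify the server; a CA bundle is optional, a client cert is optional too.
    const tls = { rejectUnauthorized: true };
    if (admin.caCertPem) tls.ca = [admin.caCertPem];
    // Only send a client certificate when one is configured (server side "demand");
    // with the server at "allow" this block is simply skipped.
    if (admin.clientCertPem && admin.clientKeyPem) {
      tls.cert = admin.clientCertPem;
      tls.key = admin.clientKeyPem;
    }
    opts.tlsOptions = tls;
  }
  return opts;
}

// LDAP result code 13 is confidentialityRequired: the server refused a plaintext bind.
// Useful for turning the bare error from this report into an actionable log message.
function isConfidentialityRequired(err) {
  return err != null &&
    (err.code === 13 || /confidentiality required/i.test(String(err.message || '')));
}
```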