In my home lab I am testing Virtualmin with LDAP. I have separate LXC servers for LDAP and Virtualmin, with full IPv6 connectivity and a Let's Encrypt certificate configured for my LDAP server.
I am setting up virtualmin and ldap server with the guide found here.
Everything works when I use the standard port without TLS. As soon as I enable TLS and try to validate the config on the Virtualmin client, I get:
Finding LDAP base for users ..
.. found base dc=Users,dc=example,dc=com.
Checking Unix users service ..
.. service is setup to query LDAP.
Looking for Unix user example ..
.. user does not exist.
In the Virtualmin system log, this error comes up:
Dec 15 03:35:37 id[14798]: nss_ldap: could not search LDAP server - Server is unavailable
Dec 15 03:35:37 id[14798]: nss_ldap: failed to bind to LDAP server ldaps://ldap.example.com/: Can’t contact LDAP server
Dec 15 03:35:37 id[14798]: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=com - Can’t contact LDAP server
Dec 15 03:35:36 id[14798]: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)…
Dec 15 03:35:36 id[14798]: nss_ldap: failed to bind to LDAP server ldaps://ldap.example.com/: Can’t contact LDAP server
Dec 15 03:35:36 id[14798]: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=com - Can’t contact LDAP server
Dec 15 03:35:35 id[14798]: nss_ldap: reconnecting to LDAP server…
Dec 15 03:35:35 id[14798]: nss_ldap: failed to bind to LDAP server ldaps://ldap.example.com/: Can’t contact LDAP server
Dec 15 03:35:35 id[14798]: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=com - Can’t contact LDAP server
You might try connecting with openssl s_client to see if you get a valid TLS connection or if there’s some error you can work with.
openssl s_client -connect you.ldap.server:636
Obviously use your LDAP server address and port.
Sometimes services and clients that are just wrapped in TLS don’t give great errors and it just looks like a connection failure when maybe it’s actually a TLS cert validation problem or something.
There you go. You either need to add the public cert for the CA that signed that cert to the client system’s CA bundle, or you need to configure your client to ignore TLS validation errors (but then why bother with TLS?).
How you do that (adding the CA to your certificate bundle on your client machine) is outside my area of expertise. I have to google it every time I need to do it.
Or, the other option is to not use a self-signed certificate. You can use a Let’s Encrypt cert for pretty much any service, though you’ll need to update the cert on the server every time it renews.
I did generate a valid Let's Encrypt certificate using Webmin and copied all three files to /etc/ldap/slapd.d/, then changed ownership to match the self-signed cert of LDAP. I will double check what I did.