StartTLS: open /data/tls/ldap/ca.pem: no such file or directory #6271

Closed
D0wn3r opened this issue Dec 13, 2021 · 13 comments


D0wn3r commented Dec 13, 2021

Bug description
I'm trying to connect my Portainer to my LDAP server with StartTLS, but when I put in the file and check the connection I get this error:

portainer_1  | level=info msg="2021/12/13 16:48:11 http error: Unable to connect to LDAP server (err=failed creating LDAP connection: open /data/tls/ldap/ca.pem: no such file or directory) (code=500)"

As if it doesn't upload my cert.pem file.

Expected behavior
StartTLS with the certificate works.

Portainer Logs

portainer_1  | level=info msg="2021/12/13 16:48:11 http error: Unable to connect to LDAP server (err=failed creating LDAP connection: open /data/tls/ldap/ca.pem: no such file or directory) (code=500)"

Steps to reproduce the issue:

  1. Go to 'Settings' -> 'Authentication'
  2. LDAP
  3. Configure LDAP credentials and all configs
  4. Check 'StartTLS'
  5. Upload certificate
  6. Press 'Test connectivity'

Technical details:

  • Portainer version: 2.11.0
  • Docker version (managed by Portainer): 20.10.8
  • Platform (windows/linux): linux
  • Browser: Firefox
Author

D0wn3r commented Dec 13, 2021

If I do a volume between /data/tls/ldap/ca.pem and my certificate on my host, the connectivity check works fine, but I can't press "Save settings".

@samdulam
Collaborator

@D0wn3r
Thanks for raising this. I'll look into this and will come back to you soon. Which external directory source are you using? And can you share a screenshot? Is the Save option greyed out for you?

@samdulam samdulam self-assigned this Dec 20, 2021
Author

D0wn3r commented Dec 21, 2021

Hello,
Thank you for taking the time to look at this.

> Which external directory source are you using?

If you're talking about the mount I did to try to "fix" that, it's just a mount between my cert on the host and /data/tls/ldap/ca.pem in the Portainer container.

> Is the Save option greyed out for you?

The button stays greyed out, that's why I can't save.

I put in the information and upload my cert:
[screenshot]
But when I test connectivity, an error appears:
[screenshot]


MaleNurse commented Feb 3, 2022

Experiencing the same issue, so I copied my cert into the location that Portainer is looking for. I still need to select a local certificate in that dialog to do so, but the connection tests OK. Despite all this, though, the save button is still greyed out.

I am not sure if this is related or not (let me know and I'll open a separate issue), but upon refresh the server address info is missing from the LDAP settings screen even though authentication still functions as intended.
[screenshot]

@Floppsi1

Hello @samdulam, any progress with that topic?
It would be really important to be able to set up secure LDAP connections for new Portainer setups.
Just following the normal menu, "/data/tls/ldap/ca.pem: no such file or directory" is always displayed.
It seems the upload of the TLS CA certificate is not working correctly.

Thanks a lot.

@sebbm

sebbm commented Apr 29, 2022

Are there any news on that? I have the same issue at the moment, and it seems as if the certificate upload doesn't work.

Author

D0wn3r commented Apr 29, 2022

No :/

@Floppsi1

Bug still present with the latest version, 2.13.1.
No secure connection to the LDAP server is possible anymore!
I don't understand that no one cares about that.
@samdulam could you please have a look at that problem. Thanks.


Oneel77 commented Jun 16, 2022

Hello,
Same issue, the save button is greyed out!
Thanks

Collaborator

samdulam commented Jul 5, 2022

Bug confirmed: it is failing to upload the pem file to the desired location.
As a workaround, you can place the file (e.g. ca.pem) in the /data/tls/ldap location inside the Portainer container's volume.


kevdogg commented Jul 22, 2022

@samdulam
I'm not sure that's a workaround, to be honest -- I mounted /data/tls/ldap/ca.pem as a bind volume and I can pass the connectivity check; however, as the other users who replied above stated, there is no way to save the configuration since the "Save settings" button is always greyed out. Not really a workaround.


MVJosh commented Jul 25, 2022

The bug appears to be with the UI, rather than Portainer's backend. I've been working around this by configuring Portainer via its API.

The LDAP part of the configuration can be done via PUT /settings.
From my experience, I've found Portainer doesn't respect any TLSCACert value I set via the API, so I'm still left with placing the CA file in the default location (/data/tls/ldap/ca.pem), and using the API to configure the rest of the LDAP settings (note, you'll have to authenticate via the API first to get a token for the settings request).

As a hint, the body of my PUT /settings request looks roughly like:

```json
{
  "AuthenticationMethod": 2,
  "LDAPSettings": {
    "AnonymousMode": true,
    "ReaderDN": "",
    "URL": "<LDAPS host:port here>",
    "TLSConfig": {
      "TLS": true,
      "TLSSkipVerify": false
    },
    "StartTLS": false,
    "SearchSettings": [
      {
        "BaseDN": "<base DN here>",
        "Filter": "(objectclass=posixAccount)",
        "UserNameAttribute": "uid"
      }
    ],
    "GroupSearchSettings": [
      {
        "GroupBaseDN": "<group base DN here>",
        "GroupFilter": "(objectclass=posixGroup)",
        "GroupAttribute": "memberUid"
      }
    ],
    "AutoCreateUsers": true
  }
}
```

Note that "AuthenticationMethod": 2 corresponds to LDAP. This doesn't appear to be documented (if it is, it's not easy to find) - I reverse engineered it from inspecting API requests sent by the UI.
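A scripted version of the API workaround described above, as an added example that is neither MVJosh's nor Portainer's own code: it builds the PUT /settings body with certificate verification left on (TLSSkipVerify stays false, so the CA at /data/tls/ldap/ca.pem is actually used), obtains a JWT, and pushes the settings. Assumptions not taken from the thread: the API paths /api/auth and /api/settings with a Bearer token, the PORTAINER_URL / PORTAINER_ADMIN_USER / PORTAINER_ADMIN_PASSWORD environment variables, the example hostnames and DNs, and the mapping of the start_tls flag onto the TLS/StartTLS fields.

```python
import json
import os
import urllib.request

# Constructed value (assumption): override with the real Portainer URL.
PORTAINER_URL = os.environ.get("PORTAINER_URL", "https://portainer.example.internal:9443")

def build_ldap_settings(ldap_url, base_dn, group_base_dn, start_tls=False):
    """Build the PUT /api/settings body shown in the comment above, parameterised.

    TLSSkipVerify stays False so the directory's certificate is checked against the
    CA placed at /data/tls/ldap/ca.pem (the only placement that works per the thread).
    Assumption: LDAPS means TLS on / StartTLS off; StartTLS means the reverse.
    """
    if "://" in ldap_url:  # Portainer expects host:port, not a URL with a scheme
        raise ValueError("URL must be host:port, no scheme: %r" % ldap_url)
    return {
        "AuthenticationMethod": 2,  # 2 == LDAP, as reverse-engineered in the thread
        "LDAPSettings": {
            "AnonymousMode": True,
            "ReaderDN": "",
            "URL": ldap_url,
            "TLSConfig": {"TLS": not start_tls, "TLSSkipVerify": False},
            "StartTLS": start_tls,
            "SearchSettings": [{"BaseDN": base_dn,
                                "Filter": "(objectclass=posixAccount)",
                                "UserNameAttribute": "uid"}],
            "GroupSearchSettings": [{"GroupBaseDN": group_base_dn,
                                     "GroupFilter": "(objectclass=posixGroup)",
                                     "GroupAttribute": "memberUid"}],
            "AutoCreateUsers": True,
        },
    }

def _call(method, path, body, token=None):
    """Send one JSON request to the Portainer API and decode the JSON reply."""
    req = urllib.request.Request(PORTAINER_URL + path, method=method,
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read() or b"{}")

def apply_ldap_settings(settings, username, password):
    """Get a JWT from POST /api/auth, then push the settings with PUT /api/settings."""
    token = _call("POST", "/api/auth", {"Username": username, "Password": password})["jwt"]
    return _call("PUT", "/api/settings", settings, token)
```

Run it as `apply_ldap_settings(build_ldap_settings("ldap.example.internal:636", "ou=people,dc=example,dc=internal", "ou=groups,dc=example,dc=internal"), os.environ["PORTAINER_ADMIN_USER"], os.environ["PORTAINER_ADMIN_PASSWORD"])` so the admin credentials never live in the script.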

@WaysonWei WaysonWei added this to the CE-2.15.0 milestone Sep 5, 2022
Contributor

WaysonWei commented Sep 5, 2022
