After poking around in the communication traces via Wireshark I finally found the source of our problems. Traefik relies on the SNI [1] to track and route connections to services [2]. I could verify that neither Apache-Directory-Studio nor the OpenLDAP tools use this optional TLS extension, so this configuration can not work properly.
This is supported by the observation that openssl managed to cause OpenLDAP to log a connection and received the correct certificate while the ldap tools just got the default certificate and canceled the connection regardless of the certificate setting (ignore insecure or not).
I suppose it would be a valid solution for anyone trying to implement OpenLDAP behind traefik to route all incoming connections on a given port to the service. In that way it would at least be possible to offload certificate renewal and termination. Now I tried following configuration change:
- - "traefik.tcp.routers.app-sso-ldap.rule=HostSNI(`ldap.example.com`)"
+ - "traefik.tcp.routers.app-sso-ldap.rule=HostSNI(`*`)"
Here I would expect that a connection should be possible and a connection is being logged which isn't the case yet unfortunately...
Maybe this is the reason why:
It is important to note that the Server Name Indication is an extension of the TLS protocol. Hence, only TLS routers will be able to specify a domain name with that rule. However, non-TLS routers will have to explicitly use that rule with
*(every domain) to state that every non-TLS request will be handled by the router. [3]
I understand that text (especially the part "to state that every non-TLS request will be handled by the router."), that such catch-all rules only apply to non-TLS connections coming in.
Does anyone know a solution that would enable traefik to use a default certificate generated through letsencrypt with a custom hostname (of course one that can be validated by traefik) on such wildcard rules?
Not sure if this question even is in scope of this thread. I could also create a new one or even an github issue requesting this as a feature?
EDIT: Of course it would be an alternative to request the SNI extension for OpenLDAP. I think both, the possibility to handle such things in traefik and a proper OpenLDAP implementation of SNI, are useful or even necessary...
Though I think extending traefik would be a quicker solution for users, as an update of OpenLDAP client tools would not be enough to fix all issues regarding that. Potentially all applications communicating with the ldaps protocol would need to be updated for that.