LDAPS over Traefik fails

I have a running Traefik instance that routes a number of http/https services. Certificates are generated via letsencrypt.

Now I want to route a legacy ldaps connection, which I am able to route via nginx. My setup for that is the following:

tcp:
  routers:
    ldap:
      rule: HostSNI(`*`)
      entryPoints:
        - "ldap"
      service: "ldap-service"

    ldaps:
      rule: HostSNI(`*`)
      tls:
        insecureSkipVerify: "true"
        certResolver: cloudflareResolver
      entryPoints:
        - "ldaps"
      service: "ldaps-service"

  services:
    ldap-service:
      loadBalancer:
        servers:
          - address: "ldap.dmz.mycom.com:389"

    ldaps-service:
      loadBalancer:
        servers:
          - address: "ldap.dmz.mycom.com:636"

Now I have two test cases

LDAP only: ldapsearch -H ldap://myproxy.dmz.mycom.com ...
This makes Traefik connect to the LDAP server and all requested data are delivered fine. The Traefik log shows:

traefik-1  | time="2024-06-23T19:43:46+02:00" level=debug msg="Handling TCP connection from 172.31.32.105:34018 to ldap.dmz.mycom.com:389"
traefik-1  | time="2024-06-23T19:43:46+02:00" level=debug msg="Dial with lookup to address ldap.dmz.mycom.com:389"

LDAPS: ldapsearch -H ldaps://myproxy.dmz.mycom.com ...

This gives me an ldap_result: Can't contact LDAP server (-1). The Traefik logs show:

traefik-1  | time="2024-06-23T19:46:28+02:00" level=debug msg="Handling TCP connection from 172.31.32.105:43830 to ldap.dmz.mycom.com:636"
traefik-1  | time="2024-06-23T19:46:28+02:00" level=debug msg="Dial with lookup to address ldap.dmz.mycom.com:636"
traefik-1  | time="2024-06-23T19:46:28+02:00" level=debug msg="Serving default certificate for request: \"\""
traefik-1  | time="2024-06-23T19:46:28+02:00" level=debug msg="Error while handling TCP connection: read tcp 10.200.5.5:34078->172.31.20.11:636: read: connection reset by peer"

So Traefik seems to resolve the right router, it even tries to connect to the LDAP backend but the backend allegedly drops the connection. The same backend works when I point ldapsearch directly to the backend. The backend has a self signed cert, hence the insecureSkipVerify: "true"

What puzzles me is the message "Serving default certificate for request: \"\"". I believe that the default cert is correct, as I have defined it in the static config file like so:

tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: cloudflareResolver
        domain:
          main: "web.mycom.com"
          sans:
            - "*.mycom.com"
            - "*.dmz.mycom.com"

So now I am out of ideas of what to do. Any ideas of how I can make LDAPS work would be highly appreciated.

insecureSkipVerify is not an option for a router (doc). It is used globally in static config or you need to create a ServersTransport with it, which you assign to a service.

Traefik might not be able to talk to your LDAP server, if that only supports "very old" TLS.

Maybe try to replace the target service with something like traefik/whoami and check with curl/wget if the request goes through.

Thanks a lot, I tried this:

tcp:
  serversTransports:
    ldapsTransport:
      tls:
        insecureSkipVerify: "true"

  routers:
    ldap:
      rule: HostSNI(`*`)
      entryPoints:
        - "ldap"
      service: "ldap-service"

    ldaps:
      rule: HostSNI(`*`)
      tls:
        certResolver: "cloudflareResolver"
      entryPoints:
        - "ldaps"
      service: "ldaps-service"

  services:
    ldap-service:
      loadBalancer:
        servers:
          - address: "ldap.dmz.mycom.com:389"

    ldaps-service:
      loadBalancer:
        serversTransport: "ldapsTransport"
        servers:
          - address: "ldap.dmz.mycom.com:636"

Traefik now tells me:

level=error msg="Error occurred during watcher callback: /etc/traefik/dynamic/tcp.yml: field not found, node: serversTransports" providerName=file

To my best knowledge I followed the docs, what might I have done wrong? I guess something is wrong with my tcp.serversTransports config

Maybe start by setting it globally in static config (doc) for all services:

## Static configuration
serversTransport:
  insecureSkipVerify: true

I have both

serversTransport:
  insecureSkipVerify: true

tcpServersTransport:
  tls:
    insecureSkipVerify: true

So I hope that all TCP routes will use that.

The following settings

tcp:
   serversTransports:
      ldapsTransport:
        tls:
          insecureSkipVerify: true

always give me tcp.yml: field not found, node: serversTransports, no matter what configuration I try.

Maybe my version of Traefik (2.10.5) does not support that?

Edit: OK 3.0.3 supports that
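For reference, here is a complete dynamic configuration for the LDAPS route that ties the thread together. This is an added example, not a file from the original posts or from the Traefik project. It assumes Traefik 3.x (tcp.serversTransports does not exist in 2.10, which is the "field not found" error above), a file-provider path of /etc/traefik/dynamic/tcp.yml, a second entrypoint named ldaps-passthrough, and a PEM file at /etc/traefik/certs/ldap-backend-ca.pem containing the backend's self-signed certificate; all of those names are assumptions. The security point it makes: insecureSkipVerify on the serversTransport turns off certificate verification for the proxy-to-DMZ hop, so anything that can sit between Traefik and ldap.dmz.mycom.com can impersonate the directory. Pinning the self-signed certificate with rootCAs plus serverName keeps that hop verified, and TLS passthrough avoids the second TLS session altogether by letting the client validate the backend's certificate itself.

```yaml
## Dynamic configuration (file provider), assumed path /etc/traefik/dynamic/tcp.yml
## Added example, not from the original thread. Requires Traefik 3.x:
## tcp.serversTransports is not available in 2.10.
tcp:
  serversTransports:
    # Transport for the Traefik -> backend hop. The tls section is what makes
    # Traefik re-encrypt to the backend instead of dialing plain TCP to :636.
    ldapsTransport:
      tls:
        # Preferred: trust the backend's self-signed certificate explicitly.
        # File path is an assumption; put the backend's cert (PEM) there.
        rootCAs:
          - /etc/traefik/certs/ldap-backend-ca.pem
        # Name that must appear in the backend certificate (CN or SAN).
        serverName: "ldap.dmz.mycom.com"
        # Fallback only. This disables verification of the backend certificate,
        # so the proxy -> DMZ hop can be intercepted without detection.
        # insecureSkipVerify: true

  routers:
    # Option A: terminate TLS at Traefik with the ACME certificate, then
    # re-encrypt to the backend through ldapsTransport.
    ldaps:
      rule: HostSNI(`*`)
      entryPoints:
        - "ldaps"
      tls:
        certResolver: "cloudflareResolver"
      service: "ldaps-service"

    # Option B: do not terminate; forward the client's TLS bytes unchanged.
    # The client validates the backend's self-signed certificate directly and
    # Traefik needs no serversTransport. Uses a separate entrypoint (assumed
    # name: ldaps-passthrough) so A and B do not compete for the same port.
    ldaps-passthrough:
      rule: HostSNI(`*`)
      entryPoints:
        - "ldaps-passthrough"
      tls:
        passthrough: true
      service: "ldaps-passthrough-service"

  services:
    ldaps-service:
      loadBalancer:
        serversTransport: "ldapsTransport"
        servers:
          - address: "ldap.dmz.mycom.com:636"
            # Traefik 3 per-server switch: dial this backend with TLS using
            # the transport above. Without it the transport's tls block is unused.
            tls: true

    ldaps-passthrough-service:
      loadBalancer:
        servers:
          - address: "ldap.dmz.mycom.com:636"
```

With option A, check the backend hop first: if the rootCAs file does not match what the backend presents, Traefik logs the TLS error on the backend dial and the client still sees "Can't contact LDAP server". With option B, clients must trust the backend's self-signed certificate themselves (for example via TLS_CACERT in ldap.conf), since the ACME certificate is never used on that path.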
