Mehdi AZZI:
Hi everyone 🙂,

here’s my problem. I have a Freeipa LDAP (centos-8-stream-4.9.8) instance and another Gitlab (16.0.2-ee.0) instance running locally in two separate containers.
These instances were launched via a docker-compose. No problem for these instances, both are accessible and work perfectly.
I’m trying to make an SSO connection with my Gitlab instance and the Freeipa server with LDAP.
On my native machine, the following command works:

ldapsearch -x -H ldap://freeipa.packops.local -D "uid=admin,cn=users,cn=accounts,dc=packops,dc=local" -b "uid=user,cn=users,cn=accounts,dc=packops,dc=local" -w YOURPASSWORD

and returns this result:

# extended LDIF
#
# LDAPv3
# base <uid=user,cn=users,cn=accounts,dc=packops,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# user, users, accounts, packops.local
dn: uid=user,cn=users,cn=accounts,dc=packops,dc=local
givenName: user
sn: user
uid: user
cn: user user
displayName: user user
initials: uu
gecos: user user
krbPrincipalName: [email protected]
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
loginShell: /bin/sh
homeDirectory: /home/user
mail: [email protected]
krbCanonicalName: [email protected]
ipaUniqueID: cee7019e-0f37-11ee-94dc-0242ac120002
uidNumber: 1615800003
gidNumber: 1615800003
krbPasswordExpiration: 20230620065805Z
krbLastPwdChange: 20230620065805Z
krbExtraData:: AAL9TZFkcm9vdC9hZG1pbkBQQUNLT1BTLkxPQ0FMAA==
mepManagedEntry: cn=user,cn=groups,cn=accounts,dc=packops,dc=local
ipaNTSecurityIdentifier: S-1-5-21-1133753079-3484878407-2653100528-1003
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=packops,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

However, when I connect to my Gitlab container and execute the same command, I get this result:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Here’s my gitlab.rb config:

###! **remember to close this block with 'EOS' below**
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
   main: # 'main' is the GitLab 'provider ID' of this LDAP server
     label: 'LDAP'
     host: 'freeipa.packops.local'
     port: 389
     uid: 'uid'
     bind_dn: 'uid=admin,cn=users,cn=accounts,dc=packops,dc=local'
     password: 'YOURPASSWORD'
     encryption: 'start_tls' # "start_tls" or "simple_tls" or "plain"
     active_directory: false
     allow_username_or_email_login: false
     base: 'cn=users,cn=accounts,dc=packops,dc=local'
     user_filter: ''
EOS

How can I authorize the connection between my Freeipa container and Gitlab container?
If you have any suggestions for solutions, I’d love to hear from you.
If you have any other questions, don’t hesitate to ask me.

I just want to communicate between two containers.

Al West:
Can your GitLab runner resolve freeipa.packops.local? Try nslookup or ping.

Al West:
Also please do not post the same question in different channels.

Mehdi AZZI:
nslookup and ping work

Al West:
Have you verified the port is accessible over the network?

Mehdi AZZI:
I think the error is because of a certificate:
openssl s_client -connect freeipa.packops.local:389
140058990844800:error:0200206F:system library:connect:Connection refused:crypto/bio/b_sock2.c:110:
140058990844800:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
connect:errno=111

Al West:
636 will have a cert not port 389

Mehdi AZZI:
I tested ping and nslookup with the port; it also worked.

Al West:
Are you trying to do ldap or ldaps?

Mehdi AZZI:
ldap

Al West:
so no certs will be used

Mehdi AZZI:
on my native machine everything works perfectly

Al West:
please show the output of telnet freeipa.packops.local 389 from the GitLab runner

Mehdi AZZI:
telnet freeipa.packops.local 389
telnet: can't connect to remote host (127.0.0.1): Connection refused
root@localhost:/# telnet freeipa.packops.local:389
telnet: can't connect to remote host (127.0.0.1): Connection refused

Al West:
did you open the port in the firewall?

Al West:
oh hold on