LDAP at port 40000 is blocked by browser because of invalid certificate

I have set up odk 2 sync endpoint on Amazon Linux EC2 instance successfully. I managed to get a certificate from letsencrypt and installed it into nginx according to guideline. Now I can access the web-ui with https.

However, when I tried to access ldap at https://my.domain.com:40000/ the certificate was invalid and the browser did not allow me to continue. When I viewed the certificate, it was issued by docker-light-baseimage, not by letsencrypt.

I do not know how to used the certificate issued by letsencrypt with ldap. Or, do I need different certificate for ldap?

Please help me find out how to solve the problem.

Hello,

Yes - the phpldapadmin comes with its own self-signed certificate (usually you can just click details and “Continue to this website (unsafe)” in the browser or you can install the certificate on the client PCs that need it).

I think that security wise, the phpldapadmin interface should not be exposed directly to the internet as such (ie port 40000 should not be forwarded/open in the firewall), but only accessed from local admin pcs…

Best regards
Emil

Thank you Emil. One question. If port 40000 is not exposed directly to the internet, how could we add users and groups to phpldapadmin? Sorry in advance for my naive question.

Hello,

That depends on your setup - is it possible for you to set up a VPN that can connect you to the “internal” network of the server and only have port 40000 exposed there? In that case that would be more secure…

Best regards
Emil

Thanks Emil, I get the idea, although I don’t know exactly how to do it yet.

I had the same issue, it took a while but I managed to resolve by passing my own certs to the phpldapadmin image. You can see instructions to do this here: https://github.com/osixia/docker-phpLDAPadmin#use-your-own-certificate (modify the ldap.env config file).

Additionally I found it useful to add the phpldapadmin container to the reverse proxy and avoid having to use the port altogether. This was a bit more involved, but in the end I got it working with web-ui at my-server.com/web-ui and phpldapadmin at my-server.com/ldap, both served on https with a certificate automatically generated and renewed via certbot.

I’ve documented an outline of the steps involved here: https://gist.github.com/chrismclarke/32a0b7331c6027a3e7be4d0d2c0866d3

Would be great if anyone else tries this and has feedback.

2 Likes