Authentication with LDAP from Docker (Collabora Online)



The goal is that Domain Admins can log in to Collabora Online Admin Console.

I started with UCS 4.3. Despite what this documentation says, I have the following environment variables in the container:

root@colla-21091438:/# env | grep -i ldap

I miss the LDAP_BASE the most, because it is required to make queries. I see that the wiki page was created a few days ago. Why do I see different environment variables?

root@colla-21091438:/# ldapsearch -D $LDAP_HOSTDN -y /etc/machine.secret  -H ldap://$LDAP_MASTER:$LDAP_MASTER_PORT 
Warning: Password file /etc/machine.secret is publicly readable/writeable
# extended LDIF
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# search result
search: 2
result: 32 No such object

# numResponses: 1

On the other hand:

root@colla-21091438:/# ldapsearch -D $LDAP_HOSTDN -y /etc/machine.secret -b dc=collabora,dc=intranet -H ldap://$LDAP_MASTER:$LDAP_MASTER_PORT

… lists everything. So we need the base.



The wiki page was indeed created a few days ago. In fact, it was written with in mind, without waiting until it is actually fixed. Sorry for the inconvenience. This should work - in a few days.

Please use $LDAP_SERVER, not $LDAP_MASTER, as soon as this works. Some systems do not have access to the LDAP on the DC Master, but only to one on a DC Slave.

Kind regards,
Dirk Wiesenthal


Hi Dirk,

Thanks for your answer. On my test system, I can still experiment, using the actual values. I can bind to the host's LDAP from the container with ldapsearch. Next I tried to configure it, but it did not work; it failed silently.


account [success=done new_authtok_reqd=ok user_unknown=die service_err=die authinfo_unavail=die default=die]
account required
auth    sufficient use_first_pass
auth    required


uri ldap://ucs-4067.collabora.intranet:7389
binddn cn=colla-21091438,cn=memberserver,cn=computers,dc=collabora,dc=intranet
bindpw 35b983003025e037d1f7dde377a7a74a1737b68cadfbea360c62000fc767ee1a

base dc=collabora,dc=intranet
ldap_version 3
scope sub
pam_password crypt
ssl start_tls

So far, I expected that LDAP users could be authenticated this way, but it did not happen; I get a PAM authentication failure. Any ideas what's missing, please?



/etc/ldap.conf accepts neither BINDDN nor BINDPW. The former is a user-only option (it goes into ~/.ldaprc), the latter does not exist for OpenLDAP.

This works for me:

ldapsearch -ZZ -D cn=colla-21091438,cn=memberserver,cn=computers,dc=collabora,dc=intranet -y /etc/machine.secret uid=Administrator

Is passing the credentials possible for you?
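Two things in this thread are easy to catch before running ldapsearch: bind credentials placed in /etc/ldap.conf, where the last reply says they are not accepted, and a secret file that is group- or world-readable, which is the warning ldapsearch printed in the first post. The following checker is an added example, not code from Univention, Collabora or anyone in the thread. It assumes the one-`key value`-per-line format of the /etc/ldap.conf excerpt above, treats `binddn`/`bindpw` as misplaced in that file as the last reply states, and uses a constructed sample config (with a placeholder password) and a constructed temporary secret file in place of /etc/machine.secret.

```python
"""Audit an /etc/ldap.conf-style file and the secret file used for ldapsearch -y.

Added example, not the project's code. Assumptions: config is 'key value' per
line with case-insensitive keys; binddn/bindpw do not belong in /etc/ldap.conf
(per the thread); the secret file path is constructed here.
"""
import os
import stat
import tempfile

MISPLACED = {"binddn", "bindpw"}  # not /etc/ldap.conf options (last reply in thread)
REQUIRED = {"uri", "base"}        # 'base' is what the first post found missing

# Constructed sample mirroring the thread's excerpt; the password is a placeholder.
SAMPLE_CONF = """\
uri ldap://ucs-4067.collabora.intranet:7389
binddn cn=colla-21091438,cn=memberserver,cn=computers,dc=collabora,dc=intranet
bindpw PLACEHOLDER-NOT-A-REAL-SECRET

base dc=collabora,dc=intranet
ldap_version 3
scope sub
pam_password crypt
ssl start_tls
"""


def parse_ldap_conf(text):
    """Return {key: value} for 'key value' lines; blank and '#' lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_conf(conf):
    """Return findings for a parsed config; an empty list means nothing was flagged."""
    findings = []
    for key in sorted(MISPLACED & conf.keys()):
        findings.append(f"{key}: not an /etc/ldap.conf option (bind credentials here "
                        "are not used); keep them in the PAM LDAP module's own config (assumed)")
    for key in sorted(REQUIRED - conf.keys()):
        findings.append(f"{key}: missing; with no base the search returns 'No such object'")
    uri = conf.get("uri", "")
    if conf.get("ssl", "").lower() != "start_tls" and not uri.startswith("ldaps://"):
        findings.append("transport: neither 'ssl start_tls' nor an ldaps:// URI, "
                        "so the bind password would travel in cleartext")
    return findings


def check_secret_mode(mode):
    """Findings for a secret file's permission bits, e.g. 0o644 -> one finding."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("secret file is group/world accessible; it should be mode 0600")
    return findings


def audit_secret_file(path):
    """Stat the secret file and apply the same rule ldapsearch warns about."""
    return check_secret_mode(stat.S_IMODE(os.stat(path).st_mode))


def demo():
    """Run both audits on the constructed sample and a constructed secret file."""
    findings = audit_conf(parse_ldap_conf(SAMPLE_CONF))
    with tempfile.TemporaryDirectory() as workdir:
        secret = os.path.join(workdir, "machine.secret")  # constructed, not /etc/machine.secret
        with open(secret, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(secret, 0o644)  # the state ldapsearch warned about in the thread
        findings += audit_secret_file(secret)
        os.chmod(secret, 0o600)  # corrected; adds no finding
        findings += audit_secret_file(secret)
    return findings


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

Running it on the sample yields three findings: `binddn` and `bindpw` misplaced, and the world-readable secret file; the `base` and transport checks pass because the sample carries `base` and `ssl start_tls`. Point `audit_secret_file` at the real machine secret path and `parse_ldap_conf` at the real file to use it in a container.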