So when trying to log in, ldap3 looks for the file relative to the app's working directory inside the container, can't find it under certificates/ldap where you put it, and throws an error.
There's also a local login fallback mechanism, but the local login part can't execute because there's an error with ldap. It would be nice if we could log in with the local user even when something is wrong with the ldap mechanism. (Maybe this is another issue?)
I temporarily resolved this by double mounting the certs to "/iriswebapp" and under "certificates/ldap" as well:
volumes:
  - ./certificates/ldap/iris_ldaps.pem:/iriswebapp/certificates/ldap/iris_ldaps.pem:ro
  - ./certificates/ldap/iris_ldaps.pem:/iriswebapp/iris_ldaps.pem:ro
  - ./certificates/ldap/dc4.pem:/iriswebapp/certificates/ldap/dc4.pem:ro
  - ./certificates/ldap/dc4.pem:/iriswebapp/dc4.pem:ro
When setting up LDAPS, the config parser expects the cert file to be given with the "LDAP_SERVER_CERTIFICATE" key and as a file name only. It then prepends "certificates/ldap/" in front of that file name before validating the whole path, but stores only the bare file name for further use.
Relevant line: "https://github.com/dfir-iris/iris-web/blob/master/source/app/configuration.py#L446"
Same thing with "LDAP_CA_CERTIFICATE".
Relevant line: "https://github.com/dfir-iris/iris-web/blob/master/source/app/configuration.py#L457"
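To make the mismatch concrete, here is an added simulation (my own code, not iris-web's): one resolver behaves as described above, validating `certificates/ldap/<name>` but returning only the bare name, and a second resolver returns the validated absolute path and refuses names that escape the certificate directory. The app directory, file names and the `can_open` stand-in for ldap3 opening the file from the working directory are all constructed for the example.

```python
"""Simulate the LDAP certificate path handling described in the report."""
import os
import tempfile

LDAP_CERT_DIR = "certificates/ldap"  # prefix prepended for validation


def resolve_cert_as_reported(cert_name: str, app_dir: str) -> str:
    """Validate <app_dir>/certificates/ldap/<name> but return only the bare name."""
    full = os.path.join(app_dir, LDAP_CERT_DIR, cert_name)
    if not os.path.isfile(full):
        raise FileNotFoundError(full)
    return cert_name  # consumers later open this relative to the cwd


def resolve_cert_fixed(cert_name: str, app_dir: str) -> str:
    """Return the validated absolute path; reject names leaving the cert dir."""
    cert_dir = os.path.realpath(os.path.join(app_dir, LDAP_CERT_DIR))
    full = os.path.realpath(os.path.join(cert_dir, cert_name))
    if os.path.dirname(full) != cert_dir:
        raise ValueError(f"expected a bare file name, got {cert_name!r}")
    if not os.path.isfile(full):
        raise FileNotFoundError(full)
    return full


def can_open(path: str, cwd: str) -> bool:
    """Stand-in (assumed) for ldap3 opening the cert file from the cwd."""
    return os.path.isfile(path if os.path.isabs(path) else os.path.join(cwd, path))


def simulate(cert_name: str = "iris_ldaps.pem") -> dict:
    """Mount a constructed cert under certificates/ldap and compare resolvers."""
    with tempfile.TemporaryDirectory() as app_dir:
        os.makedirs(os.path.join(app_dir, LDAP_CERT_DIR))
        with open(os.path.join(app_dir, LDAP_CERT_DIR, cert_name), "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n")
        reported = resolve_cert_as_reported(cert_name, app_dir)
        fixed = resolve_cert_fixed(cert_name, app_dir)
        return {
            "reported_value": reported,
            "reported_opens": can_open(reported, app_dir),
            "fixed_opens": can_open(fixed, app_dir),
        }


def rejects_escape(cert_name: str) -> bool:
    """True if the fixed resolver refuses a name that leaves the cert directory."""
    with tempfile.TemporaryDirectory() as app_dir:
        os.makedirs(os.path.join(app_dir, LDAP_CERT_DIR))
        try:
            resolve_cert_fixed(cert_name, app_dir)
        except ValueError:
            return True
        return False
```

Calling `simulate()` shows the bare name failing to open from the working directory while the absolute path succeeds, which is exactly why the double mount above works around the problem.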