
Failed to access LDAP server over TLS #209

Closed
YasuhiroABE opened this issue Dec 13, 2021 · 3 comments · Fixed by #210

Comments

@YasuhiroABE

Abstract
My container based on version 2.4.51 failed to access our LDAP server via ldaps with the following error_log:

[Mon Dec 13 07:08:02.404750 2021] [authnz_ldap:info] [pid 8:tid 139901152511744] [client 192.168.100.4:52618] AH01695: auth_ldap authenticate: user user01 authentication failed; URI /secret/ [LDAP: ldap_simple_bind() failed][Can't contact LDAP server], referer: http://192.168.1.25:8080/

Versions before 2.4.50 don't have the issue, as the libldap-common package was installed.

Root cause
The missing /etc/ldap/ldap.conf file causes the missing "TLS_CACERT /etc/ssl/certs/ca-certificates.crt" configuration.
Because of this, the server cannot be accessed using an ldaps:// URL.

Conclusion
Is this an intended change in 2.4.51 or later?

@wglambert

Interesting... not sure why libldap-common isn't in 2.4.51, the Dockerfile difference is just the version change docker-library/official-images#11057

The Dockerfile installs libaprutil1-ldap which has libldap as a dependency, which then has libldap-common as its dependency.

$ docker run -it --rm httpd:2.4.51 bash
root@e6828c8b35ed:/usr/local/apache2# apt search libaprutil1-ldap
Sorting... Done
Full Text Search... Done
libaprutil1-ldap/now 1.6.1-5 amd64 [installed,local]
  Apache Portable Runtime Utility Library - LDAP Driver

root@e6828c8b35ed:/usr/local/apache2# apt search libldap         
Sorting... Done
Full Text Search... Done
libldap-2.4-2/now 2.4.57+dfsg-3 amd64 [installed,local]
  OpenLDAP libraries

root@e6828c8b35ed:/usr/local/apache2# apt search libldap-common
Sorting... Done
Full Text Search... Done

What 2.4.50 shows

$ docker run -it --rm httpd:2.4.50 bash
root@e8cbf9179ea8:/usr/local/apache2# apt search libaprutil1-ldap
Sorting... Done
Full Text Search... Done
libaprutil1-ldap/now 1.6.1-4 amd64 [installed,local]
  Apache Portable Runtime Utility Library - LDAP Driver

root@e8cbf9179ea8:/usr/local/apache2# apt search libldap         
Sorting... Done
Full Text Search... Done
libldap-2.4-2/now 2.4.47+dfsg-3+deb10u6 amd64 [installed,local]
  OpenLDAP libraries

libldap-common/now 2.4.47+dfsg-3+deb10u6 all [installed,local]
  OpenLDAP common files for libraries

@tianon
Member

tianon commented Dec 13, 2021

This is very similar to docker-library/php#1228 -- the difference (and the thing that caused the breakage) is that in Debian Bullseye, libldap-common is only in Recommends instead of Depends, so it no longer gets installed automatically (thanks to our overuse of --no-install-recommends).

In this case, it's core functionality being broken, so IMO we should probably add it persistently (perhaps with a link to this thread so we can more easily remember/chase down why we added it).

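An added diagnostic for the failure mode described above (example code, not from this thread or the httpd image): it checks whether libldap has a CA bundle to trust, either from a TLS_CACERT directive in the /etc/ldap/ldap.conf that libldap-common ships, or from the LDAPTLS_CACERT environment variable that libldap reads (ldap.conf(5)). The default path and the "last directive wins" handling are assumptions of this check.

```shell
#!/bin/sh
# Added check, not part of the httpd image: without a trusted CA bundle,
# libldap cannot verify the ldaps:// server certificate and mod_authnz_ldap
# reports "ldap_simple_bind() failed ... Can't contact LDAP server".
# Usage: ldap_tls_check [path-to-ldap.conf]   (default: /etc/ldap/ldap.conf)
# Returns 0 when a readable CA bundle is configured, 1 otherwise.
ldap_tls_check() {
    conf="${1:-/etc/ldap/ldap.conf}"
    if [ -n "$LDAPTLS_CACERT" ]; then
        # libldap reads LDAPTLS_CACERT from the environment after ldap.conf
        cacert="$LDAPTLS_CACERT"
        src="LDAPTLS_CACERT env"
    elif [ ! -f "$conf" ]; then
        echo "MISSING: $conf not found; install libldap-common or set LDAPTLS_CACERT"
        return 1
    else
        # Assumption of this check: the last TLS_CACERT directive is the effective one
        cacert=$(awk 'toupper($1)=="TLS_CACERT" {v=$2} END {print v}' "$conf")
        src="$conf"
    fi
    if [ -z "$cacert" ]; then
        echo "NO TLS_CACERT in $src: ldaps:// verification has no trust anchor"
        return 1
    fi
    if [ ! -r "$cacert" ]; then
        echo "BROKEN: $src names $cacert, which is not readable"
        return 1
    fi
    echo "OK: CA bundle $cacert (from $src)"
    return 0
}
```

Run inside the container; from the outputs in this thread it should report MISSING on httpd:2.4.51 and OK on httpd:2.4.50.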
@YasuhiroABE
Author

Thank you for your prompt action!

@ridlyway ridlyway mentioned this issue Jul 3, 2023