
Exception on LDAP/AD connection with .NET 8 on MacOs and Docker with StartTransportLayerSecurity #110391

Open
markusTraber opened this issue Dec 4, 2024 · 4 comments
Labels
area-System.DirectoryServices needs-further-triage Issue has been initially triaged, but needs deeper consideration or reconsideration os-mac-os-x macOS aka OSX
Milestone

Comments

@markusTraber

Description

On MacOs Sonoma 14.5 (23F79) and Docker Debian mcr.microsoft.com/dotnet/aspnet:8.0-bookworm-slim I cannot connect to our Active Directory with System.DirectoryServices.Protocols 8.0.0. I get an exception when calling StartTransportLayerSecurity(null). It works as soon as I use version 7.0.1 instead of 8.0.0.

Reproduction Steps

MacOs

  1. MacOs Sonoma 14.5 (23F79)
  2. AD Server with Start TLS on port 389
  3. Reference System.DirectoryServices.Protocols package in version 8.0.0 in your project
  4. Execute code

```csharp
using System.Net;
using System.DirectoryServices.Protocols;

// host, port, userDn and plainPassword are supplied by the caller.
LdapDirectoryIdentifier ldi = new LdapDirectoryIdentifier(host, port);
LdapConnection cn = new LdapConnection(ldi);
cn.Credential = new NetworkCredential(userDn, plainPassword);
cn.AuthType = AuthType.Basic;
cn.SessionOptions.ProtocolVersion = 3;
// Upgrade the plaintext port-389 connection to TLS (StartTLS) before binding.
cn.SessionOptions.StartTransportLayerSecurity(null);
cn.Bind();
```

Docker

  1. AD Server with Start TLS on port 389
  2. Reference System.DirectoryServices.Protocols package in version 8.0.0 in your project
  3. Implement code in project

```csharp
using System.Net;
using System.DirectoryServices.Protocols;

// host, port, userDn and plainPassword are supplied by the caller.
LdapDirectoryIdentifier ldi = new LdapDirectoryIdentifier(host, port);
LdapConnection cn = new LdapConnection(ldi);
cn.Credential = new NetworkCredential(userDn, plainPassword);
cn.AuthType = AuthType.Basic;
cn.SessionOptions.ProtocolVersion = 3;
// Upgrade the plaintext port-389 connection to TLS (StartTLS) before binding.
cn.SessionOptions.StartTransportLayerSecurity(null);
cn.Bind();
```
  4. Build a docker image:

```dockerfile
FROM --platform=$BUILDPLATFORM  mcr.microsoft.com/dotnet/sdk:8.0-bookworm-slim AS build
ARG TARGETARCH
WORKDIR /build

# Copy project files and restore
COPY *.sln ./
COPY Directory.Packages.props ./
COPY src/ExampleApp.Web.Host/*.csproj ./src/ExampleApp.Web.Host/
# ... more csproj files
RUN dotnet restore

COPY --link . ./

WORKDIR /build/src/ExampleApp.Web.Host/
RUN dotnet publish -c Release -o /publish /p:Version=$(date +"%Y.%m.%d") --no-restore


#
# Runtime stage
#
FROM mcr.microsoft.com/dotnet/aspnet:8.0-bookworm-slim
EXPOSE 10001
WORKDIR /app
COPY --link --from=build /publish .

# install new libldap
RUN apt update \
  && apt install --upgrade -y libldap-2.5-0 \
  && ln -s /usr/lib/x86_64-linux-gnu/libldap-2.5.so.0 /usr/lib/x86_64-linux-gnu/libldap-2.4.so.2 \
  && ln -s /usr/lib/x86_64-linux-gnu/libldap.so.2 /usr/lib/libldap-2.5.so.0 \
  && apt install nano vim -y \
  && apt clean \
  && rm -rf /var/lib/apt/lists/

# ad/ldap library link issue - https://github.com/dotnet/runtime/discussions/98990
# RUN apt update \
#  && ln -s /usr/lib/x86_64-linux-gnu/libldap-2.5.so.0 /usr/lib/x86_64-linux-gnu/libldap-2.4.so.2 \
#  && ln -s /usr/lib/x86_64-linux-gnu/libldap.so.2 /usr/lib/libldap-2.5.so.0 \

# copy entrypoint script and make executable
COPY ./docker/entrypoint.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/entrypoint.sh

# create directory for ldap cert -> will be mounted as volume and checked by entrypoint.sh
RUN mkdir /usr/share/ca-certificates/extra
RUN cp /etc/ca-certificates.conf /etc/ca-certificates.conf.backup

CMD ["/usr/local/bin/entrypoint.sh"]
```
  5. Run the image and execute the LDAP connection code. I have tried 3 variations:
     5.1 Installing libldap-2.5-0
     5.2 Installing libldap-2.5-0 and creating symbolic links (commented in dockerfile)
     5.3 Without installing and linking

Expected behavior

I can connect to AD and no exception is thrown when "StartTransportLayerSecurity" method is called.

Actual behavior

MacOS

Exception is thrown when calling "StartTransportLayerSecurity" method:

```text
Exception has occurred: CLR/System.DirectoryServices.Protocols.LdapException
Exception thrown: 'System.DirectoryServices.Protocols.LdapException' in System.DirectoryServices.Protocols.dll: 'The LDAP server is unavailable.'
   at System.DirectoryServices.Protocols.LdapSessionOptions.StartTransportLayerSecurity(DirectoryControlCollection controls)
   at ExampleApp.Authentication.Ldap.LdapConnectionFactory.CreateBoundConnection(String userDn, String plainPassword) in src/ExampleApp.Ldap/Authentication/Ldap/LdapConnectionFactory.cs:line 102
```


Docker

When installing libldap 2.5 and linking it or not (5.1 and 5.2), I get basically the same error as on MacOs:

```text
System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
   at System.DirectoryServices.Protocols.LdapSessionOptions.StartTransportLayerSecurity(DirectoryControlCollection controls)
   at ExampleApp.Authentication.Ldap.LdapConnectionFactory.CreateBoundConnection(String userDn, String plainPassword) in /build/src/ExampleApp.Ldap/Authentication/Ldap/LdapConnectionFactory.cs:line 102
```

Without installing, I get the following:

```text
System.TypeInitializationException: The type initializer for 'Ldap' threw an exception.
   at Interop.Ldap.ldap_initialize(IntPtr& ld, String uri)
   at System.DirectoryServices.Protocols.ConnectionHandle..ctor()
   at System.DirectoryServices.Protocols.LdapConnection.InternalInitConnectionHandle()
   at System.DirectoryServices.Protocols.LdapConnection.Init()
   at System.DirectoryServices.Protocols.LdapConnection..ctor(LdapDirectoryIdentifier identifier, NetworkCredential credential, AuthType authType)
   at System.DirectoryServices.Protocols.LdapConnection..ctor(LdapDirectoryIdentifier identifier)
   at ExampleApp.Authentication.Ldap.LdapConnectionFactory.CreateBoundConnection(String userDn, String plainPassword) in /build/src/ExampleApp.Ldap/Authentication/Ldap/LdapConnectionFactory.cs:line 85
```

Regression?

Works with System.DirectoryServices.Protocols 7.0.1

Known Workarounds

Using v7.0.1

Configuration

  • MacOs Sonoma 14.5 (23F79) on arm64 with .Net v8.0.403
  • Docker Debian mcr.microsoft.com/dotnet/aspnet:8.0-bookworm-slim, running as x64 on MacOs arm64 Host
  • System.DirectoryServices.Protocols 8.0.0

Other information

@dotnet-policy-service dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label Dec 4, 2024
@markusTraber markusTraber changed the title LDAP/AD connection with .NET 8 on MacOs and Docker Exception on LDAP/AD connection with .NET 8 on MacOs and Docker with StartTLS Dec 4, 2024
@markusTraber markusTraber changed the title Exception on LDAP/AD connection with .NET 8 on MacOs and Docker with StartTLS Exception on LDAP/AD connection with .NET 8 on MacOs and Docker with StartTransportLayerSecurity Dec 4, 2024
@steveharter steveharter closed this as not planned Won't fix, can't repro, duplicate, stale Dec 4, 2024
@dotnet-policy-service dotnet-policy-service bot removed the untriaged New issue has not been triaged by the area owner label Dec 4, 2024
@steveharter steveharter reopened this Dec 5, 2024
@dotnet-policy-service dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label Dec 5, 2024
@steveharter steveharter added this to the 10.0.0 milestone Dec 5, 2024
@steveharter steveharter added needs-further-triage Issue has been initially triaged, but needs deeper consideration or reconsideration and removed untriaged New issue has not been triaged by the area owner labels Dec 5, 2024
@steveharter
Member

This looks similar to #108448, but the current implementation should pick up libldap-2.4.so.2, libldap-2.5.so.0 and libldap-2.6.so.0, and it looks like you've tried 2.5-0 and variants.

@steveharter steveharter added the os-mac-os-x macOS aka OSX label Dec 5, 2024
@steveharter
Member

> It works as soon as I use version 7.0.1 instead of 8.0.0.

There was a change in v8 that started to probe for 2.4, 2.5 and 2.6.

Previously in v7 it only looked for 2.4 (libldap-2.4.so.2), and I see you used symlinks to forward 2.5 to 2.4 which was necessary.

For the v8 case is it possible that these symlinks are pointing to an incorrect or missing entry? The symlinks shouldn't be necessary for v8 as 2.5 is now probed for.
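
A quick way to answer the symlink question above, added here as an example (not code from the issue or from the runtime): it looks for the three candidate SONAMEs named in this thread in the given library directories and flags any entry whose symlink chain ends at a missing file. The directory paths in the usage comment are assumptions; adjust them to the image's multiarch layout.

```shell
#!/bin/sh
# Added example: verify what a v8 libldap probe would find on a Debian-based
# image. The three SONAMEs are the ones named in the thread; the directories
# passed in are assumptions.
LDAP_CANDIDATES="libldap-2.4.so.2 libldap-2.5.so.0 libldap-2.6.so.0"

# probe_lib NAME DIR...: prints "NAME STATE PATH" for the first DIR holding NAME.
#   ok        entry resolves (directly or through symlinks) to an existing file
#   dangling  entry exists but its symlink chain ends at a missing file
#   missing   no entry of that name in any DIR
probe_lib() {
  lib=$1; shift
  for dir in "$@"; do
    entry="$dir/$lib"
    if [ -L "$entry" ] || [ -e "$entry" ]; then
      # readlink -f follows the whole chain; a dangling link yields a path
      # that is not a regular file (or no output on BSD readlink).
      target=$(readlink -f "$entry" 2>/dev/null || true)
      if [ -n "$target" ] && [ -f "$target" ]; then
        echo "$lib ok $target"
      else
        echo "$lib dangling $entry"
      fi
      return 0
    fi
  done
  echo "$lib missing -"
}

# probe_libldap DIR...: one line per candidate; exit 1 if any present entry is
# dangling, so the check can gate an image build or a container health check.
probe_libldap() {
  rc=0
  for name in $LDAP_CANDIDATES; do
    line=$(probe_lib "$name" "$@")
    echo "$line"
    case "$line" in *" dangling "*) rc=1 ;; esac
  done
  return "$rc"
}

# Typical invocation inside the bookworm-slim image (paths are assumptions):
#   probe_libldap /usr/lib/x86_64-linux-gnu /usr/lib
```

Run it in the container after the `apt install` / `ln -s` step; a `dangling` line for a name the v8 loader probes first is the case the comment above asks about.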

@steveharter
Member

I suggest also looking at #69456

@markusTraber
Author

Thank you. I will look into this and get back to you here.
