Apache Airflow version
2.6.2
What happened
Setting up an Airflow instance which uses jumpcloud as its LDAP backend.
The underlying container (apache/airflow:latest-python3.10) does not trust the CA certificate at ldap.jumpcloud.com:636 even though it is a valid certificate.
The webserver logs show:
[2023-06-19T20:51:49.899+0000] {manager.py:1236} ERROR - {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': '(unknown error code)'}
Digging into the underlying ldap / openssl functions, that seems to be where the issue is, as you can trigger the error with
The issue is not Airflow specific as such; however, it's possible something in the Docker build process for the airflow image is doing something with the allowed ciphers or something.
The container image is built from Debian 11 and a fresh Debian 11 instance does not show this issue.
As a workaround I've added a /etc/ldap/ldap.conf file into the container with the contents
TLS_REQCERT never
and that allows the ldapsearch command and webserver to talk to the LDAP instance.
What you think should happen instead
The ldap connection should be established.
Using a Debian11 container ldap search returns
How to reproduce
docker run --rm -it apache/airflow:2.6.0-python3.10 bash
ldapsearch -d 9 -H 'ldaps://ldap.jumpcloud.com:636'
Operating System
Debian GNU/Linux 11 (bullseye)
Versions of Apache Airflow Providers
simply the base container image
Deployment
Docker-Compose
Deployment details
No response
Anything else
No response
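The workaround in this issue sets TLS_REQCERT never, which per ldap.conf(5) stops the client from requesting or checking the server certificate. As an added example (not part of the original issue or of Airflow), this Python check audits an ldap.conf for that and related settings; the sample configs are constructed and the CA bundle path is an assumed Debian default.

```python
# Added example, not from the issue: audit an OpenLDAP client ldap.conf for
# TLS settings that weaken or disable server certificate verification.
WEAK_REQCERT = {
    "never": "server certificate is not requested or checked",
    "allow": "a missing or invalid server certificate is accepted",
    "try": "a server that sends no certificate is accepted",
}

def parse_ldap_conf(text):
    """Return {OPTION: value}. Option names are case-insensitive; in this
    parser a later line overwrites an earlier one for the same option."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit_tls(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    opts = parse_ldap_conf(text)
    findings = []
    level = opts.get("TLS_REQCERT", "demand").lower()  # demand is the default
    if level in WEAK_REQCERT:
        findings.append(f"TLS_REQCERT {level}: {WEAK_REQCERT[level]}")
    elif level not in ("demand", "hard"):
        findings.append(f"TLS_REQCERT {level}: unrecognised level")
    if "TLS_CACERT" not in opts and "TLS_CACERTDIR" not in opts:
        findings.append("no TLS_CACERT or TLS_CACERTDIR in this file")
    return findings

# Constructed samples: the workaround from the issue, and a verifying config.
WORKAROUND = "TLS_REQCERT never\n"
VERIFYING = """# CA bundle path is an assumption (Debian default location)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for name, conf in (("workaround", WORKAROUND), ("verifying", VERIFYING)):
        print(name, audit_tls(conf) or "OK")
```

The audit only reads the file it is given; settings supplied through LDAP* environment variables or a per-user ldaprc are outside its scope.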