apache / airflow

Apache Airflow - A platform to programmatically author, schedule, and monitor workflows
https://airflow.apache.org/
Apache License 2.0

Container Image not trusting LDAP certificates #32023

Closed ninjasftw closed 1 year ago

ninjasftw commented 1 year ago

Apache Airflow version

2.6.2

What happened

Setting up an Airflow instance which uses jumpcloud as its LDAP backend.

The underlying container (apache/airflow:latest-python3.10) does not trust the CA certificate at ldap.jumpcloud.com:636, even though it is a valid certificate.

The webserver logs show `[2023-06-19T20:51:49.899+0000] {manager.py:1236} ERROR - {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': '(unknown error code)'}`. Digging into the underlying ldap / openssl functions, that seems to be where the issue is, as you can trigger the error with:

```
ldapsearch -d 9 -H 'ldaps://ldap.jumpcloud.com:636'
ldap_url_parse_ext(ldaps://ldap.jumpcloud.com:636)
ldap_create
ldap_url_parse_ext(ldaps://ldap.jumpcloud.com:636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.jumpcloud.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 3.70.144.176:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
    additional info: (unknown error code)
```

The issue is not Airflow specific as such; however, it's possible something in the Docker build process for the airflow image is doing something with the allowed ciphers or something.

The container image is built from Debian 11 and a fresh Debian 11 instance does not show this issue.

As a workaround I've added a /etc/ldap/ldap.conf file into the container with the contents `TLS_REQCERT never`

and that allows the ldapsearch command and webserver to talk to the LDAP instance

What you think should happen instead

The ldap connection should be established.

Using a Debian 11 container, ldapsearch returns:

```
ldapsearch -d 9 -H 'ldaps://ldap.jumpcloud.com:636'
ldap_url_parse_ext(ldaps://ldap.jumpcloud.com:636)
ldap_create
ldap_url_parse_ext(ldaps://ldap.jumpcloud.com:636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.jumpcloud.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 3.70.144.176:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
```

How to reproduce

```
docker run --rm -it apache/airflow:2.6.0-python3.10 bash

ldapsearch -d 9 -H 'ldaps://ldap.jumpcloud.com:636'
```

Operating System

Debian GNU/Linux 11 (bullseye)

Versions of Apache Airflow Providers

simply the base container image

Deployment

Docker-Compose

Deployment details

No response

Anything else

No response

Are you willing to submit PR?

Code of Conduct
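As an added example (not code from this issue, the reporter, or the Airflow project), the script below audits an OpenLDAP client config for the setting behind the workaround above and writes a hardened alternative. `TLS_REQCERT never` makes libldap accept any server certificate, so the "peer cert untrusted or revoked" error goes away, but so does the protection against an impersonated directory server harvesting the credentials Airflow sends in its LDAP bind. The fix that keeps verification is to make the issuing CA available to libldap via `TLS_CACERT` while leaving `TLS_REQCERT` at its default of `demand`. Assumptions: Debian's CA bundle path `/etc/ssl/certs/ca-certificates.crt`; the function names and the two sample config files are constructed for the example; `ldap_tls_probe` needs network access and the `openssl` CLI and only runs when a host is passed on the command line.

```shell
#!/usr/bin/env bash
# Added example (not from the Airflow issue or project): audit an OpenLDAP
# client config for TLS peer verification and emit a hardened one.
#
# libldap reads TLS_REQCERT from /etc/ldap/ldap.conf (or $LDAPCONF / ~/.ldaprc):
#   never | allow   -> an untrusted server cert is accepted; a MITM can capture binds
#   try             -> a bad cert aborts, an absent cert is tolerated
#   demand | hard   -> cert must be present and chain to a trusted CA (the default)

# Print the effective TLS_REQCERT value from a config file. Keys are
# case-insensitive, '#' lines are comments, the last occurrence wins, and an
# absent key yields "demand" (libldap's default).
ldap_reqcert_value() {
  awk 'tolower($1) == "tls_reqcert" { v = tolower($2) }
       END { print (v == "" ? "demand" : v) }' "$1"
}

# Return 0 when the config verifies the peer certificate, 1 when it does not.
ldap_tls_is_verified() {
  case "$(ldap_reqcert_value "$1")" in
    never|allow) return 1 ;;
    *)           return 0 ;;
  esac
}

# Write a client config that keeps verification on and names the trust store.
# Bundle path is an assumption (Debian's ca-certificates bundle); point it at a
# private CA file instead when the directory uses an internal CA.
write_hardened_ldap_conf() {
  cat > "$1" <<'EOF'
# Trust store the server chain must validate against
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
# Refuse the connection unless the server cert is present and valid
TLS_REQCERT demand
EOF
}

# Optional live check of a server's chain against a bundle. Needs network and
# the openssl CLI; -brief prints a one-line "Verification: ..." summary and
# -verify_return_error makes the exit status non-zero on a failed chain.
ldap_tls_probe() {
  local host="$1" port="${2:-636}" bundle="${3:-/etc/ssl/certs/ca-certificates.crt}"
  openssl s_client -brief -connect "$host:$port" -servername "$host" \
    -CAfile "$bundle" -verify_return_error </dev/null
}

# Demo on constructed configs (no network): the issue's workaround next to the
# hardened file.
demo_dir=$(mktemp -d)
printf 'TLS_REQCERT never\n' > "$demo_dir/workaround.conf"   # constructed: the workaround
write_hardened_ldap_conf "$demo_dir/hardened.conf"
for f in workaround hardened; do
  if ldap_tls_is_verified "$demo_dir/$f.conf"; then
    echo "$f.conf: TLS_REQCERT=$(ldap_reqcert_value "$demo_dir/$f.conf") (peer verified)"
  else
    echo "$f.conf: TLS_REQCERT=$(ldap_reqcert_value "$demo_dir/$f.conf") (peer NOT verified; MITM-able)"
  fi
done
rm -rf "$demo_dir"

# Live check only when a host is given, e.g.: ./ldap_tls_audit.sh ldap.jumpcloud.com 636
if [ "$#" -gt 0 ]; then
  ldap_tls_probe "$@"
fi
```

Run the script with no arguments to see the two verdicts; run it with a host (and optionally port and bundle path) inside the container to check whether the chain the server presents validates against the bundle the container actually has. If the live probe reports a verification error while the same command succeeds on a plain Debian 11 host, the difference is in the trust store or libldap/OpenSSL configuration of the image, which is exactly what `TLS_REQCERT never` would hide rather than fix.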

boring-cyborg[bot] commented 1 year ago

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.