bitnami / containers

Bitnami container images
https://bitnami.com

[bitnami/matomo] Minideb image used for matomo is buggy on the LDAPS libs #43213

Closed w4rell closed 1 year ago

w4rell commented 1 year ago

Name and Version

bitnami/matomo:4.15.0-debian-11-r20

What architecture are you using?

amd64

What steps will reproduce the bug?

I found this bug trying desperately to configure the matomo ldap plugin...

Pull your container through docker-compose and up it.

$ docker exec -it -u root matomo bash
apt update
apt install ldap-utils
ldapsearch -x -W -D "cn=ldap.discover,ou=users,dc=domain,dc=net" -H ldaps://ldap.domain.net:636 -b dc=domain,dc=net

What is the expected behavior?

Should return the content of the LDAPS server. When I try on another image like bitnami/openldap I get what I should have:

[....]
# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4

What do you see instead?

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Additional information

When I try an LDAP connection, everything works properly; only LDAPS seems broken. I saw that the libraries on this minideb image are way older than on a newer OS... And everywhere else I tried this command, it works fine.

javsalgar commented 1 year ago

Hi,

So, if I understood correctly, the issue is not happening in other openldap images, only on bitnami/openldap, right?

w4rell commented 1 year ago

No, sorry if I wasn't clear! I used another bitnami image to try the same command and to find out if this issue is common to every image. The issue is on the matomo container only; it works on the openldap one 😉 If you want to create the same lab, I'm using the bitnami/openldap image on another server behind traefik for the certificate.

w4rell commented 1 year ago

Is there any news? I'm looking on my side to find a way to correct this issue but have found nothing for now... Thanks.

mdhont commented 1 year ago

Bitnami Matomo does not come with Openldap installed, I have created a task for adding it. We will update this thread with further information.

w4rell commented 1 year ago

We don't need to install openldap on matomo, only update the minideb OS on which the matomo image is based, sorry if I'm not very clear. I already had the openldap image before any attempt to connect to LDAPS on our LDAPS server. I tried the command to connect, but it doesn't work on the matomo image, while it does on the openldap one.

Thanks for your help!


mdhont commented 1 year ago

We don't need to install openldap on matomo, only update the minideb os whom matomo image is based on, sorry if I'm not very clear.

It's not possible to do that, the Minideb image is built specifically to be used as a base image for containers, and only the necessary components are pre-configured to work with the application. The image also contains any security updates released more than 24 hours ago.

w4rell commented 1 year ago

So you assume LDAPS will never work on your matomo image... Too bad.


mdhont commented 1 year ago

As I've replied before, I have created an internal task for adding support for it.

aoterolorenzo commented 1 year ago

Hi @w4rell,

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

is not a very verbose output in order to debug the issue. Could you attach the matomo logs to see if it could help?

In order to have TLS configured, I imagine you have provided your LDAP server with certificate and key files, and a CA used to sign them. In case the CA you used is self-signed, you would also need to integrate it into the matomo container's keyring in order to establish a connection between client and server. Could this be the case?

aoterolorenzo commented 1 year ago

This is the output I got at this point:

root@2a287b19b2c4:/# ldapsearch -x -W -D "cn=ldap.discover,ou=users,dc=domain,dc=net" -H ldaps://ldap.domain.net:1389 -b dc=domain,dc=net -d 255
ldap_url_parse_ext(ldaps://ldap.domain.net:1389)
ldap_create
ldap_url_parse_ext(ldaps://ldap.domain.net:1389/??base)
Enter LDAP Password: 
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.domain.net:1389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.24.0.3:1389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
tls_write: want=373, written=373
  0000:  16 03 01 01 70 01 00 01  6c 03 03 7f 8b 19 56 1d   ....p...l.....V.  
  0010:  89 aa 4e f2 1a b7 48 37  81 c6 69 cd 2d 7a f3 62   ..N...H7..i.-z.b  
  0020:  2e 41 e2 93 fa 3b 49 73  df d4 99 20 7b 53 a1 d9   .A...;Is... {S..  
  0030:  8a 7e 83 59 c6 71 c2 26  c1 fb 67 60 d1 ed ea 90   .~.Y.q.&..g`....  
  0040:  2c a4 cb 44 c8 f7 60 2c  9e bc 67 26 00 3a 13 02   ,..D..`,..g&.:..  
  0050:  13 03 13 01 13 04 c0 2c  cc a9 c0 ad c0 0a c0 2b   .......,.......+  
  0060:  c0 ac c0 09 c0 30 cc a8  c0 14 c0 2f c0 13 00 9d   .....0...../....  
  0070:  c0 9d 00 35 00 9c c0 9c  00 2f 00 9f cc aa c0 9f   ...5...../......  
  0080:  00 39 00 9e c0 9e 00 33  01 00 00 e9 00 05 00 05   .9.....3........  
  0090:  01 00 00 00 00 00 0a 00  16 00 14 00 17 00 18 00   ................  
  00a0:  19 00 1d 00 1e 01 00 01  01 01 02 01 03 01 04 00   ................  
  00b0:  0b 00 02 01 00 00 0d 00  22 00 20 04 01 08 09 08   ........". .....  
  00c0:  04 04 03 08 07 05 01 08  0a 08 05 05 03 08 08 06   ................  
  00d0:  01 08 0b 08 06 06 03 02  01 02 03 00 16 00 00 00   ................  
  00e0:  17 00 00 00 23 00 00 00  33 00 6b 00 69 00 17 00   ....#...3.k.i...  
  00f0:  41 04 6c b3 12 93 2e 23  7e 5b d8 3b f2 d4 ee 76   A.l....#~[.;...v  
  0100:  47 36 f3 06 b3 9c a6 6e  f7 1b c1 8d d8 2c c2 f9   G6.....n.....,..  
  0110:  fa b6 3b 51 bb 12 fa 6b  0f ce b4 b9 c4 91 e5 05   ..;Q...k........  
  0120:  b3 24 97 e6 c8 ba 3d 4c  8c 06 de 38 e7 2d f5 07   .$....=L...8.-..  
  0130:  88 2e 00 1d 00 20 80 69  1c 12 65 20 56 c4 3b 6e   ..... .i..e V.;n  
  0140:  bf 3d 76 7f c8 73 5f cc  3f 61 7b 1a 60 86 60 f0   .=v..s_.?a{.`.`.  
  0150:  69 e6 0e a0 1e 07 00 2b  00 09 08 03 04 03 03 03   i......+........  
  0160:  02 03 01 ff 01 00 01 00  00 2d 00 03 02 01 00 00   .........-......  
  0170:  1c 00 02 40 01                                     ...@.             
tls_read: want=5, got=0

TLS: can't connect: The TLS connection was non-properly terminated..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

As expected, the TLS handshake is not succeeding, while there is indeed a successful connection to the TLS socket (a bitnami/openldap container running with TLS).
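A way to read the -d 255 trace above, added here as an example and not taken from the thread or from the Bitnami project: the script rebuilds the tls_write hex dump into bytes, decodes the TLS ClientHello it contains, and lists what the client offered (cipher suite count, TLS versions, extensions, and whether a server_name/SNI extension is present). It then interprets the "tls_read: want=5, got=0" line that follows: the peer closed the connection without sending a ServerHello, so no server certificate ever reached the client and client-side CA trust cannot be what failed. The hex dump is copied from the comment above; the parser, the diagnose() helper and its wording are assumptions of this example.

```python
import re
import struct

# Hex dump copied verbatim from the ldapsearch -d 255 trace in the comment above.
TRACE = """\
  0000:  16 03 01 01 70 01 00 01  6c 03 03 7f 8b 19 56 1d   ....p...l.....V.
  0010:  89 aa 4e f2 1a b7 48 37  81 c6 69 cd 2d 7a f3 62   ..N...H7..i.-z.b
  0020:  2e 41 e2 93 fa 3b 49 73  df d4 99 20 7b 53 a1 d9   .A...;Is... {S..
  0030:  8a 7e 83 59 c6 71 c2 26  c1 fb 67 60 d1 ed ea 90   .~.Y.q.&..g`....
  0040:  2c a4 cb 44 c8 f7 60 2c  9e bc 67 26 00 3a 13 02   ,..D..`,..g&.:..
  0050:  13 03 13 01 13 04 c0 2c  cc a9 c0 ad c0 0a c0 2b   .......,.......+
  0060:  c0 ac c0 09 c0 30 cc a8  c0 14 c0 2f c0 13 00 9d   .....0...../....
  0070:  c0 9d 00 35 00 9c c0 9c  00 2f 00 9f cc aa c0 9f   ...5...../......
  0080:  00 39 00 9e c0 9e 00 33  01 00 00 e9 00 05 00 05   .9.....3........
  0090:  01 00 00 00 00 00 0a 00  16 00 14 00 17 00 18 00   ................
  00a0:  19 00 1d 00 1e 01 00 01  01 01 02 01 03 01 04 00   ................
  00b0:  0b 00 02 01 00 00 0d 00  22 00 20 04 01 08 09 08   ........". .....
  00c0:  04 04 03 08 07 05 01 08  0a 08 05 05 03 08 08 06   ................
  00d0:  01 08 0b 08 06 06 03 02  01 02 03 00 16 00 00 00   ................
  00e0:  17 00 00 00 23 00 00 00  33 00 6b 00 69 00 17 00   ....#...3.k.i...
  00f0:  41 04 6c b3 12 93 2e 23  7e 5b d8 3b f2 d4 ee 76   A.l....#~[.;...v
  0100:  47 36 f3 06 b3 9c a6 6e  f7 1b c1 8d d8 2c c2 f9   G6.....n.....,..
  0110:  fa b6 3b 51 bb 12 fa 6b  0f ce b4 b9 c4 91 e5 05   ..;Q...k........
  0120:  b3 24 97 e6 c8 ba 3d 4c  8c 06 de 38 e7 2d f5 07   .$....=L...8.-..
  0130:  88 2e 00 1d 00 20 80 69  1c 12 65 20 56 c4 3b 6e   ..... .i..e V.;n
  0140:  bf 3d 76 7f c8 73 5f cc  3f 61 7b 1a 60 86 60 f0   .=v..s_.?a{.`.`.
  0150:  69 e6 0e a0 1e 07 00 2b  00 09 08 03 04 03 03 03   i......+........
  0160:  02 03 01 ff 01 00 01 00  00 2d 00 03 02 01 00 00   .........-......
  0170:  1c 00 02 40 01                                     ...@.
"""

# IANA TLS extension type names, only the subset needed to label this trace.
EXT_NAMES = {0: "server_name", 5: "status_request", 10: "supported_groups",
             11: "ec_point_formats", 13: "signature_algorithms", 22: "encrypt_then_mac",
             23: "extended_master_secret", 28: "record_size_limit", 35: "session_ticket",
             43: "supported_versions", 45: "psk_key_exchange_modes", 51: "key_share",
             65281: "renegotiation_info"}


def parse_hexdump(text):
    """Rebuild raw bytes from 'offset:  xx xx ...   ascii' lines; the ASCII column is dropped."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*[0-9a-fA-F]+:\s+(.*)$", line)
        if m:
            hex_part = re.split(r" {3,}", m.group(1).strip(), maxsplit=1)[0]
            out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def _u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_client_hello(data):
    """Decode a TLS handshake record carrying a ClientHello (RFC 8446, section 4.1.2)."""
    content_type, record_version, _record_len = struct.unpack("!BHH", data[:5])
    if content_type != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hello = data[9:9 + int.from_bytes(data[6:9], "big")]
    client_version = _u16(hello, 0)
    pos = 2 + 32                          # skip legacy_version and random
    pos += 1 + hello[pos]                 # skip legacy_session_id
    cs_len = _u16(hello, pos); pos += 2
    cipher_suites = [_u16(hello, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                 # skip legacy_compression_methods
    end = pos + 2 + _u16(hello, pos); pos += 2
    extensions, server_name, supported_versions = [], None, []
    while pos + 4 <= end:
        ext_type, ext_len = _u16(hello, pos), _u16(hello, pos + 2)
        body = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        extensions.append(ext_type)
        if ext_type == 0:                 # server_name: list_len(2) name_type(1) name_len(2) name
            server_name = body[5:5 + _u16(body, 3)].decode("ascii")
        elif ext_type == 43:              # supported_versions: len(1) then 2-byte versions
            supported_versions = [_u16(body, i) for i in range(1, 1 + body[0], 2)]
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": cipher_suites, "extensions": extensions,
            "server_name": server_name, "supported_versions": supported_versions}


def diagnose(hello, got):
    """Interpret the trace; 'got' is the byte count from the first tls_read line."""
    notes = []
    if got == 0:
        notes.append("peer closed the connection before sending a ServerHello, so no server "
                     "certificate was ever received; client-side CA trust cannot be what failed")
    if hello["server_name"] is None:
        notes.append("ClientHello carries no server_name (SNI) extension; a proxy that routes "
                     "TLS by SNI has nothing to select a backend or certificate with")
    return notes


if __name__ == "__main__":
    hello = parse_client_hello(parse_hexdump(TRACE))
    print("extensions:", [EXT_NAMES.get(t, hex(t)) for t in hello["extensions"]])
    print("SNI:", hello["server_name"], "versions:", [hex(v) for v in hello["supported_versions"]])
    for note in diagnose(hello, got=0):   # "tls_read: want=5, got=0" in the trace
        print("-", note)
```

Run it as-is to see the decoded ClientHello from the trace; to read a different trace, paste the tls_write dump into TRACE and set got to the value from the matching tls_read line. A non-zero got with the same error would instead point at the client side (for example the CA question raised earlier in the thread), because the server did answer and the client then refused what it received.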

w4rell commented 1 year ago

Hi, no, I'm using an openldap bitnami image for this job, behind a traefik which provides certificates through Let's Encrypt.

Matomo logs are useless because they say exactly the same thing. Here it's an OS issue.

To replicate, I can give you my docker compose so you can create the same LDAPS setup as mine and try the command I wrote earlier. On your computer it'll work, but not on the container image.

Thanks for your help.


aoterolorenzo commented 1 year ago

Sure, you can provide the composed scenario to try to replicate the issue.

Also, executing ldapsearch with the -d 255 flag to increase the log level would return a little more information to check whether it is also a handshake error in your case.

I understand that the Let's Encrypt CA is included in the Linux ca-certificates package?

github-actions[bot] commented 1 year ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] commented 1 year ago

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.