docker-library / httpd

Docker Official Image packaging for Apache HTTP Server
https://httpd.apache.org
Apache License 2.0
310 stars, 345 forks

Failed to access LDAP server over TLS #209

Closed YasuhiroABE closed 2 years ago

YasuhiroABE commented 2 years ago

Abstract

My container based on version 2.4.51 failed to access our LDAP server via ldaps with the following error_log:

[Mon Dec 13 07:08:02.404750 2021] [authnz_ldap:info] [pid 8:tid 139901152511744] [client 192.168.100.4:52618] AH01695: auth_ldap authenticate: user user01 authentication failed; URI /secret/ [LDAP: ldap_simple_bind() failed][Can't contact LDAP server], referer: http://192.168.1.25:8080/

Versions before 2.4.50 don't have the issue, as the libldap-common package was installed.

Root cause

The missing /etc/ldap/ldap.conf file means the "TLS_CACERT /etc/ssl/certs/ca-certificates.crt" configuration is also missing. Because of this, the server cannot connect using an ldaps:// URL.

Conclusion

Is this an intended change in 2.4.51 or later?

wglambert commented 2 years ago

Interesting... not sure why libldap-common isn't in 2.4.51; the Dockerfile difference is just the version change https://github.com/docker-library/official-images/pull/11057

The Dockerfile installs libaprutil1-ldap which has libldap as a dependency, which then has libldap-common as its dependency.

$ docker run -it --rm httpd:2.4.51 bash
root@e6828c8b35ed:/usr/local/apache2# apt search libaprutil1-ldap
Sorting... Done
Full Text Search... Done
libaprutil1-ldap/now 1.6.1-5 amd64 [installed,local]
  Apache Portable Runtime Utility Library - LDAP Driver

root@e6828c8b35ed:/usr/local/apache2# apt search libldap
Sorting... Done
Full Text Search... Done
libldap-2.4-2/now 2.4.57+dfsg-3 amd64 [installed,local]
  OpenLDAP libraries

root@e6828c8b35ed:/usr/local/apache2# apt search libldap-common
Sorting... Done
Full Text Search... Done

What 2.4.50 shows

$ docker run -it --rm httpd:2.4.50 bash
root@e8cbf9179ea8:/usr/local/apache2# apt search libaprutil1-ldap
Sorting... Done
Full Text Search... Done
libaprutil1-ldap/now 1.6.1-4 amd64 [installed,local]
  Apache Portable Runtime Utility Library - LDAP Driver

root@e8cbf9179ea8:/usr/local/apache2# apt search libldap
Sorting... Done
Full Text Search... Done
libldap-2.4-2/now 2.4.47+dfsg-3+deb10u6 amd64 [installed,local]
  OpenLDAP libraries

libldap-common/now 2.4.47+dfsg-3+deb10u6 all [installed,local]
  OpenLDAP common files for libraries

tianon commented 2 years ago

This is very similar to https://github.com/docker-library/php/issues/1228 -- the difference (and the thing that caused the breakage) is that in Debian Bullseye, libldap-common is only in Recommends instead of Depends, so it no longer gets installed automatically (thanks to our overuse of --no-install-recommends).

In this case, it's core functionality being broken, so IMO we should probably add it persistently (perhaps with a link to this thread so we can more easily remember/chase down why we added it).

YasuhiroABE commented 2 years ago

Thank you for your prompt action!
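As an added example (not code from the docker-library/httpd image or from anyone in this thread), here is a small POSIX sh check for the condition the issue and tianon's comment describe: whether the OpenLDAP client configuration that libldap-common provides is present, and whether the CA bundle it names actually exists. The paths are assumptions (the Debian defaults named above), and the ldap.conf variants it exercises are constructed fixtures, not output captured from the image.

```shell
#!/bin/sh
# Added example, not code from the docker-library/httpd image or this issue.
# libldap-common ships /etc/ldap/ldap.conf containing
# "TLS_CACERT /etc/ssl/certs/ca-certificates.crt"; without that file libldap
# has no CA to verify an ldaps:// server against, and the bind fails with
# "Can't contact LDAP server". Paths are assumptions (Debian defaults); the
# fixtures below are constructed, not captured from the image.

# check_ldap_tls_conf CONF
# Exit status: 0 every CA path named in CONF exists
#              1 CONF itself is missing (the 2.4.51 symptom)
#              2 CONF names a CA file/dir that does not exist
#              3 CONF sets neither TLS_CACERT nor TLS_CACERTDIR
check_ldap_tls_conf() {
    conf=$1
    if [ ! -f "$conf" ]; then
        echo "MISSING: $conf (libldap-common not installed? on bullseye it is only Recommended by libldap, so --no-install-recommends skips it)" >&2
        return 1
    fi
    # Drop comments and keep TLS_CACERT / TLS_CACERTDIR lines. Directive names
    # are case-insensitive in ldap.conf, paths are not, so only $1 is upper-cased.
    entries=$(sed 's/#.*//' "$conf" |
        awk '{ d = toupper($1) } d == "TLS_CACERT" || d == "TLS_CACERTDIR" { print d "=" $2 }')
    if [ -z "$entries" ]; then
        echo "NO_CA: $conf sets neither TLS_CACERT nor TLS_CACERTDIR" >&2
        return 3
    fi
    rc=0
    for e in $entries; do
        d=${e%%=*}
        p=${e#*=}
        if [ "$d" = TLS_CACERT ] && [ -f "$p" ]; then
            echo "OK: $d $p"
        elif [ "$d" = TLS_CACERTDIR ] && [ -d "$p" ]; then
            echo "OK: $d $p"
        else
            echo "BAD: $d '$p' does not exist" >&2
            rc=2
        fi
    done
    return $rc
}

# make_fixtures DIR
# Constructed ldap.conf variants under DIR so the check can be exercised offline.
make_fixtures() {
    dir=$1
    mkdir -p "$dir/good" "$dir/bad" "$dir/nocert" "$dir/missing"
    # Placeholder standing in for /etc/ssl/certs/ca-certificates.crt; the check
    # only tests that the file exists, so no real PEM data is needed.
    echo "# constructed placeholder CA bundle" > "$dir/ca-certificates.crt"
    printf '# constructed: what libldap-common installs\nBASE dc=example,dc=com\nTLS_CACERT %s\n' \
        "$dir/ca-certificates.crt" > "$dir/good/ldap.conf"
    printf 'tls_cacert %s\n' "$dir/does-not-exist.crt" > "$dir/bad/ldap.conf"
    printf 'BASE dc=example,dc=com\n# TLS_CACERT commented out\n' > "$dir/nocert/ldap.conf"
    # $dir/missing/ldap.conf is deliberately never created.
}

# Stand-alone demo over the constructed fixtures.
demo_dir=$(mktemp -d)
make_fixtures "$demo_dir"
for v in good bad nocert missing; do
    check_ldap_tls_conf "$demo_dir/$v/ldap.conf"
    echo "$v -> exit $?"
done
rm -rf "$demo_dir"
```

Inside an affected container the same function can be pointed at the real path (`check_ldap_tls_conf /etc/ldap/ldap.conf`), which reports MISSING on an image where libldap-common was skipped. The fix tianon proposes is to list libldap-common explicitly next to libaprutil1-ldap in the Dockerfile's apt-get install line, since --no-install-recommends will not pull it in on bullseye; if you would rather keep the image minimal, mod_ldap can be pointed at the bundle directly with `LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ca-certificates.crt` in httpd.conf, which does not depend on /etc/ldap/ldap.conf at all.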