
System.DirectoryServices.Protocols.LdapConnection Methods in .NET 6 Linux #77634

Closed
umerkle opened this issue Oct 29, 2022 · 9 comments
Labels
area-System.DirectoryServices needs-further-triage Issue has been initially triaged, but needs deeper consideration or reconsideration

Comments


umerkle commented Oct 29, 2022

Description

Hi!
I'm trying to establish a connection to an OpenLDAP server.
When I run my app locally on Windows, it connects fine on port 636 (SSL).
But when I run it in Linux (Docker image: mcr.microsoft.com/dotnet/aspnet:6.0), I get the following error:

System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable

When I try to return true on VerifyServerCertificate, I get the same error, but without any reaction on the LDAP server. If I remove that line and let it check the certificate, I also get the message. On the LDAP server I see a successful attempt to initiate a TLS session.

I also tried to use the Novell.Directory.Ldap.NETStandard package. But then I have the problem of not being able to get more than 1000 records.

Reproduction Steps

Setup an ASP.Net 6 Web API

Add the following packages:

Try to connect to your LDAP Server (OpenLDAP) with:

```csharp
using System.DirectoryServices.Protocols;
using System.Net;

// ldapHost, port, user and password are supplied by the caller.
var server = new LdapDirectoryIdentifier(ldapHost, port);
var credentials = new NetworkCredential(user, password);

var con = new LdapConnection(server);
if (port == 636)
{
    con.SessionOptions.ProtocolVersion = 3;
    con.SessionOptions.SecureSocketLayer = true;   // LDAPS on 636, not StartTLS
    // Accepts any server certificate; added only to rule out a rejected
    // certificate as the cause (see the note below).
    con.SessionOptions.VerifyServerCertificate += delegate { return true; };
}
con.AuthType = AuthType.Basic;
con.Bind(credentials);
```

Note: I tried to return true on VerifyServerCertificate because I suspected the certificate to be not accepted. Works fine under Windows, but not in Linux.

Build the API with

```
dotnet publish -c Release -o alpine-publish -r linux-x64 --self-contained true -p:PublishTrimmed=true -p:PublishSingleFile=true
```

Build the container with this Dockerfile

```dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
WORKDIR /app
EXPOSE 5001
EXPOSE 5000

ENV ASPNETCORE_URLS=http://+:5001

# Install the OpenLDAP client library that System.DirectoryServices.Protocols loads on Linux
RUN apt-get update \
    && apt-get install -y --no-install-recommends libldap-2.4-2 \
    && apt-get install -y --no-install-recommends libldap-common \
    && rm -rf /var/lib/apt/lists/*

# Creates a non-root user with an explicit UID and adds permission to access the /app folder
# For more info, please refer to https://aka.ms/vscode-docker-dotnet-configure-containers
RUN adduser -u 5678 --disabled-password --gecos "" appuser && chown -R appuser /app
USER appuser

COPY "./alpine-publish/" /app/

ENTRYPOINT ["./Ldap.Adapter.Backend.Service"]
```

Expected behavior

Successful connection to the server

Actual behavior

On trying to Bind, I get:

```
Error: System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
   at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential , Boolean )
   at System.DirectoryServices.Protocols.LdapConnection.Bind(NetworkCredential )
```

Regression?

No response

Known Workarounds

No response

Configuration

Version of .NET 6 (from docker image mcr.microsoft.com/dotnet/aspnet:6.0)
Architecture x64

Other information

No response

@ghost ghost added the untriaged New issue has not been triaged by the area owner label Oct 29, 2022

ghost commented Oct 29, 2022

Tagging subscribers to this area: @dotnet/area-system-directoryservices, @jay98014
See info in area-owners.md if you want to be subscribed.


hangy (Contributor) commented Oct 29, 2022

This might be the same as #60972

umerkle (Author) commented Oct 29, 2022

@hangy
Yes, it looks a bit like that one.
But there, a solution was to use version 5.0.0.
That didn't work for me.
With that, I had errors about an OpenLDAP library missing.
After providing that library, there were errors about SSL options not being supported.

umerkle (Author) commented Oct 30, 2022

Additional info from the OpenLDAP console:

```
635e2b7c conn=1001 fd=12 ACCEPT from IP=172.24.0.3:34332 (IP=0.0.0.0:636)
635e2b7c conn=1001 fd=12 TLS established tls_ssf=256 ssf=256
635e2b7c conn=1001 fd=12 closed (connection lost)
```

umerkle (Author) commented Oct 30, 2022

Tried to run it in my WSL2 Ubuntu (22.04). But here it is not possible to install libldap-2.4.so.2.
And if I install libldap without a version, it installs libldap-2.5.so.2, which seems not to be recognized. It still complains about not finding libldap-2.4.so.2.

joperezr (Member) commented
@umerkle thank you for logging the issue. If the problem is as you mention that you don't have libldap 2.4 installed, then this would be a dupe of #69456. We are using that issue to track the work of fixing and adding support for newer versions of libldap. In the meantime, can you please try to see if the workaround listed there works for you? If so, we can close this as a dupe.

More specifically, the workaround proposed in that issue is to run:

```
ubuntu@w-ubuntu-2:~$ sudo ln -s /usr/lib/x86_64-linux-gnu/libldap-2.5.so.0 /usr/lib/x86_64-linux-gnu/libldap-2.4.so.2

ubuntu@w-ubuntu-2:/usr/lib/x86_64-linux-gnu$ ll | grep ldap
lrwxrwxrwx  1 root root       42 May 17 15:29 libldap-2.4.so.2 -> /usr/lib/x86_64-linux-gnu/libldap-2.5.so.0
lrwxrwxrwx  1 root root       20 Feb 16 12:15 libldap-2.5.so.0 -> libldap-2.5.so.0.1.6
-rw-r--r--  1 root root   376576 Feb 16 12:15 libldap-2.5.so.0.1.6
```

This essentially creates a symbolic link for the library so that when someone requests the 2.4 version, 2.5 will be used instead. It is not a pretty workaround (hence we want to fix that going forward by actually adding support for newer versions) but it should do the trick and unblock you. Let us know if that works so we can close this issue as a dupe.
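The soname check and the symlink workaround from this thread, as a small POSIX shell script; this is an added example, not code from the issue or from dotnet/runtime. It assumes the library directory is passed as an argument (on Debian/Ubuntu x64 that is `/usr/lib/x86_64-linux-gnu`, as in the listing above) and that the wanted soname is `libldap-2.4.so.2`, the one the thread reports as missing.

```shell
#!/bin/sh
# Added example: report whether the libldap soname that
# System.DirectoryServices.Protocols expects on Linux resolves in a
# library directory, and if not, point it at the newest libldap-2.x the
# distribution ships (the symlink workaround discussed in the thread).
# WANTED defaults to the soname named in the issue; override via env.
WANTED="${WANTED:-libldap-2.4.so.2}"

# Print the path of the newest libldap-2.*.so.* in $1, excluding the
# wanted soname itself (which may be a dangling link); empty if none.
newest_libldap() {
  ls -1 "$1"/libldap-2.*.so.* 2>/dev/null \
    | grep -v "/$WANTED\$" \
    | sort -V | tail -n 1
}

# Status of the wanted soname in $1:
#   ok        -> resolves to an existing file (nothing to do)
#   dangling  -> a link exists but its target is gone
#   missing   -> nothing by that name (the situation in this issue)
ldap_status() {
  p="$1/$WANTED"
  if [ -e "$p" ]; then echo ok
  elif [ -L "$p" ]; then echo dangling
  else echo missing
  fi
}

# Create (or repair) the compatibility symlink in $1 and print the
# target chosen. Returns 1 when no libldap-2.x candidate is present,
# so the caller knows the package itself still has to be installed.
link_libldap() {
  dir="$1"
  target=$(newest_libldap "$dir")
  if [ -z "$target" ]; then
    echo "no libldap-2.x library found in $dir" >&2
    return 1
  fi
  ln -sfn "$target" "$dir/$WANTED"
  echo "$target"
}
```

Run `ldap_status /usr/lib/x86_64-linux-gnu` first; only when it prints `missing` or `dangling` is `link_libldap` (as root, or in a Dockerfile `RUN` step) needed.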

@joperezr joperezr added the needs-author-action An issue or pull request that requires more info or actions from the author. label Oct 31, 2022
ghost commented Oct 31, 2022

This issue has been marked needs-author-action and may be missing some important information.

@ghost ghost removed the untriaged New issue has not been triaged by the area owner label Oct 31, 2022
umerkle (Author) commented Nov 4, 2022

@joperezr
Sorry for the late answer. I was totally down the rabbit hole on this.
I didn't try with libldap 2.5 anymore.
I switched back to the Novell LDAP package and brought that to a stage I can work with.

@ghost ghost added needs-further-triage Issue has been initially triaged, but needs deeper consideration or reconsideration and removed needs-author-action An issue or pull request that requires more info or actions from the author. labels Nov 4, 2022
joperezr (Member) commented Nov 4, 2022

Ok, I'll go ahead and close this issue as a dupe then. If you want to try DirectoryServices, we have validated that the above workaround works, and we do have that issue I pointed out currently tracked for 8.0 so hopefully that will be addressed in the near future.

@joperezr joperezr closed this as not planned Won't fix, can't repro, duplicate, stale Nov 4, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Dec 5, 2022