LDAP works but after 5 minutes queries throw "The LDAP server is unavailable "

[mrhockeymonkey]

Description

I am trying to use the Microsoft.AspNetCore.Authentication.Negotiate library in an asp.net application that runs on Debian. The setup works perfectly initially but after about 5 minutes any subsequent requests throw

System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
    at System.DirectoryServices.Protocols.LdapConnection.ConstructResponseAsync(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut, Boolean sync)
    at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
    at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request)

This was hard to test locally so I replicated the issue in a background service to test the behavior. What I see is initially a query works, then again after 5 minutes it still works, but then after 6 minutes it throws

2023-08-04 12:55:25.660 [INF] Some.Api.BackgroundServices.LdapBackgroundService : scottm is: CN=Scott Matthews,OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net, waiting 5 mins
2023-08-04 12:55:25.767 [INF] Microsoft.Hosting.Lifetime : Now listening on: http://[::]:5000
2023-08-04 12:55:25.767 [INF] Microsoft.Hosting.Lifetime : Application started. Press Ctrl+C to shut down.
2023-08-04 12:55:25.767 [INF] Microsoft.Hosting.Lifetime : Hosting environment: Development
2023-08-04 12:55:25.767 [INF] Microsoft.Hosting.Lifetime : Content root path: /app
2023-08-04 13:00:25.707 [INF] Some.Api.BackgroundServices.LdapBackgroundService : scottm is: CN=Scott Matthews,OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net, waiting 6 mins
2023-08-04 13:06:25.726 [ERR] Microsoft.Extensions.Hosting.Internal.Host : BackgroundService failed
System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponseAsync(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut, Boolean sync)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request)
   at Some.Api.BackgroundServices.LdapBackgroundService.ExecuteAsync(CancellationToken stoppingToken) in /src/Some.Api/BackgroundServices/LdapBackgroundService.cs:line 36
   at Microsoft.Extensions.Hosting.Internal.Host.TryExecuteBackgroundServiceAsync(BackgroundService backgroundService)

I have tried customizing the LdapConnection with AutoReconnect

ldapConnection.SessionOptions.AutoReconnect = true;

which immediately throws

Unhandled exception. System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.

I also tried setting "connectionless"

new LdapDirectoryIdentifier("dc.domani.net", fullyQualifiedDnsHostName: true, connectionless: true),

which immediately throws

Unhandled exception. System.DirectoryServices.Protocols.LdapException: A bad parameter was passed to a routine.

If someone could fill me in on how I could get this to work for the lifetime of the app I would be grateful, Happy to provide any additional details as required.

Reproduction Steps

using System.DirectoryServices.Protocols;
using System.Net;

namespace Some.Api.BackgroundServices;

public class LdapBackgroundService : BackgroundService
{
    private readonly ILogger<LdapBackgroundService> _logger;

    public LdapBackgroundService(ILogger<LdapBackgroundService> logger)
    {
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
    }
    
    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
    {
        var ldapConnection = new LdapConnection(
            new LdapDirectoryIdentifier("dc.domain.net"),
            //new LdapDirectoryIdentifier("dc.domain.net", fullyQualifiedDnsHostName: true, connectionless: true), // immediately throws:  A bad parameter was passed to a routine
            new NetworkCredential(@"DOMAIN\user", "password"), AuthType.Basic);
        ldapConnection.SessionOptions.ReferralChasing = ReferralChasingOptions.None;
        //ldapConnection.SessionOptions.AutoReconnect = true; // immediately throws: The LDAP server is unavailable.
        
        ldapConnection.Bind();

        var t = TimeSpan.FromMinutes(5);

        while (!stoppingToken.IsCancellationRequested)
        {
            string searchFilter = String.Format("(&(objectClass=user)(SamAccountName={0}))", "scottm");
            string userStore = "OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net";

            SearchRequest searchRequest = new SearchRequest
            (userStore,
                searchFilter,
                System.DirectoryServices.Protocols.SearchScope.Subtree,
                new string[] { "DistinguishedName" });

            var response = (SearchResponse)ldapConnection.SendRequest(searchRequest);
            string userDN = response.Entries[0].Attributes["DistinguishedName"][0].ToString();

            _logger.LogWarning($"scottm is: {userDN}, waiting {t.TotalMinutes} mins");

            
            await Task.Delay(t);
            t = t.Add(TimeSpan.FromMinutes(1));
        }
    }
}

Note this is running in docker on aspnet:7.0-bullseye-slim
with these packages installed

apt-get install -y krb5-user libldap-2.4-2

Expected behavior

The ldap connection should always work for any request coming into asp.net (or in the case of this reproduction for every iteration of the loop)

[INF] Some.Api.BackgroundServices.LdapBackgroundService : scottm is: CN=Scott Matthews,OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net, waiting 5 mins
[INF] Some.Api.BackgroundServices.LdapBackgroundService : scottm is: CN=Scott Matthews,OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net, waiting 6 mins
[INF] Some.Api.BackgroundServices.LdapBackgroundService : scottm is: CN=Scott Matthews,OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net, waiting 7 mins
[INF] Some.Api.BackgroundServices.LdapBackgroundService : scottm is: CN=Scott Matthews,OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net, waiting 8 mins
...
[INF] Some.Api.BackgroundServices.LdapBackgroundService : scottm is: CN=Scott Matthews,OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net, waiting 60 mins

Actual behavior

2023-08-04 12:55:25.660 [INF] Some.Api.BackgroundServices.LdapBackgroundService : scottm is: CN=Scott Matthews,OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net, waiting 5 mins
2023-08-04 12:55:25.767 [INF] Microsoft.Hosting.Lifetime : Now listening on: http://[::]:5000
2023-08-04 12:55:25.767 [INF] Microsoft.Hosting.Lifetime : Application started. Press Ctrl+C to shut down.
2023-08-04 12:55:25.767 [INF] Microsoft.Hosting.Lifetime : Hosting environment: Development
2023-08-04 12:55:25.767 [INF] Microsoft.Hosting.Lifetime : Content root path: /app
2023-08-04 13:00:25.707 [INF] Some.Api.BackgroundServices.LdapBackgroundService : scottm is: CN=Scott Matthews,OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net, waiting 6 mins
2023-08-04 13:06:25.726 [ERR] Microsoft.Extensions.Hosting.Internal.Host : BackgroundService failed
System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponseAsync(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut, Boolean sync)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request)
   at Some.Api.BackgroundServices.LdapBackgroundService.ExecuteAsync(CancellationToken stoppingToken) in /src/Some.Api/BackgroundServices/LdapBackgroundService.cs:line 36
   at Microsoft.Extensions.Hosting.Internal.Host.TryExecuteBackgroundServiceAsync(BackgroundService backgroundService)

Regression?

No response

Known Workarounds

No response

Configuration

#cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian

#  dotnet --list-runtimes
Microsoft.AspNetCore.App 7.0.3 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 7.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]

Other information

Similar issues here was closed due to inactivity dotnet/aspnetcore#49105

[ghost]

Tagging subscribers to this area: @dotnet/area-system-directoryservices, @jay98014
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

I am trying to use the Microsoft.AspNetCore.Authentication.Negotiate library in an asp.net application that runs on Debian. The setup works perfectly initially but after about 5 minutes any subsequent requests throw

System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
    at System.DirectoryServices.Protocols.LdapConnection.ConstructResponseAsync(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut, Boolean sync)
    at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
    at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request)

This was hard to test locally so I replicated the issue in a background service to test the behavior. What I see is initially a query works, then again after 5 minutes it still works, but then after 6 minutes it throws

2023-08-04 12:55:25.660 [INF] Some.Api.BackgroundServices.LdapBackgroundService : scottm is: CN=Scott Matthews,OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net, waiting 5 mins
2023-08-04 12:55:25.767 [INF] Microsoft.Hosting.Lifetime : Now listening on: http://[::]:5000
2023-08-04 12:55:25.767 [INF] Microsoft.Hosting.Lifetime : Application started. Press Ctrl+C to shut down.
2023-08-04 12:55:25.767 [INF] Microsoft.Hosting.Lifetime : Hosting environment: Development
2023-08-04 12:55:25.767 [INF] Microsoft.Hosting.Lifetime : Content root path: /app
2023-08-04 13:00:25.707 [INF] Some.Api.BackgroundServices.LdapBackgroundService : scottm is: CN=Scott Matthews,OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net, waiting 6 mins
2023-08-04 13:06:25.726 [ERR] Microsoft.Extensions.Hosting.Internal.Host : BackgroundService failed
System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponseAsync(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut, Boolean sync)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request)
   at Some.Api.BackgroundServices.LdapBackgroundService.ExecuteAsync(CancellationToken stoppingToken) in /src/Some.Api/BackgroundServices/LdapBackgroundService.cs:line 36
   at Microsoft.Extensions.Hosting.Internal.Host.TryExecuteBackgroundServiceAsync(BackgroundService backgroundService)

I have tried customizing the LdapConnection with AutoReconnect

ldapConnection.SessionOptions.AutoReconnect = true;

which immediately throws

Unhandled exception. System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.

I also tried setting "connectionless"

new LdapDirectoryIdentifier("dc.domani.net", fullyQualifiedDnsHostName: true, connectionless: true),

which immediately throws

Unhandled exception. System.DirectoryServices.Protocols.LdapException: A bad parameter was passed to a routine.

If someone could fill me in on how I could get this to work for the lifetime of the app I would be grateful, Happy to provide any additional details as required.

Reproduction Steps

using System.DirectoryServices.Protocols;
using System.Net;

namespace Some.Api.BackgroundServices;

public class LdapBackgroundService : BackgroundService
{
    private readonly ILogger<LdapBackgroundService> _logger;

    public LdapBackgroundService(ILogger<LdapBackgroundService> logger)
    {
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
    }
    
    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
    {
        var ldapConnection = new LdapConnection(
            new LdapDirectoryIdentifier("dc.domain.net"),
            //new LdapDirectoryIdentifier("dc.domain.net", fullyQualifiedDnsHostName: true, connectionless: true), // immediately throws:  A bad parameter was passed to a routine
            new NetworkCredential(@"DOMAIN\user", "password"), AuthType.Basic);
        ldapConnection.SessionOptions.ReferralChasing = ReferralChasingOptions.None;
        //ldapConnection.SessionOptions.AutoReconnect = true; // immediately throws: The LDAP server is unavailable.
        
        ldapConnection.Bind();

        var t = TimeSpan.FromMinutes(5);

        while (!stoppingToken.IsCancellationRequested)
        {
            string searchFilter = String.Format("(&(objectClass=user)(SamAccountName={0}))", "scottm");
            string userStore = "OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net";

            SearchRequest searchRequest = new SearchRequest
            (userStore,
                searchFilter,
                System.DirectoryServices.Protocols.SearchScope.Subtree,
                new string[] { "DistinguishedName" });

            var response = (SearchResponse)ldapConnection.SendRequest(searchRequest);
            string userDN = response.Entries[0].Attributes["DistinguishedName"][0].ToString();

            _logger.LogWarning($"scottm is: {userDN}, waiting {t.TotalMinutes} mins");

            
            await Task.Delay(t);
            t = t.Add(TimeSpan.FromMinutes(1));
        }
    }
}

Note this is running in docker on aspnet:7.0-bullseye-slim
with these packages installed

apt-get install -y krb5-user libldap-2.4-2

Expected behavior

The ldap connection should always work for any request coming into asp.net (or in the case of this reproduction for every iteration of the loop)

[INF] Some.Api.BackgroundServices.LdapBackgroundService : scottm is: CN=Scott Matthews,OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net, waiting 5 mins
[INF] Some.Api.BackgroundServices.LdapBackgroundService : scottm is: CN=Scott Matthews,OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net, waiting 6 mins
[INF] Some.Api.BackgroundServices.LdapBackgroundService : scottm is: CN=Scott Matthews,OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net, waiting 7 mins
[INF] Some.Api.BackgroundServices.LdapBackgroundService : scottm is: CN=Scott Matthews,OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net, waiting 8 mins
...
[INF] Some.Api.BackgroundServices.LdapBackgroundService : scottm is: CN=Scott Matthews,OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net, waiting 60 mins

Actual behavior

2023-08-04 12:55:25.660 [INF] Some.Api.BackgroundServices.LdapBackgroundService : scottm is: CN=Scott Matthews,OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net, waiting 5 mins
2023-08-04 12:55:25.767 [INF] Microsoft.Hosting.Lifetime : Now listening on: http://[::]:5000
2023-08-04 12:55:25.767 [INF] Microsoft.Hosting.Lifetime : Application started. Press Ctrl+C to shut down.
2023-08-04 12:55:25.767 [INF] Microsoft.Hosting.Lifetime : Hosting environment: Development
2023-08-04 12:55:25.767 [INF] Microsoft.Hosting.Lifetime : Content root path: /app
2023-08-04 13:00:25.707 [INF] Some.Api.BackgroundServices.LdapBackgroundService : scottm is: CN=Scott Matthews,OU=ProductionDev,OU=Development,OU=Standard,OU=Users,OU=Root,DC=domain,DC=net, waiting 6 mins
2023-08-04 13:06:25.726 [ERR] Microsoft.Extensions.Hosting.Internal.Host : BackgroundService failed
System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponseAsync(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut, Boolean sync)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request)
   at Some.Api.BackgroundServices.LdapBackgroundService.ExecuteAsync(CancellationToken stoppingToken) in /src/Some.Api/BackgroundServices/LdapBackgroundService.cs:line 36
   at Microsoft.Extensions.Hosting.Internal.Host.TryExecuteBackgroundServiceAsync(BackgroundService backgroundService)

Regression?

No response

Known Workarounds

No response

Configuration

#cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian

#  dotnet --list-runtimes
Microsoft.AspNetCore.App 7.0.3 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 7.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]

Other information

Similar issues here was closed due to inactivity dotnet/aspnetcore#49105

Author:	mrhockeymonkey
Assignees:	-
Labels:	area-System.DirectoryServices
Milestone:	-

[mrhockeymonkey]

Just for context, Here is where Bind is called in the Microsoft.AspNetCore.Authentication.Negotiate library. It will only ever be invoked once which suggests the connection should either persist or recover.

https://github.com/dotnet/aspnetcore/blob/cf12d968eeaba87c9ebbd53e9420f3b016b0ff21/src/Security/Authentication/Negotiate/src/PostConfigureNegotiateOptions.cs#L90C17-L90C17

[steveharter]

Was Debian the only environment this was tested\failed on? Have any others been tried? Trying to narrow down the scope a bit.

[ghost]

This issue has been marked needs-author-action and may be missing some important information.

[mrhockeymonkey]

I just tried the same test on aspnet:7.0-bookworm-slim but it looks like only libldap-2.5-0 is available which results in this error

 Unhandled exception. System.TypeInitializationException: The type initializer for 'Ldap' threw an exception.
  ---> System.DllNotFoundException: Unable to load shared library 'libldap-2.4.so.2' or one of its dependencies. In order to help diagnose loading problems, consider using a tool like strace. If you're using gl
ibc, consider setting the LD_DEBUG environment variable:
 /app/runtimes/linux-x64/native/libldap-2.4.so.2.so: cannot open shared object file: No such file or directory
 /usr/share/dotnet/shared/Microsoft.NETCore.App/7.0.9/libldap-2.4.so.2.so: cannot open shared object file: No such file or directory
 /app/runtimes/linux/lib/net7.0/libldap-2.4.so.2.so: cannot open shared object file: No such file or directory
 /app/runtimes/linux-x64/native/liblibldap-2.4.so.2.so: cannot open shared object file: No such file or directory
 /usr/share/dotnet/shared/Microsoft.NETCore.App/7.0.9/liblibldap-2.4.so.2.so: cannot open shared object file: No such file or directory
 /app/runtimes/linux/lib/net7.0/liblibldap-2.4.so.2.so: cannot open shared object file: No such file or directory
 /app/runtimes/linux-x64/native/libldap-2.4.so.2: cannot open shared object file: No such file or directory
 /usr/share/dotnet/shared/Microsoft.NETCore.App/7.0.9/libldap-2.4.so.2: cannot open shared object file: No such file or directory
 /app/runtimes/linux/lib/net7.0/libldap-2.4.so.2: cannot open shared object file: No such file or directory
 /app/runtimes/linux-x64/native/liblibldap-2.4.so.2: cannot open shared object file: No such file or directory
 /usr/share/dotnet/shared/Microsoft.NETCore.App/7.0.9/liblibldap-2.4.so.2: cannot open shared object file: No such file or directory
 /app/runtimes/linux/lib/net7.0/liblibldap-2.4.so.2: cannot open shared object file: No such file or directory
 
    at Interop.Ldap.<ldap_get_option_int>g____PInvoke|7_0(IntPtr ldapHandle, LdapOption option, Int32* outValue)
    at Interop.Ldap.ldap_get_option_int(IntPtr ldapHandle, LdapOption option, Int32& outValue)
    at Interop.Ldap..cctor()
    --- End of inner exception stack trace ---

This I imagine is expected. I will see If I can make a Dockerfile for another distro

[mrhockeymonkey]

Looking in to building on alpine it seems that the only docker images available wont be able to install the required version of ldap. only 2.6+ is available

https://pkgs.alpinelinux.org/packages?name=libldap&branch=v3.17&repo=&arch=&maintainer=

likewise with ubuntu only 2.5-0 is available

# apt-cache madison libldap-2.5-0
libldap-2.5-0 | 2.5.15+dfsg-0ubuntu0.22.04.1 | https://repo jammy-updates/main amd64 Packages
libldap-2.5-0 | 2.5.11+dfsg-1~exp1ubuntu3 | https://repo jammy/main amd64 Packages
# apt-cache madison libldap-2.4-2
#

[buyaa-n]

I just tried the same test on aspnet:7.0-bookworm-slim but it looks like only libldap-2.5-0 is available which results in this error

@mrhockeymonkey looks your issue is related to #69456 which we resolved recently, the fix will be shipped in .NET 8, there is also workarounds you can find from the issue.

Closing this issue as dup of #69456

[mrhockeymonkey]

Well that version issue isn't the issue I originally raised... that was just some related test to narrow down the problem.

But I am happy to wait for a .NET 8 docker image and try my original problem (connection timing out and not being re-established) out again to see what happens. I can always reopen this is the issue persists.

[buyaa-n]

The original issue you raised doesn't look like directly related to runtime, thanks for narrowing down the problem. Yes, please reopen the issue or file a new issue with your findings if #69456 did not fix your original issue.