Description
On macOS Sonoma 14.5 (23F79) and Docker Debian mcr.microsoft.com/dotnet/aspnet:8.0-bookworm-slim I cannot connect to our Active Directory with System.DirectoryServices.Protocols 8.0.0. I get an exception when calling StartTransportLayerSecurity(null). It works as soon as I use version 7.0.1 instead of 8.0.0.
Reproduction Steps
macOS
macOS Sonoma 14.5 (23F79)
- AD server with StartTLS on port 389
- Reference the System.DirectoryServices.Protocols package in version 8.0.0 in your project
- Execute code:
```csharp
using System.Net;
using System.DirectoryServices.Protocols;

// Cleartext LDAP on port 389, upgraded with StartTLS before the credentials are sent
LdapDirectoryIdentifier ldi = new LdapDirectoryIdentifier(host, port);
LdapConnection cn = new LdapConnection(ldi);
cn.Credential = new NetworkCredential(userDn, plainPassword);
cn.AuthType = AuthType.Basic;                        // simple bind, so it must only happen after StartTLS
cn.SessionOptions.ProtocolVersion = 3;               // StartTLS is an LDAPv3 extended operation
cn.SessionOptions.StartTransportLayerSecurity(null); // throws LdapException with 8.0.0, works with 7.0.1
cn.Bind();
```
Docker
- AD server with StartTLS on port 389
- Reference the System.DirectoryServices.Protocols package in version 8.0.0 in your project
- Implement code in the project:
```csharp
using System.Net;
using System.DirectoryServices.Protocols;

// Same connection code as on macOS, running inside the aspnet:8.0-bookworm-slim image
LdapDirectoryIdentifier ldi = new LdapDirectoryIdentifier(host, port);
LdapConnection cn = new LdapConnection(ldi);
cn.Credential = new NetworkCredential(userDn, plainPassword);
cn.AuthType = AuthType.Basic;                        // simple bind, so it must only happen after StartTLS
cn.SessionOptions.ProtocolVersion = 3;               // StartTLS is an LDAPv3 extended operation
cn.SessionOptions.StartTransportLayerSecurity(null); // throws LdapException with 8.0.0, works with 7.0.1
cn.Bind();
```
- Build a Docker image:

```dockerfile
FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0-bookworm-slim AS build
ARG TARGETARCH
WORKDIR /build
# Copy project files and restore
COPY *.sln ./
COPY Directory.Packages.props ./
COPY src/ExampleApp.Web.Host/*.csproj ./src/ExampleApp.Web.Host/
# ... more csproj files
RUN dotnet restore -r linux-x64 -p:TargetFramework=net8.0
COPY --link . ./
WORKDIR /build/src/ExampleApp.Web.Host/
RUN dotnet publish -c Release -r linux-x64 -o /publish /p:Version=$(date +"%Y.%m.%d") --no-restore

#
# Runtime stage
#
FROM mcr.microsoft.com/dotnet/aspnet:8.0-bookworm-slim
EXPOSE 10001
WORKDIR /app
COPY --link --from=build /publish .

# install new libldap
RUN apt update \
    && apt install --upgrade -y libldap-2.5-0 \
    && apt install nano vim -y \
    && apt clean \
    && rm -rf /var/lib/apt/lists/

# not necessary for .net v8
# ad/ldap library link issue - https://github.com/dotnet/runtime/discussions/98990
# RUN ln -s /usr/lib/x86_64-linux-gnu/libldap-2.5.so.0 /usr/lib/x86_64-linux-gnu/libldap-2.4.so.2

# copy entrypoint script and make executable
COPY ./docker/entrypoint.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/entrypoint.sh

# create directory for ldap cert -> will be mounted as volume and checked by entrypoint.sh
RUN mkdir /usr/share/ca-certificates/extra
RUN cp /etc/ca-certificates.conf /etc/ca-certificates.conf.backup

CMD ["/usr/local/bin/entrypoint.sh"]
```

- Run the image and execute the LDAP connection code. I have tried 3 variations:
  5.1 Installing libldap-2.5-0
  5.2 Installing libldap-2.5-0 and creating the symbolic link (commented out in the Dockerfile)
  5.3 Without installing and linking
Expected behavior
I can connect to AD and no exception is thrown when the "StartTransportLayerSecurity" method is called.
Actual behavior
macOS
An exception is thrown when calling the "StartTransportLayerSecurity" method:

```
Exception has occurred: CLR/System.DirectoryServices.Protocols.LdapException
Exception thrown: 'System.DirectoryServices.Protocols.LdapException' in System.DirectoryServices.Protocols.dll: 'The LDAP server is unavailable.'
   at System.DirectoryServices.Protocols.LdapSessionOptions.StartTransportLayerSecurity(DirectoryControlCollection controls)
   at ExampleApp.Authentication.Ldap.LdapConnectionFactory.CreateBoundConnection(String userDn, String plainPassword) in src/ExampleApp.Ldap/Authentication/Ldap/LdapConnectionFactory.cs:line 102
```
Docker
When installing libldap 2.5, with or without linking it (5.1 and 5.2), I get basically the same error as on macOS:

```
System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
   at System.DirectoryServices.Protocols.LdapSessionOptions.StartTransportLayerSecurity(DirectoryControlCollection controls)
   at ExampleApp.Authentication.Ldap.LdapConnectionFactory.CreateBoundConnection(String userDn, String plainPassword) in /build/src/ExampleApp.Ldap/Authentication/Ldap/LdapConnectionFactory.cs:line 102
```

Without installing it (5.3) I get the following:

```
System.TypeInitializationException: The type initializer for 'Ldap' threw an exception.
   at Interop.Ldap.ldap_initialize(IntPtr& ld, String uri)
   at System.DirectoryServices.Protocols.ConnectionHandle..ctor()
   at System.DirectoryServices.Protocols.LdapConnection.InternalInitConnectionHandle()
   at System.DirectoryServices.Protocols.LdapConnection.Init()
   at System.DirectoryServices.Protocols.LdapConnection..ctor(LdapDirectoryIdentifier identifier, NetworkCredential credential, AuthType authType)
   at System.DirectoryServices.Protocols.LdapConnection..ctor(LdapDirectoryIdentifier identifier)
   at ExampleApp.Authentication.Ldap.LdapConnectionFactory.CreateBoundConnection(String userDn, String plainPassword) in /build/src/ExampleApp.Ldap/Authentication/Ldap/LdapConnectionFactory.cs:line 85
```
Regression?
Works with System.DirectoryServices.Protocols 7.0.1
Known Workarounds
Using v7.0.1
Configuration
- macOS Sonoma 14.5 (23F79) on arm64 with .NET v8.0.403
- Docker Debian mcr.microsoft.com/dotnet/aspnet:8.0-bookworm-slim, running as x64 on the macOS arm64 host
- System.DirectoryServices.Protocols 8.0.0
Other information
- Similar issue: "StartTransportLayerSecurity(...) method throw an exception when using System.DirectoryServices.Protocols in version 8.0.0 on Linux" (#96988)
- Discussion about the Docker image and problems with libldap (but not using the aspnet image): "LDAP error with .NET 8 on docker: sdk:8.0 vs runtime:8.0 ?" (#98990)
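"The LDAP server is unavailable" from StartTransportLayerSecurity does not say whether the directory refused the StartTLS extended operation, whether the TLS handshake failed (for example because the AD certificate's CA is not in the client's trust store, which is what the mounted cert directory in the Dockerfile is for), or whether the 8.0.0 wrapper itself is at fault. The probe below is an added diagnostic example, not code from the issue or from System.DirectoryServices.Protocols. It speaks the raw LDAPv3 StartTLS exchange from RFC 4511 section 4.14 on port 389 with no libldap and no .NET involved, so running it from the same macOS shell or from inside the same container isolates the server and trust-store questions from the library question. The host, port and CA file are assumptions to replace with your own values.

```python
"""Raw LDAPv3 StartTLS probe: ExtendedRequest with OID 1.3.6.1.4.1.1466.20037,
check the ExtendedResponse resultCode, then run the TLS handshake on the same
socket. Added diagnostic example; host, port and CA file are assumptions."""
import socket
import ssl
from typing import Optional, Tuple

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # requestName of the StartTLS extended operation


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))  # 0x77 = APPLICATION 23, 0x80 = [0] primitive
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext_req)


def ber_read(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg: bytes) -> Tuple[int, str]:
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, pos = ber_read(body)            # messageID, not needed here
    tag, resp, _ = ber_read(body, pos)
    if tag != 0x78:
        raise ValueError(f"expected ExtendedResponse (0x78), got {tag:#x}")
    _, code, pos = ber_read(resp)         # resultCode ENUMERATED (0 = success)
    _, _, pos = ber_read(resp, pos)       # matchedDN
    _, diag, _ = ber_read(resp, pos)      # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def recv_ldap_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage (tag, length, value) from the socket."""
    head = _recv_exact(sock, 2)
    if head[1] < 0x80:
        rest = head[1]
    else:
        head += _recv_exact(sock, head[1] & 0x7F)
        rest = int.from_bytes(head[2:], "big")
    return head + _recv_exact(sock, rest)


def probe_starttls(host: str, port: int = 389, cafile: Optional[str] = None, timeout: float = 5.0):
    """Send StartTLS over cleartext, then handshake TLS on that same socket.

    Returns (resultCode, tls_version, issuer_cn_or_diagnostic). A non-zero
    resultCode means the directory refused StartTLS; ssl.SSLCertVerificationError
    means the issuing CA is not in the trust store given by cafile. Verification
    stays on: StartTLS exists here to protect the simple bind that follows it.
    """
    conn: socket.socket = socket.create_connection((host, port), timeout=timeout)
    try:
        conn.sendall(starttls_request())
        code, diag = parse_extended_response(recv_ldap_message(conn))
        if code != 0:
            return code, None, diag
        ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED plus hostname check
        conn = ctx.wrap_socket(conn, server_hostname=host)
        issuer = dict(rdn[0] for rdn in conn.getpeercert()["issuer"])
        return 0, conn.version(), issuer.get("commonName", "")
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # assumed invocation: python probe.py dc01.example.internal 389 /usr/share/ca-certificates/extra/ad-root.crt
    print(probe_starttls(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 389,
                         sys.argv[3] if len(sys.argv) > 3 else None))
```

A result of `(0, 'TLSv1.2', '<issuer CN>')` means StartTLS and trust are fine from that machine and the problem sits in the library path; a non-zero resultCode or an `SSLCertVerificationError` points at the directory or at the CA file the container mounts. If the failure is certificate trust, fix it by installing the CA (as the Dockerfile's extra directory intends), not by telling libldap or the wrapper to skip certificate checks, since that would expose the simple-bind password to anyone who can intercept port 389.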