Querying a DC via System.DirectoryServices.Protocols hangs on macOS

[dlnash18]

Description

I have PowerShell code to query a DC via LDAP that hangs in .NET 7.0.102 on macOS Ventura. This has been happening for at least a year across several versions of .NET and macOS. Almost identical code, differing only in SessionOptions.StartTransportLayerSecurity($null) instead of SessionOptions.SecureSocketLayer = $true and targeting OpenLDAP instead of AD, works fine. And the code that hangs on macOS works fine in .NET 7.0.304 on Windows.

The hang happens in System.DirectoryServices.Protocols.LdapConnection.SendRequest. Calling LdapConnection.Bind first does not hang, but it also does not prevent SendRequest from hanging.

Reproduction Steps

$LdapServer     = 'host.name.of.a.domain.controller'
$LdapPort       = 636
$LdapDirID      = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapServer, $LdapPort, $true, $false)                                                      

$Credential     = Get-Credential
$LdapCred       = New-Object System.Net.NetworkCredential($Credential.Username, $Credential.Password)                                                                               
$LdapAuthType   = [System.DirectoryServices.Protocols.AuthType]'Basic'

$LdapConnection = New-Object System.DirectoryServices.Protocols.LdapConnection($LdapDirID, $LdapCred, $LdapAuthType)                                                              
$LdapConnection.SessionOptions.SecureSocketLayer = $true

$LdapBase       = 'dc=abc,dc=xyz,dc=edu'
$LdapFilter     = '(samaccountname=MeMyselfAndI)'
$LdapScope      = [System.DirectoryServices.Protocols.SearchScope]'Subtree'
$SearchRequest  = New-Object System.DirectoryServices.Protocols.SearchRequest($LdapBase, $LdapFilter, $LdapScope)                                                                  

$LdapConnection.Bind()
$SearchResponse = $LdapConnection.SendRequest($SearchRequest) # Hangs forever

Changing these three lines makes it work:

$LdapServer     = 'host.name.of.an.OpenLDAP.server'
$LdapPort       = 389
$LdapConnection.SessionOptions.StartTransportLayerSecurity($null)

Expected behavior

I get a response from the LDAP server.

Actual behavior

LdapConnection.SendRequest hangs so badly that ^C won't stop it. I have to close the terminal window, which I have verified does kill the process (three cheers for SIGHUP).

Regression?

It has never worked in .NET 7 in my observation, but I don't claim to have tested every version.

Known Workarounds

No workaround.

Configuration

.NET SDK:
 Version:   7.0.102
 Commit:    4bbdd14480

Runtime Environment:
 OS Name:     Mac OS X
 OS Version:  13.4
 OS Platform: Darwin
 RID:         osx.13-x64

PowerShell 7.3.1

Earlier versions of both .NET 7 and macOS exhibit the problem. .NET 7 on Windows does not, at least not as of:

.NET SDK:
 Version:   7.0.304
 Commit:    7e794e2806

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.17763
 OS Platform: Windows
 RID:         win10-x64

PowerShell 7.3.4

Other information

No response

Tagging subscribers to this area: @dotnet/area-system-directoryservices, @jay98014
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

I have PowerShell code to query a DC via LDAP that hangs in .NET 7.0.102 on macOS Ventura. This has been happening for at least a year across several versions of .NET and macOS. Almost identical code, differing only in SessionOptions.StartTransportLayerSecurity($null) instead of SessionOptions.SecureSocketLayer = $true and targeting OpenLDAP instead of AD, works fine. And the code that hangs on macOS works fine in .NET 7.0.304 on Windows.

The hang happens in System.DirectoryServices.Protocols.LdapConnection.SendRequest. Calling LdapConnection.Bind first does not hang, but it also does not prevent SendRequest from hanging.

Reproduction Steps

$LdapServer     = 'host.name.of.a.domain.controller'
$LdapPort       = 636
$LdapDirID      = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapServer, $LdapPort, $true, $false)                                                      

$Credential     = Get-Credential
$LdapCred       = New-Object System.Net.NetworkCredential($Credential.Username, $Credential.Password)                                                                               
$LdapAuthType   = [System.DirectoryServices.Protocols.AuthType]'Basic'

$LdapConnection = New-Object System.DirectoryServices.Protocols.LdapConnection($LdapDirID, $LdapCred, $LdapAuthType)                                                              
$LdapConnection.SessionOptions.SecureSocketLayer = $true

$LdapBase       = 'dc=abc,dc=xyz,dc=edu'
$LdapFilter     = '(samaccountname=MeMyselfAndI)'
$LdapScope      = [System.DirectoryServices.Protocols.SearchScope]'Subtree'
$SearchRequest  = New-Object System.DirectoryServices.Protocols.SearchRequest($LdapBase, $LdapFilter, $LdapScope)                                                                  

$LdapConnection.Bind()
$SearchResponse = $LdapConnection.SendRequest($SearchRequest) # Hangs forever

Changing these three lines makes it work:

$LdapServer     = 'host.name.of.an.OpenLDAP.server'
$LdapPort       = 389
$LdapConnection.SessionOptions.StartTransportLayerSecurity($null)

Expected behavior

I get a response from the LDAP server.

Actual behavior

LdapConnection.SendRequest hangs so badly that ^C won't stop it. I have to close the terminal window, which I have verified does kill the process (three cheers for SIGHUP).

Regression?

It has never worked in .NET 7 in my observation, but I don't claim to have tested every version.

Known Workarounds

No workaround.

Configuration

.NET SDK:
 Version:   7.0.102
 Commit:    4bbdd14480

Runtime Environment:
 OS Name:     Mac OS X
 OS Version:  13.4
 OS Platform: Darwin
 RID:         osx.13-x64

PowerShell 7.3.1

Earlier versions of both .NET 7 and macOS exhibit the problem. .NET 7 on Windows does not, at least not as of:

.NET SDK:
 Version:   7.0.304
 Commit:    7e794e2806

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.17763
 OS Platform: Windows
 RID:         win10-x64

PowerShell 7.3.4

Other information

No response

Author:	dlnash18
Assignees:	-
Labels:	area-System.DirectoryServices
Milestone:	-

[buyaa-n]

and targeting OpenLDAP instead of AD

Not sure if it is expected to work on Mac, by my understanding AD is windows only, correct me if I am wrong @joperezr

[dlnash18]

and targeting OpenLDAP instead of AD

Not sure if it is expected to work on Mac, by my understanding AD is windows only, correct me if I am wrong @joperezr

This is vanilla LDAP, not ADSI or anything Windows-specific like that. I send LDAP queries to domain controllers from my Mac all the time, I just can't make it work in .NET.

[buyaa-n]

This is vanilla LDAP, not ADSI or anything Windows-specific like that.

Sorry I could not find anything like vanilla LDAP, it seems you are using vanilla to connect to a LDAP server, so the question is what LDAP server you are using? For further investigation we need to reproduce the issue you are encountering. It would be great if you could provide a sample repro.

This issue has been marked needs-author-action and may be missing some important information.

This issue has been automatically marked no-recent-activity because it has not had any activity for 14 days. It will be closed if no further activity occurs within 14 more days. Any new comment (by anyone, not necessarily the author) will remove no-recent-activity.

[dlnash18]

Excuse me, "vanilla" is American slang for "plain and uninteresting." My point was that I'm using a vendor-neutral protocol to query the domain controller, not an AD-specific mechanism. The AD server software is indeed Windows-only, but it implements LDAP, and LDAP is a vendor-neutral standard. The .NET System.DirectoryServices.Protocols namespace provides access to LDAP as documented at https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.protocols. I am able to use this LDAP client on macOS to query non-AD LDAP servers. And I am able to use the LDAP client built into macOS to query domain controllers, so the problem isn't that our DCs are having some sort of LDAP problems. The problem is quite specifically that the .NET LDAP client on macOS cannot query a DC.

All three of these elements are required to make the problem manifest:

1. Use of the .NET System.DirectoryServices.Protocols LDAP client,
2. on macOS (the problem does not manifest in .NET 7 on Windows),
3. querying an AD DC (the problem does not manifest when querying a non-AD server like OpenLDAP).