
I have an application that needs to access an LDAP server (Active Directory), and it works properly when running locally. However, when it runs inside a Docker container the application cannot access the Active Directory server. I executed a ping command inside the container and it worked.

# ping 10.10.2.1
PING 10.10.2.1 (10.10.2.1) 56(84) bytes of data.
64 bytes from 10.10.2.1: icmp_seq=1 ttl=37 time=14.7 ms
64 bytes from 10.10.2.1: icmp_seq=2 ttl=37 time=16.5 ms
64 bytes from 10.10.2.1: icmp_seq=3 ttl=37 time=14.5 ms
64 bytes from 10.10.2.1: icmp_seq=4 ttl=37 time=11.8 ms
64 bytes from 10.10.2.1: icmp_seq=5 ttl=37 time=15.8 ms
^C
--- 10.10.2.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 11.854/14.700/16.554/1.606 ms

The code below is responsible for accessing the LDAP server.

    using System;
    using System.DirectoryServices.AccountManagement;
    using System.Net;
    using System.Threading;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.Logging;

    public class ActiveDirectoryClient
    {
        private readonly ILogger<ActiveDirectoryClient> _logger;
        private readonly IConfiguration _configuration;
        private readonly string _domain;
        private PrincipalContext _context;

        /// <summary>
        /// Class constructor
        /// </summary>
        /// <param name="configuration">Configuration parameter</param>
        /// <param name="logger">Logger</param>
        public ActiveDirectoryClient(IConfiguration configuration, ILogger<ActiveDirectoryClient> logger)
        {
            _logger = logger;
            _configuration = configuration;
            _domain = _configuration["LDAPAdress"];
        }

        /// <summary>
        /// Tries to connect to Active Directory up to a given number of times, waiting a given interval (in seconds) between attempts
        /// </summary>
        /// <param name="attemps">Number of attempts</param>
        /// <param name="retryInterval">Interval between attempts, in seconds</param>
        /// <returns>Returns the Active Directory context</returns>
        /// <exception cref="CustomException">Thrown when it is not possible to connect to Active Directory (project-specific exception type)</exception>
        private PrincipalContext TryConnectActiveDirectory(int attemps, double retryInterval)
        {
            while (attemps > 0)
            {
                _context = null;
                _logger.LogCritical(_domain);
                try
                {
                    _context = new PrincipalContext(ContextType.Domain, _domain);
                    if (_context.Container != null)
                    {
                        // Connected: return instead of looping again (the loop would otherwise never end on success)
                        return _context;
                    }
                }
                catch (Exception ex)
                {
                    // Log the real failure reason (e.g. the platform-not-supported message) instead of swallowing it
                    _logger.LogError(ex, "Failed to connect to {Domain}", _domain);
                    _context = null;
                }

                // Either the constructor threw or the context has no container: count one attempt and wait once
                attemps--;
                if (attemps > 0)
                {
                    Thread.Sleep(TimeSpan.FromSeconds(retryInterval));
                }
            }

            _logger.LogCritical(_domain);

            if (_context == null)
            {
                throw new CustomException(HttpStatusCode.ServiceUnavailable, "Não foi possível conectar-se com o servidor");
            }

            return _context;
        }
    }

This file has the configuration of the project.

{
  "LDAPAdress": "10.10.2.1",
  "Logging": {
    "LogLevel": {
      "Default": "Warning"
    }
  },
  "AllowedHosts": "*"
}

I mapped the container port from 60331 to 80. It is working because I can access the Swagger page through a browser on the host at the address http://localhost:60331.

I ran the command tcpdump -i eth0 port 389 -v inside the container to sniff all requests to port 389 and nothing was returned; however, when I run the application locally some requests to port 389 can be sniffed.

Could someone help?

  • Please include the container's logs or any debugging information to help justify "cannot access". Hopefully the logs include something germane. Ping uses ICMP whereas your LDAP traffic is UDP or TCP (?) and so this only shows that the container is able to access the LDAP host via ICMP. TCP|UDP should work but perhaps there's another issue. – DazWilkin Jul 12 '19 at 01:14
  • I logged the thrown exception message in the try/catch block and the error occurs because "System.DirectoryService.Management is not supported on this platform". The host is running Windows and the container is running Ubuntu. – Michael Santos Jul 12 '19 at 02:27
  • Aha! I suspect (!) that `System.DirectoryService.Management` is not part of .NET Core and is thus unavailable to you (on .NET Core) on Linux [and Windows]. – DazWilkin Jul 12 '19 at 02:40
  • @DazWilkin do you know some workaround like alternative library or something else? Thanks. Probably I will need Windows containers I guess... – Michael Santos Jul 12 '19 at 02:42
  • If our hypothesis is correct (and we should await a more experienced .NETer to concur), you've got 2 options: find an alternative LDAP client library that supports AD; use .NET Framework and a Windows container. – DazWilkin Jul 12 '19 at 02:45
  • Perhaps: https://stackoverflow.com/questions/49682644/asp-net-core-2-0-ldap-active-directory-authentication/49685121#49685121 – DazWilkin Jul 12 '19 at 02:47
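The two things the thread converges on, written here as an added example rather than code from the question or from any of the commenters: a successful ping only proves ICMP reachability, so the first function opens a plain TCP connection to the LDAP port, which is what tcpdump on port 389 would actually show; the second replaces PrincipalContext (System.DirectoryServices.AccountManagement, which is Windows-only) with the System.DirectoryServices.Protocols package, which runs on Linux from .NET 5 onward (the container needs the libldap library installed), and performs the bounded retry with a return on the first successful bind. The host 10.10.2.1 comes from the question's configuration file; the LDAPS port, the service account credentials and the environment variable names are assumptions.

```csharp
using System;
using System.DirectoryServices.Protocols; // NuGet: System.DirectoryServices.Protocols
using System.Net;
using System.Net.Sockets;
using System.Threading;

public static class LdapConnectivity
{
    // Step 1: TCP-level probe. ICMP (ping) reachability says nothing about whether
    // the LDAP port is reachable; this is what a tcpdump on port 389/636 would show.
    public static bool IsTcpPortReachable(string host, int port, TimeSpan timeout)
    {
        try
        {
            using var client = new TcpClient();
            var connectTask = client.ConnectAsync(host, port);
            return connectTask.Wait(timeout) && client.Connected;
        }
        catch (Exception)
        {
            // Refused, unreachable, or timed out: all count as "not reachable"
            return false;
        }
    }

    // Step 2: bounded retry around an LDAP bind using the cross-platform
    // System.DirectoryServices.Protocols API. Returns on the first successful bind,
    // counts each failure exactly once, and gives up after `attempts` failures.
    public static LdapConnection TryConnect(string host, int port, NetworkCredential credential,
                                            int attempts, TimeSpan retryInterval)
    {
        Exception lastError = null;
        for (var i = 0; i < attempts; i++)
        {
            var connection = new LdapConnection(new LdapDirectoryIdentifier(host, port))
            {
                AuthType = AuthType.Basic, // simple bind: only acceptable inside a TLS session
                Credential = credential,
            };
            connection.SessionOptions.ProtocolVersion = 3;
            // LDAPS: credentials are never sent in clear text. Keep the default certificate
            // validation; do not install a VerifyServerCertificate callback that returns true.
            connection.SessionOptions.SecureSocketLayer = true;
            try
            {
                connection.Bind();
                return connection;
            }
            catch (LdapException ex)
            {
                lastError = ex;
                connection.Dispose();
                if (i < attempts - 1)
                {
                    Thread.Sleep(retryInterval);
                }
            }
        }
        throw new InvalidOperationException(
            $"Could not bind to {host}:{port} after {attempts} attempts", lastError);
    }

    public static void Main()
    {
        const string host = "10.10.2.1"; // from the question's configuration file
        const int ldapsPort = 636;       // assumption: LDAPS enabled on the domain controller

        // Diagnose transport first, so a "cannot access" is not confused with a library problem
        var reachable = IsTcpPortReachable(host, ldapsPort, TimeSpan.FromSeconds(3));
        Console.WriteLine($"TCP {host}:{ldapsPort} reachable: {reachable}");
        if (!reachable) return;

        // Assumption: service account credentials are injected via environment variables
        var credential = new NetworkCredential(
            Environment.GetEnvironmentVariable("LDAP_BIND_USER"),
            Environment.GetEnvironmentVariable("LDAP_BIND_PASSWORD"));

        using var connection = TryConnect(host, ldapsPort, credential, attempts: 3, retryInterval: TimeSpan.FromSeconds(5));
        Console.WriteLine("LDAP bind succeeded");
    }
}
```

Running the probe inside the container separates a network-policy or firewall problem (probe fails, tcpdump stays silent) from a library-support problem (probe succeeds, but the Windows-only PrincipalContext throws before any packet is sent, which matches the empty tcpdump in the question).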
