We break LDAP by installing HTTPd
Closed this issue · 3 comments
Al2Klimov commented
Plain base image
$ docker run --rm -it debian:11-slim bash
root@5f995fc0c5f6:/# apt-get update >/dev/null 2>&1
root@5f995fc0c5f6:/# apt install ldap-utils ca-certificates -y >/dev/null 2>&1
root@5f995fc0c5f6:/# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@5f995fc0c5f6:/# ldapsearch -h none.of.your.business.netways.de -x -W -D none.of@your.business.netways.de -b (...) -ZZ '(CN=Alexander Klimov)'
Enter LDAP Password:
Our image
$ docker run --rm -itu 0 icinga/icingaweb2:master bash
[Mon Dec 5 14:42:05.846249576 2022] [docker_entrypoint:info] [pid 1] DOCKERE: Initializing /data as we're the init process
[Mon Dec 5 14:42:05.847958114 2022] [docker_entrypoint:debug] [pid 1] DOCKERE: Creating "/data/etc/icingaweb2/enabledModules"
[Mon Dec 5 14:42:05.848211874 2022] [docker_entrypoint:debug] [pid 1] DOCKERE: Creating "/data/var/lib/icingaweb2"
[Mon Dec 5 14:42:05.848340822 2022] [docker_entrypoint:debug] [pid 1] DOCKERE: Translating env vars to .ini config
[Mon Dec 5 14:42:05.84838843 2022] [docker_entrypoint:info] [pid 1] DOCKERE: Checking database resources used as backends
Created directory: /var/lib/snmp/cert_indexes
[Mon Dec 5 14:42:06.434221345 2022] [docker_entrypoint:info] [pid 1] DOCKERE: Looking up "bash" in $PATH
[Mon Dec 5 14:42:06.434356917 2022] [docker_entrypoint:info] [pid 1] DOCKERE: Running "/bin/bash"
root@9ebce0a5458e:/# apt-get update >/dev/null 2>&1
root@9ebce0a5458e:/# apt install ldap-utils ca-certificates -y >/dev/null 2>&1
root@9ebce0a5458e:/# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@9ebce0a5458e:/# ldapsearch -h none.of.your.business.netways.de -x -W -D none.of@your.business.netways.de -b (...) -ZZ '(CN=Alexander Klimov)'
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
root@9ebce0a5458e:/#
Broken down
$ docker run --rm -it debian:11-slim bash
root@061ddffb406b:/# export DEBIAN_FRONTEND=noninteractive
root@061ddffb406b:/# apt-get update >/dev/null 2>&1
root@061ddffb406b:/# apt-get install --no-install-{recommends,suggests} -y apache2 >/dev/null 2>&1 # <== HERE
root@061ddffb406b:/# apt install ldap-utils ca-certificates -y >/dev/null 2>&1
root@061ddffb406b:/# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@061ddffb406b:/# ldapsearch -h none.of.your.business.netways.de -x -W -D none.of@your.business.netways.de -b (...) -ZZ '(CN=Alexander Klimov)'
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
root@061ddffb406b:/#
Al2Klimov commented
diff --git a/Dockerfile b/Dockerfile
index 28e31ac..e90afdf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,7 +10,7 @@ RUN ["go", "build", "."]
FROM debian:bullseye-slim
-RUN ["bash", "-exo", "pipefail", "-c", "export DEBIAN_FRONTEND=noninteractive; apt-get update; apt-get install --no-install-{recommends,suggests} -y apache2 ca-certificates libapache2-mod-php7.4 locales-all php-{imagick,redis} php7.4-{bcmath,bz2,common,curl,dba,enchant,gd,gmp,imap,interbase,intl,json,ldap,mbstring,mysql,odbc,opcache,pgsql,pspell,readline,snmp,soap,sqlite3,sybase,tidy,xml,xmlrpc,xsl,zip}; apt-get clean; rm -vrf /var/lib/apt/lists/*"]
+RUN ["bash", "-exo", "pipefail", "-c", "export DEBIAN_FRONTEND=noninteractive; apt-get update; apt-get install -y apache2; apt-get install --no-install-{recommends,suggests} -y ca-certificates libapache2-mod-php7.4 locales-all php-{imagick,redis} php7.4-{bcmath,bz2,common,curl,dba,enchant,gd,gmp,imap,interbase,intl,json,ldap,mbstring,mysql,odbc,opcache,pgsql,pspell,readline,snmp,soap,sqlite3,sybase,tidy,xml,xmlrpc,xsl,zip}; apt-get clean; rm -vrf /var/lib/apt/lists/*"]
COPY --from=entrypoint /entrypoint/entrypoint /entrypoint
COPY entrypoint/db-init /entrypoint-db-init
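Review bot: the `+RUN` line works around the symptom by installing apache2 together with its whole Recommends set instead of naming the single package whose absence produces `ldap_start_tls: Connect error (-11)`, so the root cause stays unidentified and the image gains every other recommended package of apache2. Suggest bisecting the package difference first (for example listing candidates with `apt-cache depends apache2` and installing them one at a time until `ldapsearch -ZZ` works), then keeping the original single `--no-install-{recommends,suggests}` invocation with only that package appended, e.g. `apt-get install --no-install-{recommends,suggests} -y apache2 <missing-package> ca-certificates ...`. If the two-step install is kept anyway, a comment in the Dockerfile saying why apache2 alone is installed with recommends would save the next reader from "don't ask me why".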
seems to help. Don’t ask me or the internet why.
Al2Klimov commented
Also helping, this time fully and effectively:
julianbrost commented
> Don’t ask me or the internet why.
Well that should be fairly simple to figure out. Just compare the set of installed packages, install the missing ones one by one and see which one fixes it.
> Also helping, this time fully and effectively:
Disabling certificate validation is almost certainly not what you want to do.
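The package bisection julianbrost describes, written out as a shell script. This is an added example, not code from the issue or from the icingaweb2 project: the two package lists are constructed stand-ins for `dpkg-query -W -f='${Package}\n'` output from the working `debian:11-slim` container and the broken image (the thread never identifies the real missing package, so the difference here is a placeholder), the `LDAP_HOST` and `LDAP_BASE` variables used by the StartTLS probe are assumptions, and the last function flags an `ldap.conf` that turns certificate validation off via `TLS_REQCERT` (documented in ldap.conf(5)), which is the shortcut julianbrost warns against.

```shell
#!/bin/sh
# Constructed sample lists: what `dpkg-query -W -f='${Package}\n' | sort -u`
# might print in the working container (left) and the broken one (right).
# "example-missing-package" is a placeholder, not a real finding from the issue.
pkgs_working="ca-certificates
example-missing-package
ldap-utils
libldap-2.4-2
libsasl2-2"

pkgs_broken="apache2
ca-certificates
ldap-utils
libldap-2.4-2
libsasl2-2"

# Print packages present in the first list but absent from the second.
# Both lists are newline-separated strings; comm needs them sorted.
missing_packages() {
  a=$(mktemp); b=$(mktemp)
  printf '%s\n' "$1" | sort -u >"$a"
  printf '%s\n' "$2" | sort -u >"$b"
  comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

# Probe: does StartTLS (-ZZ, mandatory) succeed against the directory?
# LDAP_HOST and LDAP_BASE are assumed to be set by the operator; an
# anonymous base-scope search is enough to exercise the TLS handshake.
ldap_starttls_ok() {
  ldapsearch -H "ldap://${LDAP_HOST:?set LDAP_HOST}" -x -ZZ \
    -b "${LDAP_BASE:?set LDAP_BASE}" -s base '(objectClass=*)' >/dev/null 2>&1
}

# Install candidate packages one at a time (without their recommends, so
# only the named package changes) and print the first one that makes the
# probe pass. Returns 1 if none of them does.
find_fixing_package() {
  for pkg in "$@"; do
    apt-get install --no-install-recommends -y "$pkg" >/dev/null 2>&1 || continue
    if ldap_starttls_ok; then
      printf '%s\n' "$pkg"
      return 0
    fi
  done
  return 1
}

# Return 1 if the given ldap.conf text disables server certificate
# validation (TLS_REQCERT never or allow), 0 otherwise. Commented-out
# lines do not match because the directive must start the line.
cert_validation_enforced() {
  if printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*TLS_REQCERT[[:space:]]+(never|allow)'; then
    return 1
  fi
  return 0
}

# Usage inside the broken container (after `apt-get update`):
#   export LDAP_HOST=ldap.example.invalid LDAP_BASE='dc=example,dc=invalid'
#   find_fixing_package $(missing_packages "$pkgs_working" "$pkgs_broken")
#   cert_validation_enforced "$(cat /etc/ldap/ldap.conf)" || echo 'TLS_REQCERT disables validation'
```

`find_fixing_package` installs candidates cumulatively, so once it prints a name the right check is to rebuild the image with only that package added and run the probe again; if the probe still fails, the fix needed more than one of them and the loop can be re-run on the remainder. The `cert_validation_enforced` check is there because "make the error go away" and "verify the server's certificate" are different outcomes, and only the second one keeps StartTLS meaningful.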