Icinga/docker-icingaweb2

We break LDAP by installing HTTPd

Closed this issue · 3 comments

Plain base image

$ docker run --rm -it debian:11-slim bash

root@5f995fc0c5f6:/# apt-get update >/dev/null 2>&1
root@5f995fc0c5f6:/# apt install ldap-utils ca-certificates -y >/dev/null 2>&1
root@5f995fc0c5f6:/# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@5f995fc0c5f6:/# ldapsearch -h none.of.your.business.netways.de -x -W -D none.of@your.business.netways.de -b (...) -ZZ '(CN=Alexander Klimov)'
Enter LDAP Password:

Our image

$ docker run --rm -itu 0 icinga/icingaweb2:master bash

[Mon Dec 5 14:42:05.846249576 2022] [docker_entrypoint:info] [pid 1] DOCKERE: Initializing /data as we're the init process
[Mon Dec 5 14:42:05.847958114 2022] [docker_entrypoint:debug] [pid 1] DOCKERE: Creating "/data/etc/icingaweb2/enabledModules"
[Mon Dec 5 14:42:05.848211874 2022] [docker_entrypoint:debug] [pid 1] DOCKERE: Creating "/data/var/lib/icingaweb2"
[Mon Dec 5 14:42:05.848340822 2022] [docker_entrypoint:debug] [pid 1] DOCKERE: Translating env vars to .ini config
[Mon Dec 5 14:42:05.84838843 2022] [docker_entrypoint:info] [pid 1] DOCKERE: Checking database resources used as backends
Created directory: /var/lib/snmp/cert_indexes
[Mon Dec 5 14:42:06.434221345 2022] [docker_entrypoint:info] [pid 1] DOCKERE: Looking up "bash" in $PATH
[Mon Dec 5 14:42:06.434356917 2022] [docker_entrypoint:info] [pid 1] DOCKERE: Running "/bin/bash"
root@9ebce0a5458e:/# apt-get update >/dev/null 2>&1
root@9ebce0a5458e:/# apt install ldap-utils ca-certificates -y >/dev/null 2>&1
root@9ebce0a5458e:/# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@9ebce0a5458e:/# ldapsearch -h none.of.your.business.netways.de -x -W -D none.of@your.business.netways.de -b (...) -ZZ '(CN=Alexander Klimov)'
ldap_start_tls: Connect error (-11)
	additional info: (unknown error code)
root@9ebce0a5458e:/#

Broken down

$ docker run --rm -it debian:11-slim bash

root@061ddffb406b:/# export DEBIAN_FRONTEND=noninteractive
root@061ddffb406b:/# apt-get update >/dev/null 2>&1
root@061ddffb406b:/# apt-get install --no-install-{recommends,suggests} -y apache2 >/dev/null 2>&1 # <== HERE
root@061ddffb406b:/# apt install ldap-utils ca-certificates -y >/dev/null 2>&1
root@061ddffb406b:/# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@061ddffb406b:/# ldapsearch -h none.of.your.business.netways.de -x -W -D none.of@your.business.netways.de -b (...) -ZZ '(CN=Alexander Klimov)'
ldap_start_tls: Connect error (-11)
	additional info: (unknown error code)
root@061ddffb406b:/#
diff --git a/Dockerfile b/Dockerfile
index 28e31ac..e90afdf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,7 +10,7 @@ RUN ["go", "build", "."]

 FROM debian:bullseye-slim

-RUN ["bash", "-exo", "pipefail", "-c", "export DEBIAN_FRONTEND=noninteractive; apt-get update; apt-get install --no-install-{recommends,suggests} -y apache2 ca-certificates libapache2-mod-php7.4 locales-all php-{imagick,redis} php7.4-{bcmath,bz2,common,curl,dba,enchant,gd,gmp,imap,interbase,intl,json,ldap,mbstring,mysql,odbc,opcache,pgsql,pspell,readline,snmp,soap,sqlite3,sybase,tidy,xml,xmlrpc,xsl,zip}; apt-get clean; rm -vrf /var/lib/apt/lists/*"]
+RUN ["bash", "-exo", "pipefail", "-c", "export DEBIAN_FRONTEND=noninteractive; apt-get update; apt-get install -y apache2; apt-get install --no-install-{recommends,suggests} -y ca-certificates libapache2-mod-php7.4 locales-all php-{imagick,redis} php7.4-{bcmath,bz2,common,curl,dba,enchant,gd,gmp,imap,interbase,intl,json,ldap,mbstring,mysql,odbc,opcache,pgsql,pspell,readline,snmp,soap,sqlite3,sybase,tidy,xml,xmlrpc,xsl,zip}; apt-get clean; rm -vrf /var/lib/apt/lists/*"]

 COPY --from=entrypoint /entrypoint/entrypoint /entrypoint
 COPY entrypoint/db-init /entrypoint-db-init
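
Review bot: The new `apt-get install -y apache2` step in the changed `RUN` line drops `--no-install-{recommends,suggests}` for apache2, so the fix relies on whichever recommended package apt happens to pull in, and nothing in the Dockerfile records which one that is. Identify that package and add it by name to the existing `--no-install-{recommends,suggests}` list, with a comment above the `RUN` saying it is required for LDAP StartTLS. That keeps the image from growing by all of apache2's recommended packages and keeps the fix from silently disappearing if those recommendations change.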

seems to help. Don’t ask me or the internet why.

Also helping, this time fully and effectively:

https://stackoverflow.com/a/7586808

Don’t ask me or the internet why.

Well that should be fairly simple to figure out. Just compare the set of installed packages, install the missing ones one by one and see which one fixes it.
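
The comparison suggested in the comment above, as an added example that is not part of the original thread: it lists the packages present on the working system but absent from the broken one, then tries them one at a time. The function names, the stub probe and the `pkg-a`/`pkg-b` sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Print packages listed in file $1 (working system) but not in file $2
# (broken system). Each file holds one name per line, for example from:
#   dpkg-query -W -f='${Package}\n'
missing_packages() {
    work_sorted=$(mktemp) && broken_sorted=$(mktemp) || return 1
    LC_ALL=C sort -u "$1" >"$work_sorted"
    LC_ALL=C sort -u "$2" >"$broken_sorted"
    LC_ALL=C comm -23 "$work_sorted" "$broken_sorted"
    rm -f "$work_sorted" "$broken_sorted"
}

# Read candidates on stdin, run "$1 <package>" for each, and print the
# first package for which the probe exits 0. Returns 1 if none does.
# A real probe would start a fresh copy of the broken image, install only
# that package, and rerun the failing ldapsearch -ZZ command.
first_fixing_package() {
    probe=$1
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        # </dev/null keeps the probe from consuming the candidate list.
        if "$probe" "$pkg" </dev/null; then
            printf '%s\n' "$pkg"
            return 0
        fi
    done
    return 1
}

# Stub probe standing in for the container test: only pkg-b "fixes" it.
stub_probe() { [ "$1" = pkg-b ]; }

# Constructed package lists; pkg-a and pkg-b are placeholders.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' apache2 ca-certificates ldap-utils pkg-a pkg-b >"$dir/working"
    printf '%s\n' ldap-utils apache2 ca-certificates >"$dir/broken"
    missing_packages "$dir/working" "$dir/broken" | first_fixing_package stub_probe
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo    # prints pkg-b
```

Once the package is known, it can be installed by name in the image, which keeps TLS certificate validation enabled.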

Also helping, this time fully and effectively:

https://stackoverflow.com/a/7586808

Disabling certificate validation is almost certainly not what you want to do.