PassCore using Docker always got Invalid Credentials
emper0r opened this issue ยท 14 comments
PassCore Server
- OS: [ Linux ]
- Provider: [ Active Directory ]
- Settings file (without sensitive information): appsettings.json below
- Log file (without sensitive information):
Describe the bug
Hi, thanks for the community free project but i'm still trying to figure out HOW can connect this docker container with Active Directory, I read ALL open issues, to verify the other solutions, I read almost ALL issues closed to implement the combination explained with different versions and appsetings.json. but NOTHING .... not exist any way to can talk with LDAP Active Directory from Docker.
To Reproduce
Steps to reproduce the behavior:
- Fresh install from Almalinux (RedHat Enterprise Linux clone)
- install docker engine
- clone the latest version from master, (i test it even 4.2.4, 4.2.3 with little modifications)
the rest of tags are too old to build now and get more errors
cd /usr/local/src
git clone https://github.com/unosquare/passcore.git passcore
cd passcore
vim Dockerfile
remove this line https://github.com/unosquare/passcore/blob/master/Dockerfile#L15
modify the line https://github.com/unosquare/passcore/blob/master/Dockerfile#L16 without --no-restore
otherwise NEVER build an image correctly
vim /usr/local/src/passcore/src/Unosquare.PassCore.Web/appsettings.json
docker build --rm -t passcore .
docker run \
-e AppSettings__LdapUsername='Administrator' \
-e AppSettings__LdapPassword='StrongPassword' \
-it -p 8000:80 passcore:latest
Expected behavior
Change the password of user
Desktop (please complete the following information):
- OS: [Windows]
- Browser [Chrome]
- Version [latest]
Additional context
I want to add this info, I made research about LDAP Novell client to check if some special chars how would be parser to set correctly and then review the code and seems ok. so in theory passcore clean very well the special chars but including changing the administrator password to a simple 123abc just for test, the container NEVER connect... always said. Invalid Credentials.
network communication are fine and can check here in both ports 389, and 636 but still research. the password in Active Directory NEVER change using 389 because require secure port so always have to use 636.
i don't know what other things need to do and verify or check to try use this software, we don't use Windows to install an IIS and deploy this.. we need to use docker as microservices.
any help please!? is very frustrating...
appsettings.json
{
"Logging": {
"IncludeScopes": true,
"LogLevel": {
"Default": "Debug",
"System": "Debug",
"Microsoft": "Debug"
}
},
"WebSettings": {
"EnableHttpsRedirect": false
},
"AppSettings": {
// The following options for AD Provider (remove if you don't use this Provider)
"UseAutomaticContext": true, // Set true to allow PassCore to reset password using the same credentials, or false if you will fill the credentials below
"RestrictedADGroups": [
"Administrators",
"Domain Admins",
"Enterprise Admins"
], // Set the AD groups to restrict the use of PassCore
"AllowedADGroups": [], // Set the AD Groups to allow PassCore, if the array is empty all the groups no-restricted above are allowed
"IdTypeForUser": "SAM", // Possible values are "DN", "GUID", "Name", "SAM", "SID" and "UPN" (Default UPN)
"UpdateLastPassword": false, // Set true to allow PassCore to update the last password timestamp
// The following options are for LDAP Provider (remove if you don't use this Provider)
"LdapSearchBase": "DC=domain,DC=local",
"LdapSecureSocketLayer": true, // Default for AD is true when using LDAPS 636
"LdapStartTls": true, // Default for AD is true when using LDAP 389
"LdapChangePasswordWithDelAdd": false,
"LdapSearchFilter": "(sAMAccountName={Username})", // Another value: "(&(objectClass=person)(cn={Username}))"
// General options (valid for both providers)
"LdapHostnames": [ "dc1.domain.local", "dc2.domain.local" ], // Set your hostname(s)
"LdapPort": 636, // Default for AD is 389, for LDAPS 636
"LdapUsername": "", // Set the username or distinguish name (DN) to bind the LDAP server
"LdapPassword": "", // Set the password for the username
"DefaultDomain": "" // Set your default AD domain here, or non "@" logins will not work! Use empty value to allow user to set the domain. This option is ONLY available with UPN.
},
"ClientSettings": {
"ValidationRegex": {
"EmailRegex": "^[a-zA-Z0-9.!#$%&โ*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+)*$",
"UsernameRegex": "^[a-zA-Z0-9._-]{3,20}$"
},
"UsePasswordGeneration": false, //Set true to let PassCore create a new password for the current account. If true the user can not customize its new password.
"PasswordEntropy": 16, // the number of bytes of entropy to use for generated passwords
"ShowPasswordMeter": true,
"MinimumScore": 0, //The minimum acceptable score that the user's new password needs to get at being evaluated by ZXCVBN to be established as the new password.
"Recaptcha": {
"SiteKey": "", // ReCAPTCHA public key: replace this! or leave empty if you don't need ReCAPTCHA
"PrivateKey": "", // ReCAPTCHA private key: replace this! or leave empty if you don't need ReCAPTCHA
"LanguageCode": "en"
},
"UseEmail": "false",
"ApplicationTitle": "Change Account Password | Self-Service Account Management Tools",
"ChangePasswordTitle": "Change Account Password",
"ChangePasswordForm": {
"HelpText": "If you are having trouble with this tool, please contact IT Support",
"UsernameLabel": "Username",
"UsernameHelpblock": "Your organization's email address",
"UsernameDefaultDomainHelperBlock": "Your organization's username",
"CurrentPasswordLabel": "Current Password",
"CurrentPasswordHelpblock": "Enter your current password",
"NewPasswordLabel": "New Password",
"NewPasswordHelpblock": "Enter a <a href='https://support.microsoft.com/en-us/help/4026406/microsoft-account-create-a-strong-password' target='_blank'>strong password</a>. You ca
n use <a href='https://xkpasswd.net/s/' target='_blank'>this tool</a> to help you create one; use the XKCD (random sep, pad digit), or NTLM, options.",
"NewPasswordVerifyLabel": "Re-enter New Password",
"NewPasswordVerifyHelpblock": "Enter your new password again",
"ChangePasswordButtonLabel": "Change Password"
},
"ErrorsPasswordForm": {
"FieldRequired": "This field is required",
"UsernamePattern": "Please enter a valid username",
"UsernameEmailPattern": "Please enter a valid email address",
"PasswordMatch": "Passwords do not match"
},
"Alerts": {
"SuccessAlertTitle": "You have changed your password successfully.",
"SuccessAlertBody": "Please note it may take a few hours for your new password to reach all domain controllers.",
"ErrorPasswordChangeNotAllowed": "You are not allowed to change your password. Please contact your system administrator.",
"ErrorInvalidCredentials": "You need to provide the correct current password.",
"ErrorInvalidDomain": "You have supplied an invalid domain to logon to.",
"ErrorInvalidUser": "We could not find your user account.",
"ErrorCaptcha": "Could not verify you are not a robot.",
"ErrorFieldRequired": "Fulfill all the fields.",
"ErrorFieldMismatch": "The passwords do not match.",
"ErrorComplexPassword": "Failed due to password complex policies: New password length is shorter than AD minimum password length",
"ErrorConnectionLdap": "Unhandled error connecting to the LDAP server.",
"ErrorScorePassowrd": "The password you are trying to set is not secure enough."
}
}
}
logs from container passcore
dbug: Microsoft.AspNetCore.Server.Kestrel[26]
Connection id "0HMKC2ALE5764", Request id "0HMKC2ALE5764:00000002": done reading request body.
dbug: Microsoft.AspNetCore.Mvc.Formatters.SystemTextJsonInputFormatter[2]
JSON input formatter succeeded, deserializing to type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.Binders.BodyModelBinder[45]
Done attempting to bind parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'.
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder[23]
Done attempting to bind parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'.
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder[26]
Attempting to validate the bound parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel' ...
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder[27]
Done attempting to validate the bound parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'.
warn: PassCoreLDAPProvider[0]
LDAP query: (sAMAccountName=user1)
warn: PassCoreLDAPProvider[0]
Failed to connect to host [dc1.domain.local] - LdapException: Unable to connect to server dc1.domain.local:636 (91) Connect Error
System.IO.IOException: Unable to write data to the transport connection: Connection reset by peer.
---> System.Net.Sockets.SocketException (104): Connection reset by peer
at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.CreateException(SocketError error, Boolean forAsyncThrow)
at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.SendAsyncForNetworkStream(Socket socket, CancellationToken cancellationToken)
at System.Net.Sockets.Socket.SendAsyncForNetworkStream(ReadOnlyMemory`1 buffer, SocketFlags socketFlags, CancellationToken cancellationToken)
at System.Net.Sockets.NetworkStream.WriteAsync(ReadOnlyMemory`1 buffer, CancellationToken cancellationToken)
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
at System.Net.Security.SslStream.ProcessAuthenticationAsync(Boolean isAsync, Boolean isApm, CancellationToken cancellationToken)
at System.Net.Security.SslStream.AuthenticateAsClientAsync(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken)
at System.Net.Security.SslStream.AuthenticateAsClientAsync(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCert
ificateRevocation)
at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 317
at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.PerformPasswordChange(String username, String currentPassword, String newPassword) in /src/src/Zyborg.PassC
ore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 79
at Unosquare.PassCore.Web.Controllers.PasswordController.Post(ChangePasswordModel model) in /src/src/Unosquare.PassCore.Web/Controllers/PasswordController.cs:line 108
at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
at Unosquare.PassCore.Web.Controllers.PasswordController.Post(ChangePasswordModel model)
at lambda_method3(Closure , Object , Object[] )
at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object contr
oller, Object[] arguments)
at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object contr
oller, Object[] arguments)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeActionMethodAsync()
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAsync()
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAsync()
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAwaitedAsync()
at Microsoft.AspNetCore.Mvc.Controller.OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
at Microsoft.AspNetCore.Mvc.Filters.ControllerActionFilter.OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)
at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeAsync()
at Microsoft.AspNetCore.Mvc.Routing.ControllerRequestDelegateFactory.<>c__DisplayClass10_0.<CreateRequestDelegate>b__0(HttpContext context)
at Microsoft.AspNetCore.Routing.EndpointMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.StaticFiles.DefaultFilesMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.HostFiltering.HostFilteringMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Hosting.HostingApplication.ProcessRequestAsync(Context context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequestsAsync[TContext](IHttpApplication`1 application)
at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequestsAsync[TContext](IHttpApplication`1 application)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.HttpConnection.ProcessRequestsAsync[TContext](IHttpApplication`1 httpApplication)
at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.HttpConnection.ProcessRequestsAsync[TContext](IHttpApplication`1 httpApplication)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.HttpConnectionMiddleware`1.OnConnectionAsync(ConnectionContext connectionContext)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.TransportManager.<>c__DisplayClass9_0.<BindAsync>b__0(ConnectionContext c)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.System.Threading.IThreadPoolWorkItem.Execute()
at System.Threading.ThreadPoolWorkQueue.Dispatch()
at System.Threading.PortableThreadPool.WorkerThread.WorkerThreadStart()
at System.Threading.Thread.StartCallback()
--- End of stack trace from previous location ---
at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
warn: PassCoreLDAPProvider[0]
Failed to connect to host [dc2.domain.local] - LdapException: Unable to connect to server dc2.domain.local:636 (91) Connect Error
System.IO.IOException: Unable to write data to the transport connection: Connection reset by peer.
---> System.Net.Sockets.SocketException (104): Connection reset by peer
at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.CreateException(SocketError error, Boolean forAsyncThrow)
at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.SendAsyncForNetworkStream(Socket socket, CancellationToken cancellationToken)
at System.Net.Sockets.Socket.SendAsyncForNetworkStream(ReadOnlyMemory`1 buffer, SocketFlags socketFlags, CancellationToken cancellationToken)
at System.Net.Sockets.NetworkStream.WriteAsync(ReadOnlyMemory`1 buffer, CancellationToken cancellationToken)
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
at System.Net.Security.SslStream.ProcessAuthenticationAsync(Boolean isAsync, Boolean isApm, CancellationToken cancellationToken)
at System.Net.Security.SslStream.AuthenticateAsClientAsync(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken)
at System.Net.Security.SslStream.AuthenticateAsClientAsync(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCert
ificateRevocation)
at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 317
at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.PerformPasswordChange(String username, String currentPassword, String newPassword) in /src/src/Zyborg.PassC
ore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 79
at Unosquare.PassCore.Web.Controllers.PasswordController.Post(ChangePasswordModel model) in /src/src/Unosquare.PassCore.Web/Controllers/PasswordController.cs:line 108
at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
at Unosquare.PassCore.Web.Controllers.PasswordController.Post(ChangePasswordModel model)
at lambda_method3(Closure , Object , Object[] )
at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object contr
oller, Object[] arguments)
at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object contr
oller, Object[] arguments)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeActionMethodAsync()
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAsync()
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAsync()
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAwaitedAsync()
at Microsoft.AspNetCore.Mvc.Controller.OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
at Microsoft.AspNetCore.Mvc.Filters.ControllerActionFilter.OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)
at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeAsync()
at Microsoft.AspNetCore.Mvc.Routing.ControllerRequestDelegateFactory.<>c__DisplayClass10_0.<CreateRequestDelegate>b__0(HttpContext context)
at Microsoft.AspNetCore.Routing.EndpointMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.StaticFiles.DefaultFilesMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.HostFiltering.HostFilteringMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Hosting.HostingApplication.ProcessRequestAsync(Context context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequestsAsync[TContext](IHttpApplication`1 application)
at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequestsAsync[TContext](IHttpApplication`1 application)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.HttpConnection.ProcessRequestsAsync[TContext](IHttpApplication`1 httpApplication)
at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.HttpConnection.ProcessRequestsAsync[TContext](IHttpApplication`1 httpApplication)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.HttpConnectionMiddleware`1.OnConnectionAsync(ConnectionContext connectionContext)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.TransportManager.<>c__DisplayClass9_0.<BindAsync>b__0(ConnectionContext c)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.System.Threading.IThreadPoolWorkItem.Execute()
at System.Threading.ThreadPoolWorkQueue.Dispatch()
at System.Threading.PortableThreadPool.WorkerThread.WorkerThreadStart()
at System.Threading.Thread.StartCallback()
--- End of stack trace from previous location ---
--- End of inner exception stack trace ---
at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
warn: PassCoreLDAPProvider[0]
Failed to connect to any configured hostname - Unosquare.PassCore.Common.ApiErrorException: Error Code: InvalidCredentials
Failed to connect to any configured hostname
at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 329
at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.PerformPasswordChange(String username, String currentPassword, String newPassword) in /src/src/Zyborg.PassC
ore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 79
dbug: Microsoft.AspNetCore.Mvc.Infrastructure.DefaultOutputFormatterSelector[11]
List of registered output formatters, in the following order: Microsoft.AspNetCore.Mvc.Formatters.HttpNoContentOutputFormatter, Microsoft.AspNetCore.Mvc.Formatters.StringOutputFo
rmatter, Microsoft.AspNetCore.Mvc.Formatters.StreamOutputFormatter, Microsoft.AspNetCore.Mvc.Formatters.SystemTextJsonOutputFormatter
dbug: Microsoft.AspNetCore.Mvc.Infrastructure.DefaultOutputFormatterSelector[6]
Attempting to select an output formatter based on Accept header 'application/json'.
I'm not sure, but if I understand the following passage from the Readme correctly, then this means that MS Active Directory is not supported with Linux (and with that docker):
PassCore was created to use the Microsoft Active Directory Services provided by .NET Framework, but a new Provider using Novell LDAP Client can be used instead. This provider is the default when PassCore is running at Linux or macOS since Microsoft AD Services are NOT available.
Regards
For me it works with MS AD with passcore running in docker container.
According to the container log, passcore cannot connect to the LDAP server. Maybe you don't have SSL configured for AD?
Hi @drbogar yes. in fact after other research i had to installed AD Certificate role to enable this in the AD, and making testing using ldp.exe in the AD and now can see certificate works on MS AD,
After that i exported the certificate and import from .DER converting into .PEM to our server linux as updating root-ca but maybe must be imported inside the container itself ?? but still getting error.
the new one is certificate is rejected.
can you provide me your the steps after MS AD are the RootCA created it. maybe I'm misssing something in the middle process.
something like,
export certificate, and do this commands on linux... etc.
Yes, you must install the AD RootCA certificate as a trusted CA.
The container is a separate computer in this respect.
- export the RootCA certificate in crt extension format.
- copy the exported CA certificate into the /usr/local/share/ca-certificates/ folder of the docker container:
Add these two lines (modified as appropriate) to the Dockerfile:
ADD your_ca_root.crt /usr/local/share/ca-certificates/foo.crt
RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates
I hope this helps.
Hi @drbogar
thanks for the steps..
I'll did exactly and still getting error from passcore.
my steps was:
connect to MS AD
execute wizard to extract RootCA - copied into Download as dc1.domain.local.der
download and upload into docker engine linux.
run this commands to convert it
openssl x509 -inform der -in dc1.domain.local.der -out dc1.domain.local.crt
cp -v dc1.domain.local.crt /usr/local/src/passcore/
modify the Dockerfile with your instructions and build but still with error below
here is the log
warn: PassCoreLDAPProvider[0]
LDAP query: (sAMAccountName=user1)
warn: PassCoreLDAPProvider[0]
Failed to connect to host [dc1.domain.local] - System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 317
warn: PassCoreLDAPProvider[0]
Failed to connect to any configured hostname - Unosquare.PassCore.Common.ApiErrorException: Error Code: InvalidCredentials
Failed to connect to any configured hostname
at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 329
at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.PerformPasswordChange(String username, String currentPassword, String newPassword) in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 79
I see... ๐ค
Can you show me how the Dockerfile looks after editing?
What is the result of running the following command on your docker host?:
docker exec -it <name of the passcore container> ls -lta /etc/ssl/certs | grep -i dc1.domain.local.crt
Hi @drbogar sorry by delay, I did that grep and don't show up the certificate... must be appears under /etc/ssl/certs ?
in the dockerfile i set copy to dir /usr/local/share/ca-certificates/ after update-ca-certificates command maybe moved but isn't in that directory were was filter.
Dockerfile after last modifications
FROM node:latest AS node_base
RUN echo "NODE Version:" && node --version
RUN echo "NPM Version:" && npm --version
FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
COPY --from=node_base . .
WORKDIR /src
COPY ./ ./
COPY . .
ADD dc1.domain.local.crt /usr/local/share/ca-certificates/dc1.domain.local.crt
RUN chmod 644 /usr/local/share/ca-certificates/dc1.domain.local.crt && update-ca-certificates
RUN dotnet publish -c Release -o /app /p:PASSCORE_PROVIDER=LDAP
# final stage/image
FROM mcr.microsoft.com/dotnet/aspnet:6.0
WORKDIR /app
COPY --from=build /app ./
EXPOSE 80
ENTRYPOINT ["dotnet", "Unosquare.PassCore.Web.dll"]
Step 9/16 : COPY dc1.domain.local.crt /usr/local/share/ca-certificates/dc1.domain.local.crt
---> aa7ee7e4b0fb
Step 10/16 : RUN chmod 644 /usr/local/share/ca-certificates/dc1.domain.local.crt && update-ca-certificates
---> Running in 486aa8689cd1
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
i guess must be add 1 not 0...
after docker build when i start the container passcore inside not exist the certificate file inside.
Step 9/16 : COPY dc1.domain.local.crt /usr/local/share/ca-certificates/dc1.domain.local.crt ---> aa7ee7e4b0fb Step 10/16 : RUN chmod 644 /usr/local/share/ca-certificates/dc1.domain.local.crt && update-ca-certificates ---> Running in 486aa8689cd1 Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... done.
i guess must be add 1 not 0...
after docker build when i start the container passcore inside not exist the certificate file inside.
can you try to copy to /etc/ssl/certs instead of /usr/local... ?
Hi @drbogar sorry by delay, I did that grep and don't show up the certificate... must be appears under /etc/ssl/certs ? in the dockerfile i set copy to dir /usr/local/share/ca-certificates/ after update-ca-certificates command maybe moved but isn't in that directory were was filter.
The certificate should be placed in /usr/local/share/ca-certificates/. The update-ca-certificates
command copies it to /etc/ssl/cert.
Extract from the update-ca-certificates
command man page:
update-ca-certificates is a program that updates the directory /etc/ssl/certs to hold SSL
certificates and generates ca-certificates.crt, a concatenated single-file list of
certificates.
Dockerfile after last modifications
FROM node:latest AS node_base RUN echo "NODE Version:" && node --version RUN echo "NPM Version:" && npm --version FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build COPY --from=node_base . . WORKDIR /src COPY ./ ./ COPY . . ADD dc1.domain.local.crt /usr/local/share/ca-certificates/dc1.domain.local.crt RUN chmod 644 /usr/local/share/ca-certificates/dc1.domain.local.crt && update-ca-certificates RUN dotnet publish -c Release -o /app /p:PASSCORE_PROVIDER=LDAP # final stage/image FROM mcr.microsoft.com/dotnet/aspnet:6.0 WORKDIR /app COPY --from=build /app ./ EXPOSE 80 ENTRYPOINT ["dotnet", "Unosquare.PassCore.Web.dll"]
Passcore's Dockerfile creates several temporary images during the build. Each FROM is the start of a new image. To install the RootCA certificate on the final container, you need to insert the two lines I wrote earlier after the last FROM.
I hope this helps.
Hi @drbogar
I set the line after last FROM, now the certificate was added, but have to set absolute path for the command /usr/sbin/update-ca-certificates
---> Running in d9d2899d03e8
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
in fact now with grep I can see it inside the container, but still getting error rejecting certificate this is weird.
I test the certificate with other software and the test show "LDAPS certificates looks good"
this is the output certificate
openssl x509 -text -noout -in dc1.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
14:7e:c0:e6:92:19:26:aa:4b:40:c2:1b:f3:77:76:f5
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC = local, DC = domain, CN = dc1
Validity
Not Before: Sep 2 12:05:14 2022 GMT
Not After : Sep 2 12:15:13 2027 GMT
Subject: DC = local, DC = domain, CN = dc1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
...
...
...
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.20.2:
...C.A
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
any other idea?
can you share appsetttings hidding only sensitive data.??
are you using the last code here from master branch?
here is the actual log
dbug: Microsoft.AspNetCore.Mvc.Formatters.SystemTextJsonInputFormatter[2]
JSON input formatter succeeded, deserializing to type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.Binders.BodyModelBinder[45]
Done attempting to bind parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'.
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder[23]
Done attempting to bind parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'.
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder[26]
Attempting to validate the bound parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel' ...
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder[27]
Done attempting to validate the bound parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'.
warn: PassCoreLDAPProvider[0]
LDAP query: (sAMAccountName=user1)
warn: PassCoreLDAPProvider[0]
Failed to connect to host [dc1.domain.local] - System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided
RemoteCertificateValidationCallback.
at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line
317
warn: PassCoreLDAPProvider[0]
Failed to connect to any configured hostname - Unosquare.PassCore.Common.ApiErrorException: Error Code: InvalidCredentials
Failed to connect to any configured hostname
at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line
329
at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.PerformPasswordChange(String username, String currentPassword, String newPassword) in /src/src/Zy
borg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 79
dbug: Microsoft.AspNetCore.Mvc.Infrastructure.DefaultOutputFormatterSelector[11]
List of registered output formatters, in the following order: Microsoft.AspNetCore.Mvc.Formatters.HttpNoContentOutputFormatter, Microsoft.AspNetCore.Mvc.Formatters.Stri
ngOutputFormatter, Microsoft.AspNetCore.Mvc.Formatters.StreamOutputFormatter, Microsoft.AspNetCore.Mvc.Formatters.SystemTextJsonOutputFormatter
if I add this option
-e AppSettings__LdapIgnoreTlsErrors='true'
seems to works saying passowrd was changed BUT I see in the logs never connected to AD, so I assume this is only for test purpose for validate only the web form because never changed the password and with false
try to connect with that certificate error reject again.
any update?