Comments (14)
Hi @drbogar, yes. In fact, after further research I had to install the AD Certificate role to enable this in AD, and after testing with ldp.exe in AD I can now see the certificate works on MS AD.
After that I exported the certificate, converted it from .DER to .PEM and imported it into our Linux server as an updated root CA, but maybe it must be imported inside the container itself?? But I'm still getting an error.
The new one is: certificate is rejected.
Can you provide me your steps after the MS AD RootCA is created? Maybe I'm missing something in the middle of the process.
Something like:
export certificate, and run these commands on Linux... etc.
from passcore.
Yes, you must install the AD RootCA certificate as a trusted CA.
The container is a separate computer in this respect.
- export the RootCA certificate in crt extension format.
- copy the exported CA certificate into the /usr/local/share/ca-certificates/ folder of the docker container:
Add these two lines (modified as appropriate) to the Dockerfile:
ADD your_ca_root.crt /usr/local/share/ca-certificates/foo.crt
RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates
I hope this helps.
from passcore.
I'm not sure, but if I understand the following passage from the Readme correctly, then this means that MS Active Directory is not supported on Linux (and with that, Docker):
PassCore was created to use the Microsoft Active Directory Services provided by .NET Framework, but a new Provider using Novell LDAP Client can be used instead. This provider is the default when PassCore is running at Linux or macOS since Microsoft AD Services are NOT available.
Regards
from passcore.
For me it works with MS AD with passcore running in docker container.
According to the container log, passcore cannot connect to the LDAP server. Maybe you don't have SSL configured for AD?
from passcore.
Hi @drbogar,
thanks for the steps..
I did exactly that and am still getting an error from passcore.
My steps were:
connect to MS AD
execute the wizard to extract the RootCA - copied into Download as dc1.domain.local.der
download and upload into the Docker engine Linux host.
run these commands to convert it
openssl x509 -inform der -in dc1.domain.local.der -out dc1.domain.local.crt
cp -v dc1.domain.local.crt /usr/local/src/passcore/
modify the Dockerfile with your instructions and build, but still with the error below
here is the log
warn: PassCoreLDAPProvider[0]
LDAP query: (sAMAccountName=user1)
warn: PassCoreLDAPProvider[0]
Failed to connect to host [dc1.domain.local] - System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 317
warn: PassCoreLDAPProvider[0]
Failed to connect to any configured hostname - Unosquare.PassCore.Common.ApiErrorException: Error Code: InvalidCredentials
Failed to connect to any configured hostname
at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 329
at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.PerformPasswordChange(String username, String currentPassword, String newPassword) in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 79
from passcore.
I see... 🤔
Can you show me how the Dockerfile looks after editing?
What is the result of running the following command on your docker host?:
docker exec -it <name of the passcore container> ls -lta /etc/ssl/certs | grep -i dc1.domain.local.crt
from passcore.
Hi @drbogar, sorry for the delay. I ran that grep and the certificate doesn't show up... must it appear under /etc/ssl/certs?
In the Dockerfile I set the copy to the dir /usr/local/share/ca-certificates/; after the update-ca-certificates command maybe it was moved, but it isn't in the directory that was filtered.
from passcore.
Dockerfile after last modifications
FROM node:latest AS node_base
RUN echo "NODE Version:" && node --version
RUN echo "NPM Version:" && npm --version
FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
COPY --from=node_base . .
WORKDIR /src
COPY ./ ./
COPY . .
ADD dc1.domain.local.crt /usr/local/share/ca-certificates/dc1.domain.local.crt
RUN chmod 644 /usr/local/share/ca-certificates/dc1.domain.local.crt && update-ca-certificates
RUN dotnet publish -c Release -o /app /p:PASSCORE_PROVIDER=LDAP
# final stage/image
FROM mcr.microsoft.com/dotnet/aspnet:6.0
WORKDIR /app
COPY --from=build /app ./
EXPOSE 80
ENTRYPOINT ["dotnet", "Unosquare.PassCore.Web.dll"]
from passcore.
Step 9/16 : COPY dc1.domain.local.crt /usr/local/share/ca-certificates/dc1.domain.local.crt
---> aa7ee7e4b0fb
Step 10/16 : RUN chmod 644 /usr/local/share/ca-certificates/dc1.domain.local.crt && update-ca-certificates
---> Running in 486aa8689cd1
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
I guess it should be 1 added, not 0...
After docker build, when I start the passcore container the certificate file doesn't exist inside it.
from passcore.
Can you try copying to /etc/ssl/certs instead of /usr/local...?
from passcore.
The certificate should be placed in /usr/local/share/ca-certificates/. The update-ca-certificates command copies it to /etc/ssl/certs.
Extract from the update-ca-certificates command man page:
update-ca-certificates is a program that updates the directory /etc/ssl/certs to hold SSL certificates and generates ca-certificates.crt, a concatenated single-file list of certificates.
Passcore's Dockerfile creates several temporary images during the build. Each FROM is the start of a new image. To install the RootCA certificate on the final container, you need to insert the two lines I wrote earlier after the last FROM.
I hope this helps.
from passcore.
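An added pre-flight check for the two points raised above: update-ca-certificates only installs PEM files with a .crt extension from /usr/local/share/ca-certificates/, and in a multi-stage build the ADD/RUN pair has to sit after the last FROM to reach the shipped image. This is example code written for this page, not PassCore's own; it assumes a Debian-style ca-certificates layout and uses an abridged copy of the Dockerfile posted above as its sample input. The DER/PEM helper only converts encodings; it does not validate the certificate.

```python
"""Pre-flight checks for baking a private root CA into a Docker image (example)."""
from __future__ import annotations

import ssl
from pathlib import PurePosixPath
from textwrap import dedent

CA_DIR = "/usr/local/share/ca-certificates/"   # Debian drop-in directory (assumed)
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def normalise_ca_file(data: bytes) -> tuple[str, str]:
    """Return (input_encoding, pem_text) for a certificate given as PEM or DER.

    DER is recognised by the leading ASN.1 SEQUENCE tag (0x30) and wrapped as PEM
    with the stdlib helper; a DER file dropped into CA_DIR is silently ignored
    by update-ca-certificates, which is one way to end up with "0 added".
    """
    if PEM_HEADER in data:
        return "pem", data.decode("ascii")
    if data[:1] == b"\x30":
        return "der", ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("input is neither a PEM nor a DER certificate")


def check_ca_filename(dest: str) -> list[str]:
    """Problems with the destination path of the ADD/COPY instruction."""
    problems: list[str] = []
    path = PurePosixPath(dest)
    if not dest.startswith(CA_DIR):
        problems.append(f"destination {dest} is not under {CA_DIR}")
    if path.suffix != ".crt":
        problems.append(f"update-ca-certificates ignores {path.name}: extension must be .crt")
    return problems


def check_dockerfile(text: str) -> list[str]:
    """Problems with where the CA-install instructions sit in a multi-stage build.

    An empty list means the CA is copied into CA_DIR and update-ca-certificates
    is run, and both instructions come after the final FROM.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    words = [ln.split() for ln in lines]
    from_idx = [i for i, w in enumerate(words) if w and w[0].upper() == "FROM"]
    if not from_idx:
        return ["no FROM instruction found"]
    last_from = from_idx[-1]

    add_idx = [i for i, w in enumerate(words)
               if w and w[0].upper() in ("ADD", "COPY") and CA_DIR in lines[i]]
    run_idx = [i for i, w in enumerate(words)
               if w and w[0].upper() == "RUN" and "update-ca-certificates" in lines[i]]

    problems: list[str] = []
    if not add_idx:
        problems.append(f"no ADD/COPY into {CA_DIR}")
    if not run_idx:
        problems.append("no RUN update-ca-certificates")
    for i in add_idx:
        problems.extend(check_ca_filename(words[i][-1]))
        if i < last_from:
            problems.append(f"line {i + 1}: CA copied into an intermediate stage (before the last FROM)")
    for i in run_idx:
        if i < last_from:
            problems.append(f"line {i + 1}: update-ca-certificates runs in an intermediate stage")
    return problems


# Abridged from the Dockerfile posted in this thread: the CA lines sit in the build stage.
BROKEN_DOCKERFILE = dedent("""\
    FROM node:latest AS node_base
    FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
    WORKDIR /src
    COPY . .
    ADD dc1.domain.local.crt /usr/local/share/ca-certificates/dc1.domain.local.crt
    RUN chmod 644 /usr/local/share/ca-certificates/dc1.domain.local.crt && update-ca-certificates
    RUN dotnet publish -c Release -o /app /p:PASSCORE_PROVIDER=LDAP
    FROM mcr.microsoft.com/dotnet/aspnet:6.0
    WORKDIR /app
    COPY --from=build /app ./
    ENTRYPOINT ["dotnet", "Unosquare.PassCore.Web.dll"]
""")

# Same build with the two lines moved after the final FROM (absolute path to the
# tool, as the thread's author reported needing on the runtime image).
FIXED_DOCKERFILE = dedent("""\
    FROM node:latest AS node_base
    FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
    WORKDIR /src
    COPY . .
    RUN dotnet publish -c Release -o /app /p:PASSCORE_PROVIDER=LDAP
    FROM mcr.microsoft.com/dotnet/aspnet:6.0
    WORKDIR /app
    ADD dc1.domain.local.crt /usr/local/share/ca-certificates/dc1.domain.local.crt
    RUN chmod 644 /usr/local/share/ca-certificates/dc1.domain.local.crt && /usr/sbin/update-ca-certificates
    COPY --from=build /app ./
    ENTRYPOINT ["dotnet", "Unosquare.PassCore.Web.dll"]
""")

if __name__ == "__main__":
    for name, df in (("broken", BROKEN_DOCKERFILE), ("fixed", FIXED_DOCKERFILE)):
        print(name, check_dockerfile(df) or "OK")
```

To use it on a real build, read the Dockerfile and the exported CA file from disk, run the CA bytes through normalise_ca_file before writing the .crt, and treat any non-empty problem list as a reason not to build; the check is deliberately conservative and only knows the Debian layout the thread is using.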
Hi @drbogar
I set the lines after the last FROM; now the certificate is added, but I had to use the absolute path for the command, /usr/sbin/update-ca-certificates
---> Running in d9d2899d03e8
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
In fact, now with grep I can see it inside the container, but I'm still getting the error rejecting the certificate; this is weird.
I test the certificate with other software and the test show "LDAPS certificates looks good"
this is the output certificate
openssl x509 -text -noout -in dc1.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
14:7e:c0:e6:92:19:26:aa:4b:40:c2:1b:f3:77:76:f5
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC = local, DC = domain, CN = dc1
Validity
Not Before: Sep 2 12:05:14 2022 GMT
Not After : Sep 2 12:15:13 2027 GMT
Subject: DC = local, DC = domain, CN = dc1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
...
...
...
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.20.2:
...C.A
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
Any other idea?
Can you share appsettings, hiding only the sensitive data??
Are you using the latest code from the master branch?
here is the actual log
dbug: Microsoft.AspNetCore.Mvc.Formatters.SystemTextJsonInputFormatter[2]
JSON input formatter succeeded, deserializing to type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.Binders.BodyModelBinder[45]
Done attempting to bind parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'.
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder[23]
Done attempting to bind parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'.
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder[26]
Attempting to validate the bound parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel' ...
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder[27]
Done attempting to validate the bound parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'.
warn: PassCoreLDAPProvider[0]
LDAP query: (sAMAccountName=user1)
warn: PassCoreLDAPProvider[0]
Failed to connect to host [dc1.domain.local] - System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 317
warn: PassCoreLDAPProvider[0]
Failed to connect to any configured hostname - Unosquare.PassCore.Common.ApiErrorException: Error Code: InvalidCredentials
Failed to connect to any configured hostname
at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 329
at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.PerformPasswordChange(String username, String currentPassword, String newPassword) in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 79
dbug: Microsoft.AspNetCore.Mvc.Infrastructure.DefaultOutputFormatterSelector[11]
List of registered output formatters, in the following order: Microsoft.AspNetCore.Mvc.Formatters.HttpNoContentOutputFormatter, Microsoft.AspNetCore.Mvc.Formatters.StringOutputFormatter, Microsoft.AspNetCore.Mvc.Formatters.StreamOutputFormatter, Microsoft.AspNetCore.Mvc.Formatters.SystemTextJsonOutputFormatter
from passcore.
If I add this option
-e AppSettings__LdapIgnoreTlsErrors='true'
it seems to work, saying the password was changed, BUT I see in the logs that it never connected to AD, so I assume this is only for test purposes, to validate only the web form, because it never changed the password. With false
it tries to connect and rejects with that certificate error again.
from passcore.
any update?
from passcore.