
Comments (14)

emper0r commented on June 4, 2024

Hi @drbogar, yes. In fact, after further research I had to install the AD Certificate role to enable this in the AD, and testing with ldp.exe in the AD I can now see the certificate works on MS AD.

After that I exported the certificate and imported it, converting from .DER into .PEM, on our Linux server by updating the root CA, but maybe it must be imported inside the container itself? Still getting the error.

The new one is: certificate is rejected.

Can you provide me your steps after the MS AD RootCA is created? Maybe I'm missing something in the middle of the process.

Something like:
export the certificate, and run these commands on Linux... etc.

from passcore.

drbogar commented on June 4, 2024

Yes, you must install the AD RootCA certificate as a trusted CA.
The container is a separate computer in this respect.

  1. export the RootCA certificate in crt extension format.
  2. copy the exported CA certificate into the /usr/local/share/ca-certificates/ folder of the docker container:
    Add these two lines (modified as appropriate) to the Dockerfile:
ADD your_ca_root.crt /usr/local/share/ca-certificates/foo.crt
RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates

I hope this helps.


simonai1254 commented on June 4, 2024

I'm not sure, but if I understand the following passage from the Readme correctly, then this means that MS Active Directory is not supported with Linux (and with that docker):

PassCore was created to use the Microsoft Active Directory Services provided by .NET Framework, but a new Provider using Novell LDAP Client can be used instead. This provider is the default when PassCore is running at Linux or macOS since Microsoft AD Services are NOT available.

Regards


drbogar commented on June 4, 2024

For me it works with MS AD with passcore running in docker container.

According to the container log, passcore cannot connect to the LDAP server. Maybe you don't have SSL configured for AD?


emper0r commented on June 4, 2024

Hi @drbogar,
thanks for the steps.
I did exactly that and I'm still getting the error from passcore.

My steps were:

connect to MS AD
run the wizard to extract the RootCA - copied into Downloads as dc1.domain.local.der
download it and upload it to the Docker engine Linux host
run these commands to convert it

openssl x509 -inform der -in dc1.domain.local.der -out dc1.domain.local.crt
cp -v dc1.domain.local.crt /usr/local/src/passcore/

modify the Dockerfile with your instructions and build, but still with the error below

here is the log

warn: PassCoreLDAPProvider[0]
      LDAP query: (sAMAccountName=user1)
warn: PassCoreLDAPProvider[0]
      Failed to connect to host [dc1.domain.local] - System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
         at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
         at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
         at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 317
warn: PassCoreLDAPProvider[0]
      Failed to connect to any configured hostname - Unosquare.PassCore.Common.ApiErrorException: Error Code: InvalidCredentials
      Failed to connect to any configured hostname
         at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 329
         at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.PerformPasswordChange(String username, String currentPassword, String newPassword) in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 79


drbogar commented on June 4, 2024

I see... 🤔
Can you show me how the Dockerfile looks after editing?
What is the result of running the following command on your docker host?:

docker exec -it <name of the passcore container> ls -lta /etc/ssl/certs | grep -i dc1.domain.local.crt


emper0r commented on June 4, 2024

Hi @drbogar, sorry for the delay. I did that grep and the certificate doesn't show up... must it appear under /etc/ssl/certs?
In the Dockerfile I set the copy to the dir /usr/local/share/ca-certificates/; maybe the update-ca-certificates command moves it afterwards, but it isn't in the directory I filtered on.


emper0r commented on June 4, 2024

Dockerfile after last modifications

FROM node:latest AS node_base

RUN echo "NODE Version:" && node --version
RUN echo "NPM Version:" && npm --version

FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build

COPY --from=node_base . .

WORKDIR /src
COPY ./ ./

COPY . .

ADD dc1.domain.local.crt /usr/local/share/ca-certificates/dc1.domain.local.crt
RUN chmod 644 /usr/local/share/ca-certificates/dc1.domain.local.crt && update-ca-certificates
RUN dotnet publish -c Release -o /app /p:PASSCORE_PROVIDER=LDAP

# final stage/image
FROM mcr.microsoft.com/dotnet/aspnet:6.0
WORKDIR /app
COPY --from=build /app ./
EXPOSE 80
ENTRYPOINT ["dotnet", "Unosquare.PassCore.Web.dll"]


emper0r commented on June 4, 2024
Step 9/16 : COPY dc1.domain.local.crt /usr/local/share/ca-certificates/dc1.domain.local.crt
 ---> aa7ee7e4b0fb
Step 10/16 : RUN chmod 644 /usr/local/share/ca-certificates/dc1.domain.local.crt && update-ca-certificates
 ---> Running in 486aa8689cd1
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

I guess it must say 1 added, not 0...

After docker build, when I start the passcore container, the certificate file does not exist inside it.


ftoledo commented on June 4, 2024
Step 9/16 : COPY dc1.domain.local.crt /usr/local/share/ca-certificates/dc1.domain.local.crt
 ---> aa7ee7e4b0fb
Step 10/16 : RUN chmod 644 /usr/local/share/ca-certificates/dc1.domain.local.crt && update-ca-certificates
 ---> Running in 486aa8689cd1
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

I guess it must say 1 added, not 0...

After docker build, when I start the passcore container, the certificate file does not exist inside it.

Can you try to copy it to /etc/ssl/certs instead of /usr/local... ?


drbogar commented on June 4, 2024

Hi @drbogar, sorry for the delay. I did that grep and the certificate doesn't show up... must it appear under /etc/ssl/certs? In the Dockerfile I set the copy to the dir /usr/local/share/ca-certificates/; maybe the update-ca-certificates command moves it afterwards, but it isn't in the directory I filtered on.

The certificate should be placed in /usr/local/share/ca-certificates/. The update-ca-certificates command copies it to /etc/ssl/certs.

Extract from the update-ca-certificates command man page:

update-ca-certificates is a program that updates the directory /etc/ssl/certs to hold SSL
certificates and generates ca-certificates.crt, a concatenated single-file list of
certificates.


Dockerfile after last modifications

FROM node:latest AS node_base

RUN echo "NODE Version:" && node --version
RUN echo "NPM Version:" && npm --version

FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build

COPY --from=node_base . .

WORKDIR /src
COPY ./ ./

COPY . .

ADD dc1.domain.local.crt /usr/local/share/ca-certificates/dc1.domain.local.crt
RUN chmod 644 /usr/local/share/ca-certificates/dc1.domain.local.crt && update-ca-certificates
RUN dotnet publish -c Release -o /app /p:PASSCORE_PROVIDER=LDAP

# final stage/image
FROM mcr.microsoft.com/dotnet/aspnet:6.0
WORKDIR /app
COPY --from=build /app ./
EXPOSE 80
ENTRYPOINT ["dotnet", "Unosquare.PassCore.Web.dll"]

Passcore's Dockerfile creates several temporary images during the build. Each FROM is the start of a new image. To install the RootCA certificate on the final container, you need to insert the two lines I wrote earlier after the last FROM.
I hope this helps.

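The placement drbogar describes, written out as an added example. This is not PassCore's own Dockerfile: the node stage and the rest of the project's build lines are left out, only the image names, the publish command and the two CA lines come from the thread, and the certificate file name is the one emper0r used. The absolute path to update-ca-certificates is there because emper0r reports needing it.

```dockerfile
# Added example, not PassCore's Dockerfile. Shows where the CA import
# belongs in a multi-stage build: each FROM starts a new image, so a
# certificate installed before the last FROM lives in a build image that
# is thrown away and never reaches the container that runs PassCore.

FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
WORKDIR /src
COPY . .
# No CA import here: this stage is discarded once /app has been published.
RUN dotnet publish -c Release -o /app /p:PASSCORE_PROVIDER=LDAP

# final stage/image: this is the filesystem the running container sees
FROM mcr.microsoft.com/dotnet/aspnet:6.0
WORKDIR /app
COPY --from=build /app ./

# CA import after the last FROM. update-ca-certificates picks up PEM files
# with a .crt extension from this directory (hence the DER -> PEM conversion
# earlier in the thread) and copies them into /etc/ssl/certs, so the
# "1 added" line in the build output is the check that it worked.
COPY dc1.domain.local.crt /usr/local/share/ca-certificates/dc1.domain.local.crt
RUN chmod 644 /usr/local/share/ca-certificates/dc1.domain.local.crt \
    && /usr/sbin/update-ca-certificates

EXPOSE 80
ENTRYPOINT ["dotnet", "Unosquare.PassCore.Web.dll"]
```

After building, the grep drbogar gives earlier (docker exec into the container and list /etc/ssl/certs) should now show the file, and the build log should report "1 added" rather than "0 added".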

emper0r commented on June 4, 2024

Hi @drbogar

I set the lines after the last FROM; now the certificate was added, but I had to set the absolute path for the command, /usr/sbin/update-ca-certificates.

 ---> Running in d9d2899d03e8
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

In fact, now with grep I can see it inside the container, but I'm still getting the error rejecting the certificate; this is weird.

I tested the certificate with other software and the test shows "LDAPS certificates looks good".

This is the output certificate:


openssl x509 -text -noout -in dc1.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            14:7e:c0:e6:92:19:26:aa:4b:40:c2:1b:f3:77:76:f5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = local, DC = domain, CN = dc1
        Validity
            Not Before: Sep  2 12:05:14 2022 GMT
            Not After : Sep  2 12:15:13 2027 GMT
        Subject: DC = local, DC = domain, CN = dc1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    ...
                    ...
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2:
                ...C.A
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE

Any other idea?
Can you share your appsettings, hiding only the sensitive data?

Are you using the latest code here from the master branch?

Here is the actual log:


dbug: Microsoft.AspNetCore.Mvc.Formatters.SystemTextJsonInputFormatter[2]
      JSON input formatter succeeded, deserializing to type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.Binders.BodyModelBinder[45]
      Done attempting to bind parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'.
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder[23]
      Done attempting to bind parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'.
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder[26]
      Attempting to validate the bound parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel' ...
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder[27]
      Done attempting to validate the bound parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'.
warn: PassCoreLDAPProvider[0]
      LDAP query: (sAMAccountName=user1)
warn: PassCoreLDAPProvider[0]
      Failed to connect to host [dc1.domain.local] - System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
         at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
         at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
         at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 317
warn: PassCoreLDAPProvider[0]
      Failed to connect to any configured hostname - Unosquare.PassCore.Common.ApiErrorException: Error Code: InvalidCredentials
      Failed to connect to any configured hostname
         at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 329
         at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.PerformPasswordChange(String username, String currentPassword, String newPassword) in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 79
dbug: Microsoft.AspNetCore.Mvc.Infrastructure.DefaultOutputFormatterSelector[11]
      List of registered output formatters, in the following order: Microsoft.AspNetCore.Mvc.Formatters.HttpNoContentOutputFormatter, Microsoft.AspNetCore.Mvc.Formatters.StringOutputFormatter, Microsoft.AspNetCore.Mvc.Formatters.StreamOutputFormatter, Microsoft.AspNetCore.Mvc.Formatters.SystemTextJsonOutputFormatter

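The openssl output above only proves that the exported file is a self-signed CA certificate (Issuer equals Subject, CA:TRUE); what the LDAP client actually checks is whether the certificate the domain controller presents on the LDAPS port chains to that CA and carries the host name being connected to. The script below, an added example and not part of the thread or of PassCore, rehearses exactly that check offline: a constructed root CA with the same subject as in the thread stands in for the AD RootCA exported as .der, a constructed dc1.domain.local certificate issued by it stands in for the domain controller's LDAPS certificate, the DER to PEM conversion is the thread's own openssl command, and a plain concatenation of the .crt files stands in for what update-ca-certificates does (so no root is needed). It assumes only the openssl CLI (1.1.0 or later for -verify_hostname). Running the same verify against the real trust bundle and the real server certificate is the diagnosis to do before reaching for AppSettings__LdapIgnoreTlsErrors, which removes the check rather than fixing it.

```shell
#!/bin/sh
# Added example, not PassCore's code. Rehearses the CA-import steps from the
# thread offline: a CONSTRUCTED root CA stands in for the AD RootCA that the
# CA wizard exports as .der, and a CONSTRUCTED dc1.domain.local certificate
# stands in for the LDAPS certificate the domain controller presents.
# Requires the openssl CLI (1.1.0 or later for -verify_hostname).
set -eu

WORK="${TMPDIR:-/tmp}/passcore-ca-demo.$$"
CNF="$WORK/demo.cnf"

write_config() {
    mkdir -p "$WORK"
    cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
0.DC = local
1.DC = domain
CN = dc1
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[dc_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:dc1.domain.local
EOF
}

# Constructed root CA (subject as in the thread), exported as DER the way
# the AD certificate wizard does.
make_constructed_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$CNF" -extensions ca_ext \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl x509 -in "$WORK/ca.pem" -outform der -out "$WORK/dc1.domain.local.der"
}

# Constructed DC certificate issued by that CA, carrying the LDAPS host name.
make_constructed_dc_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" \
        -subj "/CN=dc1.domain.local" \
        -keyout "$WORK/dc1.key" -out "$WORK/dc1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/dc1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$CNF" -extensions dc_ext \
        -out "$WORK/dc1.pem" 2>/dev/null
}

# The thread's conversion step: DER export -> PEM .crt.
convert_der_to_crt() {
    openssl x509 -inform der -in "$1" -out "$2"
}

# Stand-in for update-ca-certificates: concatenate the PEM .crt files found
# in the ca-certificates directory into one bundle file (no root needed).
build_bundle() {
    cat "$1"/*.crt > "$2"
}

# Sanity check on the exported file: is it actually a CA certificate?
is_ca_cert() {
    openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# Chain and host name check against a bundle: the test a TLS client makes.
verify_dc_cert() { # bundle leaf hostname
    openssl verify -no-CAfile -no-CApath -CAfile "$1" \
        -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# The container's view before the CA is installed: no trust anchor at all.
verify_without_trust() {
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

write_config
make_constructed_ca
make_constructed_dc_cert
mkdir -p "$WORK/ca-certificates"
convert_der_to_crt "$WORK/dc1.domain.local.der" "$WORK/ca-certificates/dc1.domain.local.crt"
build_bundle "$WORK/ca-certificates" "$WORK/ca-certificates.crt"

is_ca_cert "$WORK/ca-certificates/dc1.domain.local.crt" && echo "exported file is a CA certificate"
if verify_without_trust "$WORK/dc1.pem"; then
    echo "unexpected: chain verified without a trust anchor"
else
    echo "without the CA installed: rejected (the symptom seen in the thread)"
fi
verify_dc_cert "$WORK/ca-certificates.crt" "$WORK/dc1.pem" dc1.domain.local \
    && echo "with the CA installed: dc1.domain.local chain and host name OK"
```

The files are left under $WORK so they can be inspected with openssl x509 -text. To check a real deployment, replace the constructed bundle with /etc/ssl/certs/ca-certificates.crt from inside the container and the constructed dc1.pem with the certificate the domain controller actually serves; if that verify fails while the exported CA file is fine, the server certificate is not issued by that CA or does not carry the configured host name, and that is what the RemoteCertificateValidationCallback is reporting.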

emper0r commented on June 4, 2024

If I add this option

-e AppSettings__LdapIgnoreTlsErrors='true'

it seems to work, saying the password was changed, BUT I see in the logs that it never connected to AD, so I assume this is only for test purposes, to validate only the web form, because it never changed the password, and with false it tries to connect and rejects with that certificate error again.


emper0r commented on June 4, 2024

any update?

