Skip to content
This repository has been archived by the owner on Jun 2, 2023. It is now read-only.

PassCore using Docker always got Invalid Credentials #671

Open
emper0r opened this issue Sep 1, 2022 · 14 comments
Open

PassCore using Docker always got Invalid Credentials #671

emper0r opened this issue Sep 1, 2022 · 14 comments

Comments

@emper0r
Copy link

emper0r commented Sep 1, 2022
edited
Loading

PassCore Server

  • OS: [ Linux ]
  • Provider: [ Active Directory ]
  • Settings file (without sensitive information): appsettings.json below
  • Log file (without sensitive information):

Describe the bug
Hi, thanks for the community free project but i'm still trying to figure out HOW can connect this docker container with Active Directory, I read ALL open issues, to verify the other solutions, I read almost ALL issues closed to implement the combination explained with different versions and appsetings.json. but NOTHING .... not exist any way to can talk with LDAP Active Directory from Docker.

To Reproduce
Steps to reproduce the behavior:

  1. Fresh install from Almalinux (RedHat Enterprise Linux clone)
  2. install docker engine
  3. clone the latest version from master, (i test it even 4.2.4, 4.2.3 with little modifications)
    the rest of tags are too old to build now and get more errors
cd /usr/local/src
git clone https://github.com/unosquare/passcore.git passcore
cd passcore
vim Dockerfile

remove this line https://github.com/unosquare/passcore/blob/master/Dockerfile#L15
modify the line https://github.com/unosquare/passcore/blob/master/Dockerfile#L16 without --no-restore otherwise NEVER build an image correctly

vim /usr/local/src/passcore/src/Unosquare.PassCore.Web/appsettings.json
docker build --rm -t passcore .
docker run \
-e AppSettings__LdapUsername='Administrator' \
-e AppSettings__LdapPassword='StrongPassword' \
-it -p 8000:80 passcore:latest

Expected behavior
Change the password of user

Screenshots
image

Desktop (please complete the following information):

  • OS: [Windows]
  • Browser [Chrome]
  • Version [latest]

Additional context
I want to add this info, I made research about LDAP Novell client to check if some special chars how would be parser to set correctly and then review the code and seems ok. so in theory passcore clean very well the special chars but including changing the administrator password to a simple 123abc just for test, the container NEVER connect... always said. Invalid Credentials.

network communication are fine and can check here in both ports 389, and 636 but still research. the password in Active Directory NEVER change using 389 because require secure port so always have to use 636.

image

i don't know what other things need to do and verify or check to try use this software, we don't use Windows to install an IIS and deploy this.. we need to use docker as microservices.

any help please!? is very frustrating...

appsettings.json

{
  "Logging": {
    "IncludeScopes": true,
    "LogLevel": {
      "Default": "Debug",
      "System": "Debug",
      "Microsoft": "Debug"
    }
  },
  "WebSettings": {
    "EnableHttpsRedirect": false
  },
  "AppSettings": {
    // The following options for AD Provider (remove if you don't use this Provider)
    "UseAutomaticContext": true, // Set true to allow PassCore to reset password using the same credentials, or false if you will fill the credentials below
    "RestrictedADGroups": [
      "Administrators",
      "Domain Admins",
      "Enterprise Admins"
    ], // Set the AD groups to restrict the use of PassCore
    "AllowedADGroups": [], // Set the AD Groups to allow PassCore, if the array is empty all the groups no-restricted above are allowed
    "IdTypeForUser": "SAM", // Possible values are "DN", "GUID", "Name", "SAM", "SID" and "UPN" (Default UPN)
    "UpdateLastPassword": false, // Set true to allow PassCore to  update the last password timestamp
    // The following options are for LDAP Provider (remove if you don't use this Provider)
    "LdapSearchBase": "DC=domain,DC=local",
    "LdapSecureSocketLayer": true, // Default for AD is true when using LDAPS 636
    "LdapStartTls": true, // Default for AD is true when using LDAP 389
    "LdapChangePasswordWithDelAdd": false,
    "LdapSearchFilter": "(sAMAccountName={Username})", // Another value: "(&(objectClass=person)(cn={Username}))"
    // General options (valid for both providers)
    "LdapHostnames": [ "dc1.domain.local", "dc2.domain.local" ], // Set your hostname(s)
    "LdapPort": 636, // Default for AD is 389, for LDAPS 636
    "LdapUsername": "", // Set the username or distinguish name (DN) to bind the LDAP server
    "LdapPassword": "", // Set the password for the username
    "DefaultDomain": "" // Set your default AD domain here, or non "@" logins will not work! Use empty value to allow user to set the domain. This option is ONLY available with UPN.
  },
  "ClientSettings": {
    "ValidationRegex": {
      "EmailRegex": "^[a-zA-Z0-9.!#$%&’*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+)*$",
      "UsernameRegex": "^[a-zA-Z0-9._-]{3,20}$"
    },
    "UsePasswordGeneration": false, //Set true to let PassCore create a new password for the current account. If true the user can not customize its new password.
    "PasswordEntropy": 16, // the number of bytes of entropy to use for generated passwords
    "ShowPasswordMeter": true,
    "MinimumScore": 0, //The minimum acceptable score that the user's new password needs to get at being evaluated by ZXCVBN to be established as the new password.
    "Recaptcha": {
      "SiteKey": "", // ReCAPTCHA public key: replace this! or leave empty if you don't need ReCAPTCHA
      "PrivateKey": "", // ReCAPTCHA private key: replace this! or leave empty if you don't need ReCAPTCHA
      "LanguageCode": "en"
    },
    "UseEmail": "false",
    "ApplicationTitle": "Change Account Password | Self-Service Account Management Tools",
    "ChangePasswordTitle": "Change Account Password",
    "ChangePasswordForm": {
      "HelpText": "If you are having trouble with this tool, please contact IT Support",
      "UsernameLabel": "Username",
      "UsernameHelpblock": "Your organization's email address",
      "UsernameDefaultDomainHelperBlock": "Your organization's username",
      "CurrentPasswordLabel": "Current Password",
      "CurrentPasswordHelpblock": "Enter your current password",
      "NewPasswordLabel": "New Password",
      "NewPasswordHelpblock": "Enter a <a href='https://support.microsoft.com/en-us/help/4026406/microsoft-account-create-a-strong-password' target='_blank'>strong password</a>. You ca
n use <a href='https://xkpasswd.net/s/' target='_blank'>this tool</a> to help you create one; use the XKCD (random sep, pad digit), or NTLM, options.",
      "NewPasswordVerifyLabel": "Re-enter New Password",
      "NewPasswordVerifyHelpblock": "Enter your new password again",
      "ChangePasswordButtonLabel": "Change Password"
    },
    "ErrorsPasswordForm": {
      "FieldRequired": "This field is required",
      "UsernamePattern": "Please enter a valid username",
      "UsernameEmailPattern": "Please enter a valid email address",
      "PasswordMatch": "Passwords do not match"
    },
    "Alerts": {
      "SuccessAlertTitle": "You have changed your password successfully.",
      "SuccessAlertBody": "Please note it may take a few hours for your new password to reach all domain controllers.",
      "ErrorPasswordChangeNotAllowed": "You are not allowed to change your password. Please contact your system administrator.",
      "ErrorInvalidCredentials": "You need to provide the correct current password.",
      "ErrorInvalidDomain": "You have supplied an invalid domain to logon to.",
      "ErrorInvalidUser": "We could not find your user account.",
      "ErrorCaptcha": "Could not verify you are not a robot.",
      "ErrorFieldRequired": "Fulfill all the fields.",
      "ErrorFieldMismatch": "The passwords do not match.",
      "ErrorComplexPassword": "Failed due to password complex policies: New password length is shorter than AD minimum password length",
      "ErrorConnectionLdap": "Unhandled error connecting to the LDAP server.",
      "ErrorScorePassowrd": "The password you are trying to set is not secure enough."
    }
  }
}

logs from container passcore

dbug: Microsoft.AspNetCore.Server.Kestrel[26]
      Connection id "0HMKC2ALE5764", Request id "0HMKC2ALE5764:00000002": done reading request body.
dbug: Microsoft.AspNetCore.Mvc.Formatters.SystemTextJsonInputFormatter[2]
      JSON input formatter succeeded, deserializing to type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.Binders.BodyModelBinder[45]
      Done attempting to bind parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'.
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder[23]
      Done attempting to bind parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'.
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder[26]
      Attempting to validate the bound parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel' ...
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder[27]
      Done attempting to validate the bound parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'.
warn: PassCoreLDAPProvider[0]
      LDAP query: (sAMAccountName=user1)
warn: PassCoreLDAPProvider[0]
      Failed to connect to host [dc1.domain.local] - LdapException: Unable to connect to server dc1.domain.local:636 (91) Connect Error
      System.IO.IOException: Unable to write data to the transport connection: Connection reset by peer.
       ---> System.Net.Sockets.SocketException (104): Connection reset by peer
         at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.CreateException(SocketError error, Boolean forAsyncThrow)
         at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.SendAsyncForNetworkStream(Socket socket, CancellationToken cancellationToken)
         at System.Net.Sockets.Socket.SendAsyncForNetworkStream(ReadOnlyMemory`1 buffer, SocketFlags socketFlags, CancellationToken cancellationToken)
         at System.Net.Sockets.NetworkStream.WriteAsync(ReadOnlyMemory`1 buffer, CancellationToken cancellationToken)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at System.Net.Security.SslStream.ProcessAuthenticationAsync(Boolean isAsync, Boolean isApm, CancellationToken cancellationToken)
         at System.Net.Security.SslStream.AuthenticateAsClientAsync(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken)
         at System.Net.Security.SslStream.AuthenticateAsClientAsync(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCert
ificateRevocation)
         at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
         at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 317
         at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.PerformPasswordChange(String username, String currentPassword, String newPassword) in /src/src/Zyborg.PassC
ore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 79
         at Unosquare.PassCore.Web.Controllers.PasswordController.Post(ChangePasswordModel model) in /src/src/Unosquare.PassCore.Web/Controllers/PasswordController.cs:line 108
         at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
         at Unosquare.PassCore.Web.Controllers.PasswordController.Post(ChangePasswordModel model)
         at lambda_method3(Closure , Object , Object[] )
         at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object contr
oller, Object[] arguments)
         at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
         at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object contr
oller, Object[] arguments)
         at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeActionMethodAsync()
         at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
         at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAsync()
         at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
         at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAsync()
         at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAwaitedAsync()
         at Microsoft.AspNetCore.Mvc.Controller.OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
         at Microsoft.AspNetCore.Mvc.Filters.ControllerActionFilter.OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
         at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
         at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
         at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
         at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
         at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)
         at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
         at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)
         at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeAsync()
         at Microsoft.AspNetCore.Mvc.Routing.ControllerRequestDelegateFactory.<>c__DisplayClass10_0.<CreateRequestDelegate>b__0(HttpContext context)
         at Microsoft.AspNetCore.Routing.EndpointMiddleware.Invoke(HttpContext httpContext)
         at Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware.Invoke(HttpContext httpContext)
         at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
         at Microsoft.AspNetCore.StaticFiles.DefaultFilesMiddleware.Invoke(HttpContext context)
         at Microsoft.AspNetCore.HostFiltering.HostFilteringMiddleware.Invoke(HttpContext context)
         at Microsoft.AspNetCore.Hosting.HostingApplication.ProcessRequestAsync(Context context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
         at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequestsAsync[TContext](IHttpApplication`1 application)
         at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequestsAsync[TContext](IHttpApplication`1 application)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.HttpConnection.ProcessRequestsAsync[TContext](IHttpApplication`1 httpApplication)
         at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.HttpConnection.ProcessRequestsAsync[TContext](IHttpApplication`1 httpApplication)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.HttpConnectionMiddleware`1.OnConnectionAsync(ConnectionContext connectionContext)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.TransportManager.<>c__DisplayClass9_0.<BindAsync>b__0(ConnectionContext c)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
         at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.System.Threading.IThreadPoolWorkItem.Execute()
         at System.Threading.ThreadPoolWorkQueue.Dispatch()
         at System.Threading.PortableThreadPool.WorkerThread.WorkerThreadStart()
         at System.Threading.Thread.StartCallback()
      --- End of stack trace from previous location ---

         at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
         at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
warn: PassCoreLDAPProvider[0]
      Failed to connect to host [dc2.domain.local] - LdapException: Unable to connect to server dc2.domain.local:636 (91) Connect Error
      System.IO.IOException: Unable to write data to the transport connection: Connection reset by peer.
       ---> System.Net.Sockets.SocketException (104): Connection reset by peer
         at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.CreateException(SocketError error, Boolean forAsyncThrow)
         at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.SendAsyncForNetworkStream(Socket socket, CancellationToken cancellationToken)
         at System.Net.Sockets.Socket.SendAsyncForNetworkStream(ReadOnlyMemory`1 buffer, SocketFlags socketFlags, CancellationToken cancellationToken)
         at System.Net.Sockets.NetworkStream.WriteAsync(ReadOnlyMemory`1 buffer, CancellationToken cancellationToken)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at System.Net.Security.SslStream.ProcessAuthenticationAsync(Boolean isAsync, Boolean isApm, CancellationToken cancellationToken)
         at System.Net.Security.SslStream.AuthenticateAsClientAsync(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken)
         at System.Net.Security.SslStream.AuthenticateAsClientAsync(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCert
ificateRevocation)
         at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
         at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 317
         at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.PerformPasswordChange(String username, String currentPassword, String newPassword) in /src/src/Zyborg.PassC
ore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 79
         at Unosquare.PassCore.Web.Controllers.PasswordController.Post(ChangePasswordModel model) in /src/src/Unosquare.PassCore.Web/Controllers/PasswordController.cs:line 108
         at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
         at Unosquare.PassCore.Web.Controllers.PasswordController.Post(ChangePasswordModel model)
         at lambda_method3(Closure , Object , Object[] )
         at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object contr
oller, Object[] arguments)
         at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
         at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object contr
oller, Object[] arguments)
         at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeActionMethodAsync()
         at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
         at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAsync()
         at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
         at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAsync()
         at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAwaitedAsync()
         at Microsoft.AspNetCore.Mvc.Controller.OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
         at Microsoft.AspNetCore.Mvc.Filters.ControllerActionFilter.OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
         at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
         at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
         at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
         at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
         at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)
         at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
         at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)
         at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeAsync()
         at Microsoft.AspNetCore.Mvc.Routing.ControllerRequestDelegateFactory.<>c__DisplayClass10_0.<CreateRequestDelegate>b__0(HttpContext context)
         at Microsoft.AspNetCore.Routing.EndpointMiddleware.Invoke(HttpContext httpContext)
         at Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware.Invoke(HttpContext httpContext)
         at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
         at Microsoft.AspNetCore.StaticFiles.DefaultFilesMiddleware.Invoke(HttpContext context)
         at Microsoft.AspNetCore.HostFiltering.HostFilteringMiddleware.Invoke(HttpContext context)
         at Microsoft.AspNetCore.Hosting.HostingApplication.ProcessRequestAsync(Context context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
         at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequestsAsync[TContext](IHttpApplication`1 application)
         at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequestsAsync[TContext](IHttpApplication`1 application)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.HttpConnection.ProcessRequestsAsync[TContext](IHttpApplication`1 httpApplication)
         at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.HttpConnection.ProcessRequestsAsync[TContext](IHttpApplication`1 httpApplication)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.HttpConnectionMiddleware`1.OnConnectionAsync(ConnectionContext connectionContext)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.TransportManager.<>c__DisplayClass9_0.<BindAsync>b__0(ConnectionContext c)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
         at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.System.Threading.IThreadPoolWorkItem.Execute()
         at System.Threading.ThreadPoolWorkQueue.Dispatch()
         at System.Threading.PortableThreadPool.WorkerThread.WorkerThreadStart()
         at System.Threading.Thread.StartCallback()
      --- End of stack trace from previous location ---
         --- End of inner exception stack trace ---
         at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
         at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
warn: PassCoreLDAPProvider[0]
      Failed to connect to any configured hostname - Unosquare.PassCore.Common.ApiErrorException: Error Code: InvalidCredentials
      Failed to connect to any configured hostname
         at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 329
         at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.PerformPasswordChange(String username, String currentPassword, String newPassword) in /src/src/Zyborg.PassC
ore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 79
dbug: Microsoft.AspNetCore.Mvc.Infrastructure.DefaultOutputFormatterSelector[11]
      List of registered output formatters, in the following order: Microsoft.AspNetCore.Mvc.Formatters.HttpNoContentOutputFormatter, Microsoft.AspNetCore.Mvc.Formatters.StringOutputFo
rmatter, Microsoft.AspNetCore.Mvc.Formatters.StreamOutputFormatter, Microsoft.AspNetCore.Mvc.Formatters.SystemTextJsonOutputFormatter
dbug: Microsoft.AspNetCore.Mvc.Infrastructure.DefaultOutputFormatterSelector[6]
      Attempting to select an output formatter based on Accept header 'application/json'.
@simonai1254
Copy link

I'm not sure, but if I understand the following passage from the Readme correctly, then this means that MS Active Directory is not supported with Linux (and with that docker):

PassCore was created to use the Microsoft Active Directory Services provided by .NET Framework, but a new Provider using Novell LDAP Client can be used instead. This provider is the default when PassCore is running at Linux or macOS since Microsoft AD Services are NOT available.

Regards

@drbogar
Copy link

drbogar commented Sep 6, 2022

For me it works with MS AD with passcore running in docker container.

According to the container log, passcore cannot connect to the LDAP server. Maybe you don't have SSL configured for AD?

@emper0r
Copy link
Author

emper0r commented Sep 8, 2022

Hi @drbogar yes. in fact after other research i had to installed AD Certificate role to enable this in the AD, and making testing using ldp.exe in the AD and now can see certificate works on MS AD,

After that i exported the certificate and import from .DER converting into .PEM to our server linux as updating root-ca but maybe must be imported inside the container itself ?? but still getting error.

the new one is certificate is rejected.

can you provide me your the steps after MS AD are the RootCA created it. maybe I'm misssing something in the middle process.

something like,
export certificate, and do this commands on linux... etc.

@drbogar
Copy link

drbogar commented Sep 8, 2022

Yes, you must install the AD RootCA certificate as a trusted CA.
The container is a separate computer in this respect.

  1. export the RootCA certificate in crt extension format.
  2. copy the exported CA certificate into the /usr/local/share/ca-certificates/ folder of the docker container:
    Add these two lines (modified as appropriate) to the Dockerfile:
ADD your_ca_root.crt /usr/local/share/ca-certificates/foo.crt
RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates

I hope this helps.

@emper0r
Copy link
Author

emper0r commented Sep 8, 2022

Hi @drbogar
thanks for the steps..
I'll did exactly and still getting error from passcore.

my steps was:

connect to MS AD
execute wizard to extract RootCA - copied into Download as dc1.domain.local.der
download and upload into docker engine linux.
run this commands to convert it

openssl x509 -inform der -in dc1.domain.local.der -out dc1.domain.local.crt
cp -v dc1.domain.local.crt /usr/local/src/passcore/

modify the Dockerfile with your instructions and build but still with error below

here is the log

warn: PassCoreLDAPProvider[0]
      LDAP query: (sAMAccountName=user1)
warn: PassCoreLDAPProvider[0]
      Failed to connect to host [dc1.domain.local] - System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
         at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
         at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
         at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 317
warn: PassCoreLDAPProvider[0]
      Failed to connect to any configured hostname - Unosquare.PassCore.Common.ApiErrorException: Error Code: InvalidCredentials
      Failed to connect to any configured hostname
         at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 329
         at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.PerformPasswordChange(String username, String currentPassword, String newPassword) in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 79

@drbogar
Copy link

drbogar commented Sep 9, 2022

I see... 🤔
Can you show me how the Dockerfile looks after editing?
What is the result of running the following command on your docker host?:

docker exec -it <name of the passcore container> ls -lta /etc/ssl/certs | grep -i dc1.domain.local.crt

@emper0r
Copy link
Author

emper0r commented Sep 14, 2022

Hi @drbogar sorry by delay, I did that grep and don't show up the certificate... must be appears under /etc/ssl/certs ?
in the dockerfile i set copy to dir /usr/local/share/ca-certificates/ after update-ca-certificates command maybe moved but isn't in that directory were was filter.

@emper0r
Copy link
Author

emper0r commented Sep 14, 2022

Dockerfile after last modifications

FROM node:latest AS node_base

RUN echo "NODE Version:" && node --version
RUN echo "NPM Version:" && npm --version

FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build

COPY --from=node_base . .

WORKDIR /src
COPY ./ ./

COPY . .

ADD dc1.domain.local.crt /usr/local/share/ca-certificates/dc1.domain.local.crt
RUN chmod 644 /usr/local/share/ca-certificates/dc1.domain.local.crt && update-ca-certificates
RUN dotnet publish -c Release -o /app /p:PASSCORE_PROVIDER=LDAP

# final stage/image
FROM mcr.microsoft.com/dotnet/aspnet:6.0
WORKDIR /app
COPY --from=build /app ./
EXPOSE 80
ENTRYPOINT ["dotnet", "Unosquare.PassCore.Web.dll"]

@emper0r
Copy link
Author

emper0r commented Sep 14, 2022 

Step 9/16 : COPY dc1.domain.local.crt /usr/local/share/ca-certificates/dc1.domain.local.crt
 ---> aa7ee7e4b0fb
Step 10/16 : RUN chmod 644 /usr/local/share/ca-certificates/dc1.domain.local.crt && update-ca-certificates
 ---> Running in 486aa8689cd1
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

i guess must be add 1 not 0...

after docker build when i start the container passcore inside not exist the certificate file inside.

@ftoledo
Copy link

ftoledo commented Sep 15, 2022 

Step 9/16 : COPY dc1.domain.local.crt /usr/local/share/ca-certificates/dc1.domain.local.crt
 ---> aa7ee7e4b0fb
Step 10/16 : RUN chmod 644 /usr/local/share/ca-certificates/dc1.domain.local.crt && update-ca-certificates
 ---> Running in 486aa8689cd1
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

i guess must be add 1 not 0...

after docker build when i start the container passcore inside not exist the certificate file inside.

can you try to copy to /etc/ssl/certs instead of /usr/local... ?

@drbogar
Copy link

drbogar commented Sep 16, 2022

Hi @drbogar sorry by delay, I did that grep and don't show up the certificate... must be appears under /etc/ssl/certs ? in the dockerfile i set copy to dir /usr/local/share/ca-certificates/ after update-ca-certificates command maybe moved but isn't in that directory were was filter.

The certificate should be placed in /usr/local/share/ca-certificates/. The update-ca-certificates command copies it to /etc/ssl/cert.

Extract from the update-ca-certificates command man page:

update-ca-certificates is a program that updates the directory /etc/ssl/certs to hold SSL
certificates and generates ca-certificates.crt, a concatenated single-file list of
certificates.

Dockerfile after last modifications

FROM node:latest AS node_base

RUN echo "NODE Version:" && node --version
RUN echo "NPM Version:" && npm --version

FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build

COPY --from=node_base . .

WORKDIR /src
COPY ./ ./

COPY . .

ADD dc1.domain.local.crt /usr/local/share/ca-certificates/dc1.domain.local.crt
RUN chmod 644 /usr/local/share/ca-certificates/dc1.domain.local.crt && update-ca-certificates
RUN dotnet publish -c Release -o /app /p:PASSCORE_PROVIDER=LDAP

# final stage/image
FROM mcr.microsoft.com/dotnet/aspnet:6.0
WORKDIR /app
COPY --from=build /app ./
EXPOSE 80
ENTRYPOINT ["dotnet", "Unosquare.PassCore.Web.dll"]

Passcore's Dockerfile creates several temporary images during the build. Each FROM is the start of a new image. To install the RootCA certificate on the final container, you need to insert the two lines I wrote earlier after the last FROM.
I hope this helps.

@emper0r
Copy link
Author

emper0r commented Sep 16, 2022
edited
Loading

Hi @drbogar

I set the line after last FROM, now the certificate was added, but have to set absolute path for the command /usr/sbin/update-ca-certificates

 ---> Running in d9d2899d03e8
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

in fact now with grep I can see it inside the container, but still getting error rejecting certificate this is weird.

I test the certificate with other software and the test show "LDAPS certificates looks good"

this is the output certificate


openssl x509 -text -noout -in dc1.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            14:7e:c0:e6:92:19:26:aa:4b:40:c2:1b:f3:77:76:f5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = local, DC = domain, CN = dc1
        Validity
            Not Before: Sep  2 12:05:14 2022 GMT
            Not After : Sep  2 12:15:13 2027 GMT
        Subject: DC = local, DC = domain, CN = dc1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    ...
                    ...
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2:
                ...C.A
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE

any other idea?
can you share appsetttings hidding only sensitive data.??

are you using the last code here from master branch?

here is the actual log


dbug: Microsoft.AspNetCore.Mvc.Formatters.SystemTextJsonInputFormatter[2]
      JSON input formatter succeeded, deserializing to type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.Binders.BodyModelBinder[45]
      Done attempting to bind parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'.
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder[23]
      Done attempting to bind parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'.
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder[26]
      Attempting to validate the bound parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel' ...
dbug: Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder[27]
      Done attempting to validate the bound parameter 'model' of type 'Unosquare.PassCore.Web.Models.ChangePasswordModel'.
warn: PassCoreLDAPProvider[0]

      LDAP query: (sAMAccountName=user1)
warn: PassCoreLDAPProvider[0]

      Failed to connect to host [dc1.domain.local] - System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided

 RemoteCertificateValidationCallback.
         at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
         at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
         at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line
 317
warn: PassCoreLDAPProvider[0]

      Failed to connect to any configured hostname - Unosquare.PassCore.Common.ApiErrorException: Error Code: InvalidCredentials

      Failed to connect to any configured hostname
         at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.BindToLdap() in /src/src/Zyborg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line
 329
         at Zyborg.PassCore.PasswordProvider.LDAP.LdapPasswordChangeProvider.PerformPasswordChange(String username, String currentPassword, String newPassword) in /src/src/Zy
borg.PassCore.PasswordProvider.LDAP/LdapPasswordChangeProvider.cs:line 79
dbug: Microsoft.AspNetCore.Mvc.Infrastructure.DefaultOutputFormatterSelector[11]
      List of registered output formatters, in the following order: Microsoft.AspNetCore.Mvc.Formatters.HttpNoContentOutputFormatter, Microsoft.AspNetCore.Mvc.Formatters.Stri
ngOutputFormatter, Microsoft.AspNetCore.Mvc.Formatters.StreamOutputFormatter, Microsoft.AspNetCore.Mvc.Formatters.SystemTextJsonOutputFormatter

@emper0r
Copy link
Author

emper0r commented Sep 16, 2022
edited
Loading

if I add this option

-e AppSettings__LdapIgnoreTlsErrors='true'

seems to works saying passowrd was changed BUT I see in the logs never connected to AD, so I assume this is only for test purpose for validate only the web form because never changed the password and with false try to connect with that certificate error reject again.

@emper0r
Copy link
Author

emper0r commented Oct 7, 2022

any update?

@stevleibelt stevleibelt mentioned this issue Feb 2, 2023
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ftoledo @emper0r @simonai1254 @drbogar