ProGet docker image LDAP/LDAPS Support

scroak_6473

Hey Guys,

Wondering if anyone has successfully configured LDAP/LDAPS login on the ProGet container image?

Most of the documentation references LDAP authentication working through IIS. Which is obviously not available on the Linux proget image.

In trying to set this up using LDAPS (preferred) I get the following:

Unchecking LDAPS gives me this:

I can ping the domain controller from the containers command line:

Nothing is showing up in the event log.

Running Proget V5.3.7.

Thanks

Simon

rhessinger

Hi @scroak_6473,

You most likely have to setup a Resource Credential. On the Manage User Directories page, you should see a button for AD Credentials. Create a credential that has domain access. From there, in your domains to search, enter a value of {domain},{Secure Resource Name} ex: exampldomain.com,DomainAdmin. Can you give that a try and see if it connects?

Thanks,
Rich

scroak_6473

Hi @rhessinger

Thanks for the quick response.

I can confirm that works but only when I de-select "Use LDAPS", given that Microsoft is the removing the ability to query AD using LDAP (instead making people query using LDAPS) in the very near future how can I get the LDAPS connection working?

My guess is that given that this docker container is not on a windows domain (and therefore does not have any domain ca certificates) it is unable to verify the LDAPS certificate.

Shouldn't there be an option to "ignore or skip certificate verification"

Thanks

Simon

atripp

Hi @scroak_6473

Shouldn't there be an option to "ignore or skip certificate verification"

If it's possible at the library level, it's something that could be added, I think; we recently added the LDAPS support. I'm not an expert on security/certification verification, or if this is even a good option to have, however.

The VerifyServerCertificateCallback may allow it, and it seems like it could be an easy checkbox to add to ADUserDirectory.cs, maybe.

It's definitely possible to fork InedoCore, modify, then manually install. Or we can very easily shipped branched-builds to our CI-extensions feed, if this is something you'd be interested in collaborating/testing. This is how we got LDAPS working in the first place, as it's quite complex to reproduce an environment for that.

Cheers,
Alana

scroak_6473

Hi @atripp

Thanks for this. Unfortunately I am not a developer so couldn't really help in forking InedoCore. But I do have the ability to run and tests this in a CI container build, in a docker dev environment.

It would seam there is also limited logging so you would need to let me know how best to troubleshoot this implementation for you should it not work.

Let me know how I can help.

Thanks

Simon

atripp

hi Simon,

Unfortunately the code solution I mentioned isn't feasible. Basically, to use that method, it would require us to rewrite our library to work at the "protocol level" (TCP/IP) instead of the "directory level" (users/groups/objects); so it's not so trivial...

Could you install the certificate to the Docker container to see if it works?

scroak_6473

Hi @atripp,

I can try but with you guys using Mono it would be a challenge to find out where it would need to go.

I'm curious would using this method work with your code:

https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.protocols.ldapconnection.sessionoptions?view=dotnet-plat-ext-3.1

https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.protocols.ldapsessionoptions.verifyservercertificate?view=dotnet-plat-ext-3.1#System_DirectoryServices_Protocols_LdapSessionOptions_VerifyServerCertificate

I'll investigate installing the certificate on the container now.

Thanks

Simon

atripp

Thanks @scroak_6473; that method would probably work if we were using the protocol-level libraries (i.e. System.DirectoryServices.Protocols) to connect, but we're working at one-level above that (i.e. DirectorySearcher).

These libraries use a protocol called ADSI, which basically a wrapper around LDAP, but with more security (either via SSL or something else, I forgot) and some Microsoft extensions. But ADSl can also connect to any LDAP server.

atripp

@scroak_6473 oh, I guess we already rewrote this for our .NET5 plans.

In the coming weeks, we'll shipping a new container, ProGetCore that is build on .NETCore (soon: .NET5), and won't use any of Mono. So, then, we'll have a chance of easily adding this!

scroak_6473

@atripp thats amazing! Let me know when this releases. Happy to try it out in our Dev environment.

Thanks

Simon

atripp

hi @scroak_6473 , just to let you know, as part of ProGet 5.3.10 release, we shipped the ProGetCore container image.

You can follow the normal steps in the Linux and Docker Installation Guide to install/upgrade, but just use progetcore for the container instead of proget.

Aside from support for the Lucene-based Maven feed indexing (in progress), it seems to be feature complete. And of course, if there are problems, you can switch back to proget:5.3.10 or downgrade as needed (no database schema changes).

For example, docker pull proget.inedo.com/productimages/inedo/progetcore:5.3.10

Getting LDAP/LDAPS to work on Linux was a whole different problem to solve; the three major libraries (DotNetCore, Mono, Novell) all had separate and strange bugs. We'll be blogging about this, but for now, it might be a step in the right direction for addressing the problems you're seeing, at the very least.