ninjasftw opened a new issue, #32023:
URL: https://github.com/apache/airflow/issues/32023
### Apache Airflow version
2.6.2
### What happened
Setting up an Airflow instance which uses jumpcloud as its LDAP backend.
The underlying container (apache/airflow:latest-python3.10) does not trust
the CA certificate at ldap.jumpcloud.com:636 even though it is a valid
certificate.
The webserver logs show
```
[2023-06-19T20:51:49.899+0000] {manager.py:1236} ERROR - {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': '(unknown error code)'}
```
Digging into the underlying ldap / openssl functions seems to be where the
issue is, as you can trigger the error with:
```
> ldapsearch -d 9 -H 'ldaps://ldap.jumpcloud.com:636'
ldap_url_parse_ext(ldaps://ldap.jumpcloud.com:636)
ldap_create
ldap_url_parse_ext(ldaps://ldap.jumpcloud.com:636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.jumpcloud.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 3.70.144.176:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
**TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).**
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: (unknown error code)
```
The issue is not Airflow-specific as such; however, it's possible something in
the Docker build process for the airflow image is doing something with the
allowed ciphers or something.
The container image is built from Debian 11 and a fresh Debian 11 instance
does not show this issue.
As a workaround I've added a /etc/ldap/ldap.conf file into the container
with the contents
`TLS_REQCERT never`
and that allows the ldapsearch command and webserver to talk to the LDAP
instance.
### What you think should happen instead
The ldap connection should be established.
Using a Debian 11 container, ldapsearch returns
```
ldapsearch -d 9 -H 'ldaps://ldap.jumpcloud.com:636'
ldap_url_parse_ext(ldaps://ldap.jumpcloud.com:636)
ldap_create
ldap_url_parse_ext(ldaps://ldap.jumpcloud.com:636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.jumpcloud.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 3.70.144.176:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
```
### How to reproduce
`docker run --rm -it apache/airflow:2.6.0-python3.10 bash`
`ldapsearch -d 9 -H 'ldaps://ldap.jumpcloud.com:636'`
### Operating System
Debian GNU/Linux 11 (bullseye)
### Versions of Apache Airflow Providers
simply the base container image
### Deployment
Docker-Compose
### Deployment details
_No response_
### Anything else
_No response_
### Are you willing to submit PR?
- [ ] Yes I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
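An added diagnostic script (not part of the issue or of the Airflow project) that keeps certificate verification switched on while checking whether the container's CA bundle actually trusts the endpoint, which is the question the `TLS_REQCERT never` workaround sidesteps. The `/etc/ssl/certs/ca-certificates.crt` path (Debian default) and the `probe` entry point are assumptions; the sample debug lines are constructed from the report.

```shell
#!/usr/bin/env bash
# Added diagnostic, not from the issue. Distinguishes "this container's CA
# bundle does not trust the chain" from other failures, and probes the LDAPS
# endpoint with verification still enforced instead of TLS_REQCERT never.
set -u

# Debian default bundle; override with CA_BUNDLE=... if the image differs (assumption).
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Constructed sample of openldap '-d 9' output, copied from the report, for offline checks.
SAMPLE_UNTRUSTED="$(printf 'connect success\nTLS: peer cert untrusted or revoked (0x42)\n')"

# Classify openldap '-d 9' debug output:
#   untrusted - TCP connected, but the server chain was rejected by the client trust store
#   connected - TCP connected and no TLS error was logged
#   unknown   - neither pattern seen
classify_ldap_debug() {
  local out="$1"
  if printf '%s\n' "$out" | grep -q 'TLS: peer cert untrusted or revoked'; then
    echo untrusted
  elif printf '%s\n' "$out" | grep -q 'connect success'; then
    echo connected
  else
    echo unknown
  fi
}

# Verify the server chain against the explicit bundle; -verify_return_error makes
# the handshake (and the exit status) fail on any verification error.
probe_openssl() {
  local host="$1" port="$2"
  openssl s_client -connect "${host}:${port}" -servername "$host" \
    -CAfile "$CA_BUNDLE" -verify_return_error </dev/null >/dev/null 2>&1
}

# Re-run the reporter's ldapsearch with the bundle named explicitly and the
# certificate still required (LDAPTLS_* env vars override /etc/ldap/ldap.conf).
# -x uses an anonymous simple bind so the probe never prompts; TLS is checked first.
probe_ldapsearch() {
  local host="$1" port="$2"
  LDAPTLS_CACERT="$CA_BUNDLE" LDAPTLS_REQCERT=demand \
    ldapsearch -x -d 9 -H "ldaps://${host}:${port}" 2>&1
}

main() {
  local host="${1:-ldap.jumpcloud.com}" port="${2:-636}"
  [ -s "$CA_BUNDLE" ] || { echo "CA bundle missing: $CA_BUNDLE (update ca-certificates)"; return 2; }
  if probe_openssl "$host" "$port"; then echo "openssl: chain verifies against $CA_BUNDLE"
  else echo "openssl: chain does NOT verify against $CA_BUNDLE"; fi
  classify_ldap_debug "$(probe_ldapsearch "$host" "$port")"
}

if [ "${1:-}" = "probe" ]; then main "${2:-ldap.jumpcloud.com}" "${3:-636}"; fi
```

Run it inside the container as `bash diag.sh probe` (or `probe <host> <port>`): if openssl verifies the chain but ldapsearch still reports `untrusted`, the problem is the LDAP client configuration rather than the bundle; if neither verifies, the fix is to install or update the CA bundle rather than disable checking.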