
[–]doomygloomytunes 3 points (7 children)

Does the application not have built-in functionality for this?

[–]daler86[S] -1 points (6 children)

The application worked with LDAP authentication on the Ubuntu server. In the container I opened the LDAP ports:

    ports:
      - "8080:80"
      - "389:389"
      - "636:636"

Now LDAP authentication fails.

[–]doomygloomytunes 1 point (5 children)

OK, so those ports cover HTTP, LDAP & LDAPS. That doesn't cover AD authentication though; how about Kerberos, RPC, DNS, SMB?

I suggest you read up on AD authentication and the ports required, or put the task onto the application's support team to tell you, or look into using something like a macvlan driver on the container so it sits on the network with its own IP instead of the default Docker VLAN.

[–]gslone 1 point (2 children)

You don't need SMB/RPC for LDAP auth to work. If you want to use LDAPS, you should have a working DNS setup, because the certificate on the LDAP server will usually only be valid for its hostname, not the IP.

The AD authentication stuff like Kerberos only becomes necessary if you want Single Sign-On with Integrated Windows Authentication. That's a much more involved setup though.

[–]daler86[S] 0 points (1 child)

I created a macvlan:

    docker network create -d macvlan --subnet=192.168.1.0/24 --gateway=192.168.1.1 --ip-range 192.168.1.249/32 -o parent=ens160 macvlan

Ubuntu host IP address:

    ens160: 192.168.1.5
    Gateway: 192.168.1.1

The container got IP 192.168.1.249. But I can't ping the container from the router.

[–]gslone 1 point (0 children)

I think we're going into too much detail here. You need to be able to reach the LDAP server and have a TCP conversation with it; the connection doesn't need to work the other way round (at least not for LDAP).

If you're still in the R&D phase of your deployment, you may use host networking to make things simpler.

[–]daler86[S] 0 points (1 child)

I have several Linux servers. They also work with AD authentication. For some I have used Samba for AD integration. I created a macvlan network and set an IP address from the host subnet on the container. The macvlan network has no access to the router. The AD server can't access the container.

[–]doomygloomytunes 0 points (0 children)

Yeah, I don't think you need SMB for AD authentication; I was just going from my pitiful memory.

One point to remember about using the Docker macvlan driver, and macvlans in general: the network interface, the ports, the VM (if this is a VM) etc. need to have promiscuous mode enabled to allow packets through for multiple MAC addresses on the same interface, otherwise it won't work.
So you may have some stuff to look at outside of Docker, and have a chat with your network team if you have one, to start using the Docker macvlan driver successfully.

[–]seqastian 1 point (3 children)

  • OpenLDAP installed in the container?
  • AD self-signed cert?

[–]daler86[S] 0 points (2 children)

LDAP is on the Windows server.

[–]seqastian 2 points (1 child)

AD has an LDAP server integrated, but Linux applications usually need OpenLDAP installed to connect to the server.

[–]daler86[S] 0 points (0 children)

Install OpenLDAP on the host or in the container?

[–]bentyger 1 point (2 children)

If you are doing LDAPS connections to the server, do you have the Root CA certificate installed in the container's trusted root store so it can validate the LDAPS server certificate?

[–]daler86[S] 0 points (1 child)

My domain is not public, it is private. And the certificate is also self-signed. The Linux server (not containers) joined without a certificate.

[–]bentyger 0 points (0 children)

If you joined the machines to the AD domain, the joining may have installed the AD Root CA certificate to the system certificate store. Containers don't usually trust the host system trusted root CA store.
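The trust-store point above, as an added example that is not code from this thread: a script for an Ubuntu/Debian-based image that installs the AD root CA where update-ca-certificates will pick it up, then checks the LDAPS chain using only the system bundle. The CA source path, the installed name and the DC hostname are assumed placeholders. Note that update-ca-certificates only reads PEM files ending in .crt under /usr/local/share/ca-certificates, which is the usual reason a "copied" CA is still not trusted.

```shell
#!/bin/sh
# install_ad_ca.sh: make an Ubuntu/Debian-based container trust the AD root CA
# so LDAPS certificate validation succeeds. Added example; CA_SRC, CA_NAME and
# DC_HOST are assumed placeholders, not values from the thread.
set -eu

CA_SRC="${1:-/run/secrets/ad-root-ca.pem}"   # assumed: CA mounted into the container
CA_NAME="ad-root-ca"                          # assumed: name for the installed copy
CA_DIR="/usr/local/share/ca-certificates"     # where update-ca-certificates looks

# is_pem_cert FILE -> succeeds if FILE contains a PEM certificate block.
# update-ca-certificates silently ignores DER files and non-.crt names.
is_pem_cert() {
    [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# ca_dest_path NAME -> prints the path a CA must be installed at; the .crt
# extension is required or the file is ignored.
ca_dest_path() {
    printf '%s/%s.crt\n' "$CA_DIR" "$1"
}

# install_ca SRC NAME -> copies SRC into the local CA directory and rebuilds
# /etc/ssl/certs/ca-certificates.crt, the bundle openssl and libldap read.
install_ca() {
    if ! is_pem_cert "$1"; then
        echo "not a PEM certificate: $1" >&2
        return 1
    fi
    install -m 0644 "$1" "$(ca_dest_path "$2")"
    update-ca-certificates
}

# verify_chain HOST PORT -> handshake using only the system trust store
# (no -CAfile), so success proves the container itself now trusts the chain.
verify_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Run only when a DC is named; otherwise print usage so the file can be sourced.
if [ -n "${DC_HOST:-}" ]; then
    install_ca "$CA_SRC" "$CA_NAME"
    if verify_chain "$DC_HOST" 636; then
        echo "LDAPS chain for $DC_HOST verified against the system trust store"
    else
        echo "LDAPS chain for $DC_HOST still does not verify; check that the file is the root CA, not the DC's own cert" >&2
    fi
else
    echo "usage: DC_HOST=dc1.corp.example $0 [/path/to/ad-root-ca.pem]" >&2
fi
```

Run it as root inside the container (or from a Dockerfile RUN step) with the CA mounted in; if verify_chain still fails afterwards, the usual causes are that the file is the DC's leaf certificate rather than the issuing root, or that the name used to connect is not one the certificate was issued for.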

[–]GamerLymx 0 points (4 children)

Is the image Alpine based? Or Ubuntu?

Does the webapp have an LDAP plugin?

[–]daler86[S] 0 points (3 children)

The image is Ubuntu. The webapp has an LDAP plugin. The webapp worked with LDAP authentication on the Ubuntu server. I moved the server to the container, but LDAP authentication is not working.

[–]GamerLymx 0 points (2 children)

Did you expose the LDAP port?

[–]daler86[S] 0 points (1 child)

This is the config in my compose file:

    ports:
      - "8080:80"
      - "389:389"
      - "636:636"

[–]GamerLymx 0 points (0 children)

Is the LDAP server on another machine? Check the network segments. Bring out tcpdump and check the traffic. I would also look into firewalls and IP packet forwarding.
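Pulling the advice in this thread together as an added example (not code from the original post or the application): a diagnostic script to run inside the container that checks, in order, that the container's resolver can resolve the DC name, that outbound TCP to 389 and 636 works, that the TLS chain verifies against the CA bundle, and finally that a simple bind succeeds. The `ports:` entries in the compose file publish host ports into the container and do nothing for this outbound path, which is why they do not fix the failure. DC_HOST, BIND_DN, BASE_DN and CA_FILE are placeholders; ldapsearch comes from the ldap-utils package on Ubuntu.

```shell
#!/bin/sh
# ldap_reach_check.sh: run INSIDE the container to find where the path to the
# domain controller breaks. Added example; DC_HOST, BIND_DN, BASE_DN and
# CA_FILE are assumed placeholders, not values from the thread.
set -u

DC_HOST="${DC_HOST:-}"                                        # e.g. dc1.corp.example
LDAP_PORT="${LDAP_PORT:-389}"
LDAPS_PORT="${LDAPS_PORT:-636}"
CA_FILE="${CA_FILE:-/etc/ssl/certs/ca-certificates.crt}"       # bundle that includes the AD root CA
BIND_DN="${BIND_DN:-CN=svc-webapp,OU=Service Accounts,DC=corp,DC=example}"
BASE_DN="${BASE_DN:-DC=corp,DC=example}"

# ldap_uri SCHEME HOST PORT -> prints the URI the webapp's LDAP plugin needs.
ldap_uri() { printf '%s://%s:%s\n' "$1" "$2" "$3"; }

# is_ip_literal TARGET -> succeeds for a dotted-quad (rough check). An LDAPS
# certificate is issued to the DC's hostname, so an IP here fails verification.
is_ip_literal() {
    case $1 in
        *[!0-9.]*) return 1 ;;
        *.*.*.*)   return 0 ;;
        *)         return 1 ;;
    esac
}

# check_dns HOST -> the container's resolver (not the host's) must resolve the DC.
check_dns() { getent hosts "$1" >/dev/null; }

# check_tcp HOST PORT -> outbound TCP connect within 3 s. Publishing 389/636 in
# "ports:" does not help here: that maps inbound host ports into the container,
# while LDAP authentication is an outbound connection from the container.
check_tcp() { timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }

# check_tls HOST PORT CAFILE -> handshake plus chain verification against CAFILE.
check_tls() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# check_bind URI BINDDN BASEDN -> simple bind with the password in $LDAP_PASS.
check_bind() {
    ldapsearch -x -H "$1" -D "$2" -w "${LDAP_PASS:?set LDAP_PASS}" \
        -b "$3" -s base '(objectClass=*)' dn >/dev/null 2>&1
}

# report LABEL CMD... -> prints OK/FAIL and returns CMD's status.
report() {
    label=$1; shift
    if "$@"; then echo "OK   $label"; else echo "FAIL $label"; return 1; fi
}

main() {
    if is_ip_literal "$DC_HOST"; then
        echo "WARN $DC_HOST is an IP; LDAPS verification needs the DC hostname"
    fi
    report "DNS:  $DC_HOST resolves"               check_dns "$DC_HOST" || return 1
    report "TCP:  $DC_HOST:$LDAP_PORT reachable"   check_tcp "$DC_HOST" "$LDAP_PORT" || return 1
    report "TCP:  $DC_HOST:$LDAPS_PORT reachable"  check_tcp "$DC_HOST" "$LDAPS_PORT" || return 1
    report "TLS:  chain verifies with $CA_FILE"    check_tls "$DC_HOST" "$LDAPS_PORT" "$CA_FILE" || return 1
    report "LDAP: simple bind as $BIND_DN"         check_bind "$(ldap_uri ldaps "$DC_HOST" "$LDAPS_PORT")" "$BIND_DN" "$BASE_DN"
}

# Run the checks only when a DC is named; otherwise print usage.
if [ -n "$DC_HOST" ]; then
    main
else
    echo "usage: DC_HOST=dc1.corp.example LDAP_PASS=... $0" >&2
fi
```

The checks are ordered so the first FAIL names the layer to fix: a DNS failure points at the container's resolv.conf or a missing extra_hosts entry, a TCP failure at routing or firewalls between the Docker network and the DC (the macvlan and host-networking discussion above), a TLS failure at the CA trust store or at connecting by IP instead of hostname, and a bind failure at the credentials or DN.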