How to provide CA certificates to python-ldap inside a Docker container?
I'm trying to set up automated unit tests in Gitlab CI and I encountered the problem that connections to LDAPS, which work fine both in development and production, fail inside the Docker container that is spun up by the Gitlab runner.
My class initialization:
    import ldap
    import pprint


    class MyAD:
        app = None
        ad = None

        def __init__(self, app):
            self.app = app
            # Connection object that transparently reconnects after SERVER_DOWN
            self.ad = ldap.ldapobject.ReconnectLDAPObject(self.app.config["AD_HOST"])
            self.ad.protocol_version = 3
            self.ad.set_option(ldap.OPT_REFERRALS, 0)
            self.ad.simple_bind_s(
                self.app.config["AD_BIND_DN"], self.app.config["AD_BIND_PASSWORD"]
            )
            self.pp = pprint.PrettyPrinter(indent=2, width=200)
Dockerfile:
    FROM ubuntu:24.04
    ENV DEBIAN_FRONTEND=noninteractive
    ENV TZ=Europe/Berlin
    ENV PIPX_HOME=/opt/pipx
    ENV PIPX_BIN_DIR=/usr/local/bin
    RUN apt-get update \
        && apt-get install --no-install-recommends apt-transport-https ca-certificates curl gnupg lsb-release -y \
        && curl https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor --yes -o /etc/apt/trusted.gpg.d/trivy-repo.gpg \
        && echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | tee -a /etc/apt/sources.list.d/trivy.list \
        && apt-get update \
        && apt-get install --no-install-recommends git pipx python3 python3-virtualenv trivy build-essential python3-dev \
            libldap2-dev libsasl2-dev slapd ldap-utils tox \
            lcov valgrind -y \
        && rm -rf /var/cache/apt/archives /var/lib/apt/lists/* \
        && addgroup --gid 1005 gitlab-runner \
        && useradd -rm -d /home/gitlab-runner -s /bin/bash -u 1005 gitlab-runner -g gitlab-runner \
        && pipx ensurepath \
        && pipx install poetry \
        && pipx install uv
    USER 1005:1005
    WORKDIR /work
This is the error message:
ldap_pvt_connect: fd: 12 tm: -1 async: 0
attempting to connect:
connect success
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
=> LDAPError - SERVER_DOWN: {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': '(unknown error code)'}
The certificate in question is a valid certificate with a HARICA root certificate, the chain is supplied by the server. The root certificate is present in the container. When I check the certificate with openssl from inside the container it is shown as valid.
And now the weird part:
When I set the CA cert dir explicitly in the code the certificate is accepted as valid:
    import ldap


    class IGDAD:
        app = None
        ad = None

        def __init__(self, app):
            self.app = app
            # Maximum libldap debug output, to see the TLS handshake details
            ldap.set_option(ldap.OPT_DEBUG_LEVEL, 4095)
            # Explicit CA directory: with this line the certificate is accepted
            ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, "/etc/ssl/certs")
            self.ad = ldap.ldapobject.ReconnectLDAPObject(...)
But I'd rather not hard-code the path to the OS SSL certificates in the code, so as not to reduce compatibility. Why are the CA certificates not found in the container by python-ldap, and what do I need to change to fix this?
Python and package versions from pytest output:
platform linux -- Python 3.10.19, pytest-9.0.2, pluggy-1.6.0
plugins: cov-7.0.0
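As an added example (not code from the question), one way to avoid hard-coding the trust-store path: resolve it from the same places libldap and OpenSSL already consult, fail closed when nothing usable is found, and keep certificate verification at OPT_X_TLS_DEMAND. The `connect` helper and its argument names are assumptions; python-ldap is needed only for `connect`, the resolver itself is stdlib-only.

```python
import os
import ssl

try:
    import ldap  # python-ldap; only needed by connect()
except ImportError:  # the resolver below works without it
    ldap = None


def resolve_ca_paths(env=None, exists=os.path.exists):
    """Return (cafile, cadir) for TLS verification, without a hard-coded path.

    Precedence: libldap's own LDAPTLS_CACERT / LDAPTLS_CACERTDIR variables
    (see ldap.conf(5)), then OpenSSL's SSL_CERT_FILE / SSL_CERT_DIR, then the
    build-time OpenSSL defaults, i.e. the store 'openssl verify' used inside
    the container.  Candidates that do not exist on disk are skipped so a
    stale path is never handed to libldap unnoticed.
    """
    env = os.environ if env is None else env
    d = ssl.get_default_verify_paths()
    files = [env.get("LDAPTLS_CACERT"), env.get(d.openssl_cafile_env), d.openssl_cafile]
    dirs = [env.get("LDAPTLS_CACERTDIR"), env.get(d.openssl_capath_env), d.openssl_capath]
    cafile = next((p for p in files if p and exists(p)), None)
    cadir = next((p for p in dirs if p and exists(p)), None)
    return cafile, cadir


def connect(uri, bind_dn, password, env=None):
    """Bind over LDAPS with the resolved trust store (hypothetical helper).

    Fails closed: no trust store means no bind.  Verification is pinned to
    OPT_X_TLS_DEMAND so a broken store surfaces as an error instead of being
    silenced with OPT_X_TLS_NEVER or OPT_X_TLS_ALLOW.
    """
    cafile, cadir = resolve_ca_paths(env)
    if not (cafile or cadir):
        raise RuntimeError("no CA trust store found: set LDAPTLS_CACERT "
                           "or install ca-certificates in the image")
    # Global options must be set before the first TLS context is created.
    if cafile:
        ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cafile)
    if cadir:
        ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, cadir)
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn = ldap.ldapobject.ReconnectLDAPObject(uri)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.simple_bind_s(bind_dn, password)
    return conn
```

Running `resolve_ca_paths()` inside the CI container before the bind shows which store (if any) python-ldap will actually be given, which is the first thing to compare against the `openssl` check that succeeded.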