I am trying to establish an LDAP connection (<cfldap>) from within a Docker image of ColdFusion 2021. It would be hard to post any relevant code here simply because it would expose our AD tree; however, the same code I am trying to run works just fine from an installed copy of CF2021 on a Linux server.
The reason for using a Docker image (vs. install) in this instance is an attempt to set up a local development environment. So far, everything seems to be working great with the exception of LDAP calls.
The error I'm getting:
An error has occurred while trying to execute query :Could not resolve a valid ldap host
Note: I have successfully run an ldapsearch call from a bash shell within the container.
Update:
I've just noticed CF version differences between the server that isn't having the problems:
Linux Version: 2021,0,01,325996 (installed a few weeks ago non-Docker)
Local MACOS: 2021,0,02,328618 (Docker)
Update 2: We've installed a fresh ColdFusion 2021 Docker image on a Linux box directly connected to our network and we are still seeing this issue. This narrows the issue down to Adobe ColdFusion 2021's interaction with Docker and its ability to do <cfldap>.
Hi,
Did you get anywhere with this? Also running into the same issue.
An error has occurred while trying to execute query :Could not resolve a valid ldap host
To you both, what's the Java version reported in the cf admin? Or if you prefer to know via code instead, see:
It may be that an issue with the Java version is a root cause, such as if you show using 11.0.1 (from 2018) vs 11.0.12 (from July). And yes, I'm proposing that a problem here could lead to the error message being a misleading one (host not found), especially given that you said the ldapsearch WITHIN the container WAS working.
That said, I realize that changing the JVM running within the container that CF would be set to use is a challenge within containers. It can be done. But let's see first if that's even POTENTIALLY the next step for you both.
Also, please each of you share the URL and tag for your CF2021 image. There are indeed different CF2021 images in different places, that differ from each other. It could be that a different CF2021.0.2 image WOULD work.
Also, you may want to note the image hash (using docker image ls). Even the same image:tag from the same repository could have different versions over time (which is indeed frustrating).
More than that, do a docker pull to see if you may get a new version of that same image:tag. (Docker doesn't pull a new one on a docker run, or when a container is run via compose. Kubernetes does, if the tag is "latest", which may surprise some that it does a pull in EACH startup of a pod).
Hi Charlie,
Thank you for the reply / your help.
I'm running (within a Docker container):
CF 2021 - 2021,0,02,328618
Java (via the admin UI reports as) - 11.0.11+9-LTS-194
The image used:
public.ecr.aws/adobe/coldfusion:latest
sha256:0d8af78f37bcac21f0727d01d3306f88f6991cc6157a6b2cfc07a0f0d4b7949b
A Docker pull is showing this as the latest image.
docker pull public.ecr.aws/adobe/coldfusion:latest
Status: Image is up to date for public.ecr.aws/adobe/coldfusion:latest
Ok, thx. That's indeed a modern Java 11 update (from April--the 11.0.12 was from July. I'll correct my earlier comment saying it was from September).
So next, if the ldap server you're calling may not yet support tls1.2, you could be hitting the problem of how 11.0.11 or above (and Java 1.8.0.291 and above) by default will not allow calls out via https/tls if the server being called does not support at least tls1.2. That can be changed, in a JVM properties file, as I discuss in this post:
As for doing that in a container, I don't address that, but if either of you want to try it and have trouble, let us know. If it works, let us know.
If you may feel I'm leading you down rabbit holes, my apologies. But as you noted, you can't share the ldap server for us to test, so we have to offer "things to try/consider" instead.
Hi All,
@Charlie Arehart Thank you for the help. The LDAP connection used already supports TLS 1.2.
I've raised this issue directly with support. I'll update the thread with any findings.
I ended up installing ColdFusion locally instead of using the Docker image.
However:
From within the Docker image, I was able to successfully execute the code below (using ports 636 and 389), which would lead me to believe Java isn't the issue:
```
<cfset socket = createObject("java", "java.net.Socket").init()/>
<cfset address = createObject("java", "java.net.InetSocketAddress").init(
    javaCast("string", "10.0.3.134"),
    javaCast("int", 636))/>
<cftry>
    <cfset socket.connect(address, 20000)/>
    <cfset socket.close()/>
    Success
<cfcatch>
    Fail
</cfcatch>
</cftry>
```
OK, Adam, and thanks for sharing. But I asked for a number of other things to help bound the problem. I appreciate you may not want to bother, and perhaps you will hope that we hear from Adobe. But if you're game to keep trying, it would be good to hear your answers.
Java Version: 11.0.11
Protocol : TLSv1.2
Docker Image URL: https://hub.docker.com/r/adobecoldfusion/coldfusion
Docker Image Info: LABEL product=2021 update=2 platform=Linux type=standalone builddate=2021-09-15 description=Adobe ColdFusion 2021 image version=1.0
A question for you..
Have you been able to successfully run an LDAP call from within a CF2021 Docker image?
(I will look into the JVM command below tomorrow and let you know if I have any success).
Adam
Ok. And as for your question to me, no, as I have none to try. But if you can suggest one that I could, I would, if it may help us resolve or bound the problem.
I have a new suggestion for you each to consider. It turns out that Java 11.0.1 introduced a new ldap-specific JVM protection, called ldap strict endpoint identification. You can disable it with this jvm arg:
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
For more, see:
https://www.oracle.com/java/technologies/javase/11-0-1-relnotes.html
It's still not clear why the Docker images might respond differently, but if this helps, at least it's more of a clue that could be shared with Adobe. (If you created that tracker ticket in reporting things to Adobe, I hope you'll share it here, so we can join in there.)
And I hope each of you will confirm if you get to at least try this, so we know you're considering it.
I've tried the disableEndpointIdentification. Same error unfortunately. Adobe support have managed to replicate the issue. I'm waiting on their engineering team. I'll keep the thread updated.
Great to hear (that they've replicated it). A fix should be along shortly then (a new image, I'd imagine). Bummer about the problem, but thanks for news on the progress.
Hi All
Adobe CF support suggested updating to JAVA SE 11.0.13 (LTS) inside the docker container. I did this and it resolved the LDAP issue for me.
Support said they will check with "engineering team to update the docker repo with latest Java". I assume at some point a new image will be released.
Thanks
Hmm. Glad you solved it, but the first thing I'd suggested was that it may be a JVM version issue. You had said in reply that you showed cf running 11.0.11. You say now that updating to 11.0.13 solved things. Perhaps there was a JVM bug, fixed in 11.0.13 (which came out last week).
I point this out as much for others, since the most recent cf images do come with 11.0.11. And yep, it would be great if Adobe would update them.
Of course, updating the jvm can have other impacts, so that some may wish they could control the jvm version via configuration. Until then, as you found (and I said originally), it IS indeed possible to implement a specific jvm in an image and modify cf to point to that. It could certainly be made still-easier.
Seems to still be an issue in 2023.
Here is the output of `java --version` from the `jre/bin` directory of the image:
```
java 11.0.11 2021-04-20 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.11+9-LTS-194)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.11+9-LTS-194, mixed mode)
```
Anyone find any other workarounds? Or better, any word on if this will ever be fixed?
Ok, fixed it by replacing the current JRE with `openjdk-jre-11-headless` from ubuntu packages.
Some commands that may help:
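```
# Point ColdFusion's jvm.config at the distro OpenJDK 11 JRE
sed -i 's/java\.home.*/java\.home=\/usr\/lib\/jvm\/java-11-openjdk-amd64/g' '/opt/coldfusion/cfusion/bin/jvm.config'
# Install that JRE from the Ubuntu repositories
apt update;
apt -y install openjdk-11-jre-headless;
```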
This solved the problem for me, thank you so much for the help! Really hope Adobe will release an updated image that fixes this. I'm using adobecoldfusion/coldfusion2021:2021.0.12.
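The JRE check and swap discussed in this thread, as an added example that is not part of any post and is not Adobe's code: it flags a bundled JRE older than the 11.0.13 that the thread reports as resolving the error, and rewrites only the `java.home=` line of `jvm.config` after validating the new JRE and keeping a backup. The function names are hypothetical, and `<bundled-jre>` stands for the image's JRE directory, whose full path the thread does not give.

```shell
#!/bin/sh
# Added example; jre_older_than, ver_key and set_java_home are hypothetical names.

# "11.0.13" -> 11000013, so versions compare as plain integers.
ver_key() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# Exit 0 if the JRE reported in "$1" (first line of `java --version`) is older
# than "$2", 1 if it is not, 2 if no x.y.z version can be parsed from "$1".
jre_older_than() (
    have=$(printf '%s\n' "$1" |
        sed -n '1s/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$have" ] || exit 2
    [ "$(ver_key "$have")" -lt "$(ver_key "$2")" ]
)

# Repoint a ColdFusion jvm.config at another JRE. Only the line that starts
# with "java.home=" is rewritten; an unanchored 's/java\.home.*/.../' would
# also rewrite any other line that happens to contain the string java.home.
set_java_home() (
    cfg=$1 jre=$2
    [ -f "$cfg" ] || { echo "no such config: $cfg" >&2; exit 1; }
    [ -x "$jre/bin/java" ] || { echo "no java binary under: $jre" >&2; exit 1; }
    # Refuse characters that are special in the sed replacement below.
    case $jre in *'|'*|*'&'*|*'\'*) echo "unsupported path: $jre" >&2; exit 1 ;; esac
    grep -q '^java\.home=' "$cfg" || { echo "no java.home= line in $cfg" >&2; exit 1; }
    cp -p "$cfg" "$cfg.bak" &&
        sed "s|^java\.home=.*|java.home=$jre|" "$cfg.bak" > "$cfg"
)

# Usage inside the container, with the paths quoted in the thread:
#   if jre_older_than "$(<bundled-jre>/bin/java --version 2>&1 | head -n 1)" 11.0.13
#   then set_java_home /opt/coldfusion/cfusion/bin/jvm.config \
#            /usr/lib/jvm/java-11-openjdk-amd64
#   fi
```

ColdFusion reads `jvm.config` at startup, so the change takes effect after the server is restarted; the previous file remains at `jvm.config.bak`.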