
Coldfusion LDAP from Docker Image not working.

Community Beginner, Sep 27, 2021

I am trying to establish an LDAP connection (<cfldap>) from within a Docker image of ColdFusion 2021. It would be hard to post any relevant code here simply because it would expose our AD tree, however, the same code I am trying to run works just fine from an installed copy of CF2021 on a Linux server.

The reason for using a Docker image (vs. install) in this instance, is an attempt to setup a local development environment. So far, everything seems to be working great with the exception of LDAP calls.

 

The error I'm getting:

An error has occurred while trying to execute query :Could not resolve a valid ldap host

 

 

Note: I have successfully run a ldapsearch call from a bash shell within the container.

Community Beginner, Sep 27, 2021

Update: 

I've just noticed CF version differences between the server that isn't having the problems:
Linux Version: 2021,0,01,325996 (installed a few weeks ago non-Docker)
Local MACOS: 2021,0,02,328618 (Docker)

Community Beginner, Sep 27, 2021

Update 2: We've installed a fresh ColdFusion 2021 Docker image on a Linux box directly connected to our network and we are still seeing this issue. This narrows the issue down to Adobe ColdFusion 2021's interaction with Docker and its ability to do <cfldap>.

Community Beginner, Oct 12, 2021

Hi,

 

Did you get anywhere with this? Also running into the same issue.

An error has occurred while trying to execute query :Could not resolve a valid ldap host

 

Community Expert, Oct 12, 2021

To you both, what's the Java version reported in the cf admin? Or if you prefer to know via code instead, see:

 

https://www.carehart.org/blog/client/index.cfm/2021/4/5/Confirming-ColdFusions-Java-version-via-CFML...

 

It may be that an issue with the Java version is a root cause, such as if you show using 11.0.1 (from 2018) vs 11.0.12 (from July). And yes, I'm proposing that a problem here could lead to the error message being a misleading one (host not found), especially given that you said the ldapsearch WITHIN the container WAS working.

 

That said, I realize that changing the jvm running within the container that Cf would be set to use is a challenge within containers. It can be done. But let's see first if that's even POTENTIALLY the next step for you both.

 

Also, please each of you share the url and tag for your Cf2021 image. There are indeed different Cf2021 images in different places, that differ from each other. It could be that a different Cf2021.0.2 image WOULD work. 

 

Also, you may want to note the image hash (using docker image ls). Even the same image:tag from the same repository could have different versions over time (which is indeed frustrating). 

 

More than that, do a docker pull to see if you may get a new version of that same image:tag. (Docker doesn't pull a new one on a docker run, or when a container is run via compose. Kubernetes does, if the tag is "latest", which may surprise some that it does a pull in EACH startup of a pod). 


/Charlie (troubleshooter, carehart.org)

Community Beginner, Oct 12, 2021

Hi Charlie,

 

Thank you for the reply / your help.

 

I'm running (within a Docker container):

CF 2021 - 2021,0,02,328618

Java (via the admin UI reports as) - 11.0.11+9-LTS-194

 

The image used:

public.ecr.aws/adobe/coldfusion:latest

sha256:0d8af78f37bcac21f0727d01d3306f88f6991cc6157a6b2cfc07a0f0d4b7949b

A Docker pull is showing this as the latest image.

```
docker pull public.ecr.aws/adobe/coldfusion:latest
Status: Image is up to date for public.ecr.aws/adobe/coldfusion:latest
```

Community Expert, Oct 12, 2021

Ok, thx. That's indeed a modern Java 11 update (from April--the 11.0.12 was from July. I'll correct my earlier comment saying it was from September).

 

So next, if the ldap server you're calling may not yet support tls1.2, you could be hitting the problem of how 11.0.11 or above (and Java 1.8.0.291 and above) by default will not allow calls out via https/tls if the server being called does not support at least tls1.2. That can be changed, in a JVM properties file, as I discuss in this post:

 

https://www.carehart.org/blog/client/index.cfm/2021/4/26/new_java_updates_for_Java_8_and_11_as_of_Ap...

 

As for doing that in a container, I don't address that, but if either of you want to try it and have trouble, let us know. If it works, let us know.

 

If you may feel I'm leading you down rabbit holes, my apologies. But as you noted, you can't share the ldap server for us to test, so we have to offer "things to try/consider" instead. 


/Charlie (troubleshooter, carehart.org)

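The TLS default described in the post above is carried by the `jdk.tls.disabledAlgorithms` property in the JVM's `java.security` file (under `conf/security` in a Java 11 home). The following is an added example, not code from the thread or from Adobe: it reads that property, including backslash-continued lines, and reports whether a given protocol version is disabled. The sample file contents and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read jdk.tls.disabledAlgorithms out of a
# java.security file and test whether a given TLS protocol version is disabled.

# Print the effective property value, joining backslash-continued lines and
# ignoring commented-out definitions; the last definition in the file wins.
disabled_tls_algorithms() {
    awk '
        !cont && /^[ \t]*#/ { next }
        cont || /^jdk\.tls\.disabledAlgorithms[ \t]*=/ {
            line = $0
            if (!cont) { sub(/^[^=]*=/, "", line); value = "" }
            cont = sub(/\\$/, "", line)
            value = value line
        }
        END { print value }
    ' "$1"
}

# Succeed only on an exact entry match, so "TLSv1" is not confused with "TLSv1.1".
tls_protocol_disabled() {
    disabled_tls_algorithms "$1" | awk -F',' -v want="$2" '
        { for (i = 1; i <= NF; i++) {
              gsub(/^[ \t]+|[ \t]+$/, "", $i)
              if ($i == want) found = 1
          } }
        END { exit !found }'
}

# Constructed sample in the style of a Java 11 java.security file.
sample_security=$(mktemp)
cat > "$sample_security" <<'EOF'
# jdk.tls.disabledAlgorithms=SSLv3
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2
EOF

for proto in TLSv1 TLSv1.1 TLSv1.2; do
    if tls_protocol_disabled "$sample_security" "$proto"; then
        echo "$proto: disabled by the JVM"
    else
        echo "$proto: allowed by the JVM"
    fi
done
```

Inside a container, point the function at the `java.security` file of whichever JVM `java.home` in `jvm.config` refers to, since that is the one ColdFusion loads.
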
Community Beginner, Oct 12, 2021

Hi All,

 

@Charlie Arehart Thank you for the help. The LDAP connection used already supports TLS 1.2.

 

I've raised this issue directly with support. I'll update the thread with any findings.

Community Beginner, Oct 12, 2021

I ended up installing ColdFusion locally instead of using the Docker image.

 

However:

From within the Docker image,

I was able to successfully execute the code below (using ports : 636 and 389) which would lead me to believe Java isn't the issue:

```
<cfset socket = createObject("java", "java.net.Socket").init()/>
<cfset address = createObject("java", "java.net.InetSocketAddress").init(
    javaCast("string", "10.0.3.134"),
    javaCast("int", 636))/>

<cftry>
    <cfset socket.connect(address, 20000)/>
    <cfset socket.close()/>
    Success
    <cfcatch>
        Fail
    </cfcatch>
</cftry>
```

Community Expert, Oct 12, 2021

OK, Adam, and thanks for sharing. But I asked for a number of other things to help bound the problem. I appreciate you may not want to bother, and perhaps you will hope that we hear from Adobe. But if you're game to keep trying, it would be good to hear your answers.


/Charlie (troubleshooter, carehart.org)

Community Beginner, Oct 12, 2021

Java Version: 11.0.11

Protocol : TLSv1.2

Docker Image URL: https://hub.docker.com/r/adobecoldfusion/coldfusion

Docker Image Info: LABEL product=2021 update=2 platform=Linux type=standalone builddate=2021-09-15 description=Adobe ColdFusion 2021 image version=1.0 

 

A question for you..

Have you been able to successfully run an LDAP call from within a CF2021 Docker image?

 

(I will look into the JVM command below tomorrow and let you know if I have any success).

 

Adam

Community Expert, Oct 13, 2021

Ok. And as for your question to me, no, as I have none to try. But if you can suggest one that I could, I would, if it may help us resolve or bound the problem.

 


/Charlie (troubleshooter, carehart.org)

Community Expert, Oct 12, 2021

I have a new suggestion for you each to consider. It turns out that Java 11.0.1 introduced a new ldap-specific JVM protection, called ldap strict endpoint identification. You can disable it with this jvm arg:

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

For more, see:

https://www.oracle.com/java/technologies/javase/11-0-1-relnotes.html

 

It's still not clear why the Docker images might respond differently, but if this helps, at least it's more of a clue that could be shared with Adobe. (If you created that tracker ticket in reporting things to Adobe, I hope you'll share it here, so we can join in there.)

 

And I hope each of you will confirm if you get to at least try this, so we know you're considering it.


/Charlie (troubleshooter, carehart.org)

Community Beginner, Oct 13, 2021

I've tried the disableEndpointIdentification. Same error unfortunately. Adobe support have managed to replicate the issue. I'm waiting on their engineering team. I'll keep the thread updated.

Community Expert, Oct 13, 2021

Great to hear (that they've replicated it). A fix should be along shortly then (a new image, I'd imagine). Bummer about the problem, but thanks for news on the progress.


/Charlie (troubleshooter, carehart.org)

Community Beginner, Oct 25, 2021

Hi All

Adobe CF support suggested updating to JAVA SE 11.0.13 (LTS) inside the docker container. I did this and it resolved the LDAP issue for me.

 

Support said they will check with "engineering team to update the docker repo with latest Java". I assume at some point a new image will be released.

 

Thanks

Community Expert, Oct 25, 2021

Hmm. Glad you solved it, but the first thing I'd suggested was that it may be a JVM version issue. You had said in reply that you showed cf running 11.0.11. You say now that updating to 11.0.13 solved things. Perhaps there was a JVM bug, fixed in 11.0.13 (which came out last week). 

 

I point this out as much for others, since the most recent cf images do come with 11.0.11. And yep, it would be great if Adobe would update them. 

 

Of course, updating the jvm can have other impacts, so that some may wish they could control the jvm version via configuration. Until then, as you found (and I said originally), it IS indeed possible to implement a specific jvm in an image and modify cf to point to that. It could certainly be made still-easier. 


/Charlie (troubleshooter, carehart.org)

New Here, Feb 22, 2023

Seems to still be an issue in 2023.

Here is the output of `java --version` from the `jre/bin` directory of the image:
```
java 11.0.11 2021-04-20 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.11+9-LTS-194)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.11+9-LTS-194, mixed mode)
```
Anyone find any other workarounds? Or better, any word on if this will ever be fixed?

New Here, Feb 22, 2023

Ok, fixed it by replacing the current JRE with `openjdk-jre-11-headless` from ubuntu packages.

Some commands that may help:

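```
# Point java.home in ColdFusion's jvm.config at the Ubuntu OpenJDK 11 location
sed -i 's/java\.home.*/java\.home=\/usr\/lib\/jvm\/java-11-openjdk-amd64/g' '/opt/coldfusion/cfusion/bin/jvm.config'
# Install the OpenJDK 11 headless JRE that the new java.home refers to
apt update;
apt -y install openjdk-11-jre-headless;
```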

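The thread changes two things in `jvm.config`: the `java.home` line (the JRE swap above) and, earlier, the `-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true` argument tried as a diagnostic. The following is an added example, not code from the thread or from Adobe, that audits a `jvm.config` for both and compares a reported Java version against 11.0.13, the version that resolved the issue here. The function names, the sample file and the bundled JRE path in it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two jvm.config settings it touches.

# Print the java.home value ColdFusion is configured to start with.
cf_java_home() {
    sed -n 's/^java\.home=//p' "$1" | head -n 1
}

# Succeed if java.args still carries the diagnostic flag that switches off
# LDAPS endpoint identification (the hostname check added in Java 11.0.1).
cf_endpoint_id_disabled() {
    grep '^java\.args=' "$1" |
        grep -q -- '-Dcom\.sun\.jndi\.ldap\.object\.disableEndpointIdentification=true'
}

# Pull the dotted version out of the first line of `java --version` output.
java_version_of() {
    printf '%s\n' "$1" | sed -n '1s/^[^0-9]*\([0-9][0-9.]*\).*/\1/p'
}

# Succeed if dotted version $1 >= $2, comparing each component numerically.
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Constructed sample: bundled JRE path is an assumption, flag left in after testing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
java.home=/opt/coldfusion/jre
java.args=-server -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
EOF

bundled=$(java_version_of 'java 11.0.11 2021-04-20 LTS')  # line quoted in the thread
echo "java.home: $(cf_java_home "$sample")"
version_at_least "$bundled" 11.0.13 || echo "JVM $bundled is older than 11.0.13"
cf_endpoint_id_disabled "$sample" && echo "endpoint identification check is disabled"
```

Since the flag did not change the error in this thread, a `jvm.config` that still carries it after troubleshooting is giving up the LDAPS hostname check for no benefit.
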
Community Beginner, Jan 30, 2024

This solved the problem for me, thank you so much for the help! Really hope Adobe will release an updated image that fixes this. I'm using adobecoldfusion/coldfusion2021:2021.0.12. 
