Docker Community Forums


Connecting to corporate Active Directory


(Drizztguen77) #1

I have setup docker containers for most of our development environment but am having trouble figuring out one final piece. Our application needs to connect to our corporate Active Directory using the ldap:// protocol. I can’t seem to figure out how to go about this from the container. I’m happy to research and play with it to figure it out but can’t find anything that explains how to go about this. Can someone point me in the right direction or explain how I can go about this?

It also needs to connect to AWS Cognito, which I also can’t figure out how to do. I assume it would be similar to connecting to AD (LDAP).

Thanks,
Curtis


(Torenware) #2

It’s been some years since I’ve used LDAP, and I haven’t used Cognito at all. I’d guess that you need to use LDAP with TLS to connect to modern LDAP servers, so this would go out on port 636. I’m not sure what kind of application you’re using to query the AD server. But at least using Linux containers, I don’t think you need to do anything special to reach the AD server from within the container; Docker will route your request out from the container.

Looking at some MS documentation, you may need to worry about more than this, since it looks like MS also requires you to set up Kerberos for your clients, among other things. Again, using Linux containers (it isn’t clear if you’re using Windows or Linux containers), copying the needed client programs into an image via your Dockerfile isn’t much different from what would be done if you were writing a bash script on a Linux virtual system.


(Drizztguen77) #3

Sorry about that. I didn’t include enough detail. We are currently connecting to and using MS Active Directory from our Java code running in a Tomcat container (I believe it’s running on Alpine Linux). It connects on port 636 but what I am not sure how to handle is that as I understand it the containers have their own internal network. How can it see the company network? Do I need to map port 636 as a port external to the container? And how can it see the company DNS server from the docker internal network?

For example, say I normally connect like this from inside our code:

ldaps://ldap.company.com:636/

How do I configure the container to be able to see that URL (configured in the company DNS) and port?


(Torenware) #4

In order to allow incoming connections to get to a container, the container needs to expose the port (done in the Dockerfile), and when the container gets brought up, the exposed port needs to be mapped (either via “docker container run…” or a clause in the docker-compose.yml’s service block for it).

But you don’t need to do anything special to see out of the container. It should just work. You can verify that by using “docker container exec” to spawn a shell in the container, and use something like ping to check that DNS resolves, or an ldap command line utility to try and talk to the LDAP server.

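The check described in the reply above (resolve the name, reach port 636, then complete a TLS handshake) as one runnable diagnostic. This is an added example, not code from the thread or from Docker; it assumes Python 3 is available wherever it is run (copied into the container with `docker cp` and started via `docker container exec`, or run from a host on the corporate network). `ldap.company.com:636` is the endpoint from the thread; the `ca_file` argument, the status names and the closed-port self-check are constructed for this example.

```python
"""Diagnose an LDAPS endpoint step by step: DNS, TCP, then a verified TLS handshake.

Each step fails with its own status so the reader can tell a container DNS problem
(wrong resolv.conf) from a firewall problem (port 636 blocked) from a trust problem
(corporate CA not in the client's trust store). Constructed example, not project code.
"""
import socket
import ssl

LDAPS_HOST = "ldap.company.com"  # endpoint named in the thread
LDAPS_PORT = 636


def resolve(host):
    """Return the sorted IP addresses the local resolver gives for host, or [] if it
    does not resolve (inside a container this usually means /etc/resolv.conf does
    not point at a DNS server that knows the corporate zone)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def diagnose(host, port, ca_file=None, timeout=5.0):
    """Return (status, detail). Statuses in the order they are checked:
    dns_failure, tcp_refused, tcp_unreachable, tls_untrusted, tls_error, ok.
    ca_file (assumed parameter) is a PEM bundle holding the corporate CA; when it is
    None the platform default trust store is used, which will not contain an internal CA."""
    addrs = resolve(host)
    if not addrs:
        return "dns_failure", f"{host} does not resolve; check the container's DNS settings"
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as exc:
        return "tcp_refused", f"{host}:{port} -> {exc}"
    except OSError as exc:  # includes timeouts and 'no route to host'
        return "tcp_unreachable", f"{host}:{port} -> {exc}"
    # create_default_context() verifies the chain AND the hostname; never relax this
    # to work around a trust error, fix the trust store instead.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)  # handshake happens here
    except ssl.SSLCertVerificationError as exc:
        raw.close()
        return "tls_untrusted", f"certificate not trusted: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        raw.close()
        return "tls_error", str(exc)
    with tls:
        subject = tls.getpeercert().get("subject")
        return "ok", f"{tls.version()} to {addrs[0]}, subject={subject}"


def closed_local_port():
    """Pick a loopback port nobody listens on, so the tcp_refused branch can be
    demonstrated offline (used by the self-check below)."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    # Self-check that needs no network: a closed loopback port and a name that cannot exist.
    print(diagnose("localhost", closed_local_port()))
    print(diagnose("does-not-exist.invalid", LDAPS_PORT))
    # The real check against the corporate directory (needs the corporate network/DNS):
    print(diagnose(LDAPS_HOST, LDAPS_PORT, ca_file=None))
```

A `tls_untrusted` result is the case to expect first from a freshly built image: the container's trust store does not know the corporate CA. For the Java application in the thread the relevant store is the JVM's `cacerts`, so the fix is to import the CA certificate there at image build time (for example with `keytool -importcert`) rather than to disable certificate verification in the LDAP client configuration.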

(Drizztguen77) #5

Ahhh great thanks. I’ll try that.


(Deeruattavar) #7

Quick answer: no, containers are not supported as part of AD, so you can’t use AD accounts to run processes within a container or authenticate with it.

This used to be mentioned on the MS Containers site but the original link now redirects.


Original wording (CTP 3 or 4?): “Containers cannot join Active Directory domains, and cannot run services or applications as domain users, service accounts, or machine accounts.”

I don’t know if that will change in a later release.