Unable to load shared library `libldap` with .NET 10 on Ubuntu 24.04 (Noble)

[Cosby86]

Describe the bug

Using an LdapClient connection, I receive the following error.

System.TypeInitializationException: The type initializer for 'Ldap' threw an exception.
 ---> System.DllNotFoundException: Unable to load shared library 'libldap-2.5.so.0' or one of its dependencies. In order to help diagnose loading problems, consider using a tool like strace. If you're using glibc, consider setting the LD_DEBUG environment variable:
/app/libldap-2.5.so.0.so: cannot open shared object file: No such file or directory
/app/liblibldap-2.5.so.0.so: cannot open shared object file: No such file or directory
/app/libldap-2.5.so.0: cannot open shared object file: No such file or directory
/app/liblibldap-2.5.so.0: cannot open shared object file: No such file or directory

   at Interop.Ldap.<ldap_get_option_int>g____PInvoke|7_0(IntPtr ldapHandle, LdapOption option, Int32* outValue)
   at Interop.Ldap.ldap_get_option_int(IntPtr ldapHandle, LdapOption option, Int32& outValue)
   at Interop.Ldap..cctor()
   --- End of inner exception stack trace ---
   at Interop.Ldap.ldap_initialize(IntPtr& ld, String uri)
   at System.DirectoryServices.Protocols.ConnectionHandle..ctor()
   at System.DirectoryServices.Protocols.LdapConnection.InternalInitConnectionHandle()
   at System.DirectoryServices.Protocols.LdapConnection.Init()
   at System.DirectoryServices.Protocols.LdapConnection..ctor(LdapDirectoryIdentifier identifier, NetworkCredential credential, AuthType authType)
   at System.DirectoryServices.Protocols.LdapConnection..ctor(LdapDirectoryIdentifier identifier)
   at MyApp.AuthenticationProvider.LDAPAuthenticationService.GetLdapConnection(String username, String password, Boolean anonymousConnection)
   at MyApp.AuthenticationProvider.LDAPAuthenticationService.LogonUser(String username, String password)
Time:15:08:54 [EROR] [MyApp.AuthenticationManager.API.Features.LoginRequest.LoginRequestHandler] Error during Login for user "fd": "Generic"

Docker image has been built with the following Dockerfile:

FROM mcr.microsoft.com/dotnet/sdk:10.0 AS prepare

RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        ca-certificates file && \
    rm -rf /var/lib/apt/lists/*
	
COPY ./docker/ssl/ca.crt /usr/local/share/ca-certificates/

COPY ./docker/ssl/myapp.crt /default/data/ssl/public.crt
COPY ./docker/ssl/myappkey /default/data/ssl/private.key

COPY ./docker/health-probe /app/health-probe

RUN update-ca-certificates && \
    mkdir -p /app && \
    mkdir -p /default/data/ssl /default/data/logs /app/data/Licenses && \
    chown -R 65532:65532 /default/data /app/data && \
    chmod -R 775 /default/data /app/data && \
    chmod +x /app/health-probe 
    

COPY ./src/core/be/output/artifacts/core/. /app/



ARG CHISEL_VERSION="v1.3.0"
ARG CHISEL_WRAPPER_VERSION="v1.2.0"

RUN chisel_url=https://github.com/canonical/chisel/releases/download/${CHISEL_VERSION}/chisel_${CHISEL_VERSION}_linux_amd64.tar.gz \
    && curl -fSLOJ ${chisel_url} \
    && curl -fSL ${chisel_url}.sha384 | sha384sum -c - \
    && tar -xzf chisel_${CHISEL_VERSION}_linux_amd64.tar.gz -C /usr/bin/ chisel \
    && curl -fSL --output /usr/bin/chisel-wrapper https://raw.githubusercontent.com/canonical/rocks-toolbox/${CHISEL_WRAPPER_VERSION}/chisel-wrapper \
    && chmod 755 /usr/bin/chisel-wrapper

COPY --from=mcr.microsoft.com/dotnet/runtime:10.0-noble-chiseled-extra / /rootfs/

RUN chisel-wrapper --generate-dpkg-status /rootfs/var/lib/dpkg/status -- \
        --release ubuntu-24.04 --root /rootfs/ \
            libicu74_libs \
            libldap2 \
            tzdata-legacy_zoneinfo \
            tzdata_zoneinfo

FROM scratch AS final
COPY --link --from=prepare /rootfs /
COPY --link --from=prepare /app /app
WORKDIR /app

COPY --link --from=prepare /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

COPY --link --from=prepare /default/data /default/data
COPY --link --from=prepare /app/data /app/data
COPY --link --from=prepare /default/data/ssl /default/data/ssl

HEALTHCHECK --interval=5s --timeout=3s --start-period=30s \
  CMD ["./health-probe"]

ENTRYPOINT ["./MyApp.API"] 

The code used for the GetLdapConnection:

    private LdapConnection GetLdapConnection(string username, string password, bool anonymousConnection)
    {
        var ldapConnection = new LdapConnection(new LdapDirectoryIdentifier(_ldapHost, _ldapPort));
        ldapConnection.AuthType = AuthType.Anonymous;
        ldapConnection.SessionOptions.ProtocolVersion = 3;
        if (_isSslEncrypt)
        {
            ldapConnection.SessionOptions.SecureSocketLayer = true;
            ldapConnection.SessionOptions.VerifyServerCertificate = ServerCallback;
        }

        if (!anonymousConnection)
        {
            if (_domain != String.Empty)
            {
                username = $"{username}@{_domain}";
            }
            ldapConnection.AuthType = AuthType.Basic;
            ldapConnection.Credential = new NetworkCredential(username, password);   
        }
        else
        {
            ldapConnection.AuthType = AuthType.Anonymous;
        }
                
        ldapConnection.Bind();

        return ldapConnection;
    }
}

Which .NET image(s) are you using?

mcr.microsoft.com/dotnet/runtime:10.0-noble-chiseled-extra

Other information

No response

Output of docker version

Client: Docker Engine - Community
 Version:           29.1.4
 API version:       1.52
 Go version:        go1.25.5
 Git commit:        0e6fee6
 Built:             Thu Jan  8 19:57:04 2026
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          29.1.4
  API version:      1.52 (minimum version 1.44)
  Go version:       go1.25.5
  Git commit:       08440b6
  Built:            Thu Jan  8 19:57:04 2026
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v2.2.1
  GitCommit:        dea7da592f5d1d2b7755e3a161be07f43fad8f75
 runc:
  Version:          1.3.4
  GitCommit:        v1.3.4-0-gd6d73eb8
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Output of docker info

Client: Docker Engine - Community
 Version:    29.1.4
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.30.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v5.0.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 10
  Running: 10
  Paused: 0
  Stopped: 0
 Images: 46
 Server Version: 29.1.4
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: dea7da592f5d1d2b7755e3a161be07f43fad8f75
 runc version: v1.3.4-0-gd6d73eb8
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-90-generic
 Operating System: Ubuntu 24.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 15.62GiB
 Name: vm-tnt-lab
 ID: 3738a052-b45a-453f-8d35-1381eadf9f92
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false
 Firewall Backend: iptables

[Cosby86]

In the same docker image, if I use domain authentication, I have the following error instead:

Error during Login for user "fd": "System.DirectoryServices.AccountManagement is not supported on this platform."
System.PlatformNotSupportedException: System.DirectoryServices.AccountManagement is not supported on this platform.

[DiniFarb]

Same on aspnet:10.0 and runtime:10.0 the libldap seems to be no longer installed, a check with:
docker run -it mcr.microsoft.com/dotnet/aspnet:10.0 apt list | grep ldap
returns nothing.

[lbussell]

[Triage] @Cosby86 - can you confirm whether your scenario works when you install libldap2 on the default (non-chiseled) image? e.g. mcr.microsoft.com/dotnet/runtime:10.0-noble.

I suspect that something is not getting set up properly when installing the libldap2 slice. I will investigate the filesystem difference between installing the slice on Chiseled and installing the package on regular Ubuntu with apt.

[Cosby86]

Hello @lbussell
I tried doing the test, but the error is the same:

I used the following dockerfile

# Prepare stage - prepara certificati e cartelle
FROM mcr.microsoft.com/dotnet/runtime:10.0-noble

# install needed packages in a single layer
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        ca-certificates libldap2 && \
    rm -rf /var/lib/apt/lists/*
	
COPY ./docker/ssl/ca.crt /usr/local/share/ca-certificates/

# Copy SSL certificates
COPY ./docker/ssl/app.crt /default/data/ssl/public.crt
COPY ./docker/ssl/app.key /default/data/ssl/private.key

# Copy health check probe tool
COPY ./docker/health-probe /app/health-probe

# Create needed folders with correct permissions for nonroot user (65532:65532)
RUN update-ca-certificates && \
    mkdir -p /app && \
    mkdir -p /default/data/ssl /default/data/logs /app/data/Licenses && \
    chown -R 65532:65532 /default/data /app/data && \
    chmod -R 775 /default/data /app/data && \
    chmod +x /app/health-probe 
    
#Copy app
COPY ./src/app/. /app/

WORKDIR /app

# Setting the health check
HEALTHCHECK --interval=5s --timeout=3s --start-period=30s \
  CMD ["./health-probe"]

ENTRYPOINT ["./app"]

and I got the same error:

System.TypeInitializationException: The type initializer for 'Ldap' threw an exception.
 ---> System.DllNotFoundException: Unable to load shared library 'libldap-2.5.so.0' or one of its dependencies. In order to help diagnose loading problems, consider using a tool like strace. If you're using glibc, consider setting the LD_DEBUG environment variable:
/app/libldap-2.5.so.0.so: cannot open shared object file: No such file or directory
/app/liblibldap-2.5.so.0.so: cannot open shared object file: No such file or directory
/app/libldap-2.5.so.0: cannot open shared object file: No such file or directory
/app/liblibldap-2.5.so.0: cannot open shared object file: No such file or directory

   at Interop.Ldap.<ldap_get_option_int>g____PInvoke|7_0(IntPtr ldapHandle, LdapOption option, Int32* outValue)
   at Interop.Ldap.ldap_get_option_int(IntPtr ldapHandle, LdapOption option, Int32& outValue)
   at Interop.Ldap..cctor()
   --- End of inner exception stack trace ---
   at Interop.Ldap.ldap_initialize(IntPtr& ld, String uri)
   at System.DirectoryServices.Protocols.ConnectionHandle..ctor()
   at System.DirectoryServices.Protocols.LdapConnection.InternalInitConnectionHandle()
   at System.DirectoryServices.Protocols.LdapConnection.Init()
   at System.DirectoryServices.Protocols.LdapConnection..ctor(LdapDirectoryIdentifier identifier, NetworkCredential credential, AuthType authType)
   at System.DirectoryServices.Protocols.LdapConnection..ctor(LdapDirectoryIdentifier identifier)
   at App.AuthenticationProvider.LDAPAuthenticationService.GetLdapConnection(String username, String password, Boolean anonymousConnection)
   at App.AuthenticationProvider.LDAPAuthenticationService.LogonUser(String username, String password)

With the follwoing (non microsoft image) it works like a charm:

FROM debian:bookworm-slim
 
# requirement for culture management
RUN apt-get update && \
    apt-get install -y --no-install-recommends libicu72 libssl-dev curl ca-certificates && \
    apt-get clean && \
    apt-get autoremove -y && \
    rm -rf /var/lib/apt/lists/*
 
COPY entrypoint_wrapper.sh /usr/local/bin/entrypoint_wrapper.sh
RUN chmod +x /usr/local/bin/entrypoint_wrapper.sh

# import TLS certificates
RUN mkdir -p /default/data/ssl

COPY ssl/app.crt /default/data/ssl/public.crt
COPY ssl/app.key /default/data/ssl/private.key

# create default logs folder
RUN mkdir -p /default/data/logs

RUN mkdir -p /usr/local/share/ca-certificates/
COPY ./ca.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

WORKDIR /app
COPY output/artifacts/core/Linux-x64/. /app/.

# crete default folders
RUN mkdir -p /app/data/Licenses

CMD ["./app"]

[lbussell]

Hmm. I would have expected this to work when using the non-distroless image with libldap2. It looks like #111553 might not have worked. Also related: #108448, #69456.

When installing libldap2 on Noble:

# find . -iname '*libldap*'
./var/lib/dpkg/info/libldap2:arm64.md5sums
./var/lib/dpkg/info/libldap-common.list
./var/lib/dpkg/info/libldap2:arm64.shlibs
./var/lib/dpkg/info/libldap-common.md5sums
./var/lib/dpkg/info/libldap2:arm64.list
./var/lib/dpkg/info/libldap2:arm64.symbols
./var/lib/dpkg/info/libldap-common.conffiles
./var/lib/dpkg/info/libldap2:arm64.triggers
./usr/lib/aarch64-linux-gnu/libldap.so.2
./usr/lib/aarch64-linux-gnu/libldap.so.2.0.200
./usr/share/doc/libldap2
./usr/share/doc/libldap-common

libldap.so.2 is present as expected. #111553 says that it should try to load from there first.

When installing libldap2 on Bookworm, it looks like .NET will most likely load libldap-2.5.so.0:

# find . -iname '*libldap*'
./var/lib/dpkg/info/libldap-2.5-0:arm64.shlibs
./var/lib/dpkg/info/libldap-2.5-0:arm64.list
./var/lib/dpkg/info/libldap-common.list
./var/lib/dpkg/info/libldap-2.5-0:arm64.triggers
./var/lib/dpkg/info/libldap-common.md5sums
./var/lib/dpkg/info/libldap-2.5-0:arm64.md5sums
./var/lib/dpkg/info/libldap-common.conffiles
./var/lib/dpkg/info/libldap-2.5-0:arm64.symbols
./usr/lib/aarch64-linux-gnu/libldap-2.5.so.0.1.8
./usr/lib/aarch64-linux-gnu/libldap-2.5.so.0
./usr/share/doc/libldap-2.5-0
./usr/share/doc/libldap-common

The relevant assembly loading code is here:

runtime/src/libraries/Common/src/Interop/Linux/OpenLdap/Interop.Ldap.cs

Lines 72 to 92 in f8d2bbf

	Assembly currentAssembly = typeof(Ldap).Assembly;
	// Register callback that tries to load other libraries when the default library "libldap.so.2" is not found.
	// It is a convention to create the symbolic link "libldap.so.2" to point to a versioned library but not all distros do that.
	AssemblyLoadContext.GetLoadContext(currentAssembly).ResolvingUnmanagedDll += (assembly, ldapName) =>
	{
	if (assembly != currentAssembly || ldapName != Libraries.OpenLdap)
	{
	return IntPtr.Zero;
	}
	// Try versioned libraries.
	if (NativeLibrary.TryLoad("libldap-2.6.so.0", out IntPtr handle) ||
	NativeLibrary.TryLoad("libldap-2.5.so.0", out handle) ||
	NativeLibrary.TryLoad("libldap-2.4.so.2", out handle))
	{
	return handle;
	}
	return IntPtr.Zero;
	};

I am going rename this issue and transfer it to the runtime repo for further investigation.