[Bug 775167] New: openldap client is missing enable/disable tls/ssl option
https://bugzilla.novell.com/show_bug.cgi?id=775167#c0
Summary: openldap client is missing enable/disable tls/ssl option
Classification: openSUSE
Product: openSUSE 12.2
Version: RC 2
Platform: All
OS/Version: openSUSE 12.2
Status: NEW
Severity: Critical
Priority: P5 - None
Component: YaST2
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: voyager_sat@hotmail.com
QAContact: jsrain@suse.com
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1

The ldap client configuration is missing the LDAP TLS/SSL option which enables or disables the use of TLS on ldap. Right now the only option available and working is the ldap tls/ssl. No ldap client is set up, also no openldap is set up, and other programs that require the ldap client configuration.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=775167#c
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=775167#c1
--- Comment #1 from Ralf Haferkamp
https://bugzilla.novell.com/show_bug.cgi?id=775167#c2
--- Comment #2 from David Sterba
https://bugzilla.novell.com/show_bug.cgi?id=775167#c3
--- Comment #3 from dimitrios voyiatzis
Do I have to use SSSD? A dialog says that
"You can disable SSSD in yast2 ldap-client module" but I don't see how in the dialogs.
yast2-ldap-client-2.22.8-2.1.2.noarch
Neither do I, because the option is missing.
https://bugzilla.novell.com/show_bug.cgi?id=775167#c4
--- Comment #4 from Frank Gore
https://bugzilla.novell.com/show_bug.cgi?id=775167#c5
--- Comment #5 from Ralf Haferkamp
https://bugzilla.novell.com/show_bug.cgi?id=775167#c6
--- Comment #6 from Ralf Haferkamp
So what's a workaround right now? Because this bug is completely preventing me from using opensuse 12.2
Use nss_ldap and configure it manually.
Additionally there is the undocumented "ldap_auth_disable_tls_never_use_in_production" option for sssd. Add that to your [domain/default] section in sssd.conf. Note: That option is only meant for debugging purposes and if you know what you are doing. That's why we are not offering it in the UI and why upstream decided to hide it from the man pages. If you don't agree with that, feel free to bring up that topic on the sssd mailing lists.
https://bugzilla.novell.com/show_bug.cgi?id=775167#c7
--- Comment #7 from Ralf Haferkamp
Do I have to use SSSD?
When you want to use YaST to set it up, yes. Otherwise we still offer nss_ldap or nss-pam-ldapd which you can configure manually.
A dialog says that
"You can disable SSSD in yast2 ldap-client module" but I don't see how in the dialogs.
That's wrong. Where did you find that dialog? I also see that the Online Help is still suggesting that sssd can be switched off. We should fix that in the online help.
https://bugzilla.novell.com/show_bug.cgi?id=775167#c8
--- Comment #8 from Andreas Vetter
I also see that the Online Help is still suggesting that sssd can be switched off. We should fix that in the online help.
The Online Help also does not explain what is expected in the popup window that appears after clicking on SSL/TLS Configuration.
https://bugzilla.novell.com/show_bug.cgi?id=775167#c9
--- Comment #9 from Ralf Haferkamp
https://bugzilla.novell.com/show_bug.cgi?id=775167#c10
--- Comment #10 from Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=775167#c11
--- Comment #11 from Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=775167#c12
--- Comment #12 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=775167#c13
--- Comment #13 from Georges Sancosme
https://bugzilla.novell.com/show_bug.cgi?id=775167#c14
--- Comment #14 from Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=775167#c15
--- Comment #15 from dimitrios voyiatzis
https://bugzilla.novell.com/show_bug.cgi?id=775167#c16
--- Comment #16 from Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=775167#c17
--- Comment #17 from Georges Sancosme
https://bugzilla.novell.com/show_bug.cgi?id=775167#c18
--- Comment #18 from Frank Gore
https://bugzilla.novell.com/show_bug.cgi?id=775167#c19
--- Comment #19 from Jiří Suchomel
Moreover, sssd does provide the possibility not to start a SSL/TLS communication by only setting the ldap_id_use_start_tls parameter to False. A check box would not harm the default behavior, it would only ease the process of installing openSuSE.
Ralf, do you think it would make sense to add a checkbox covering the value of ldap_id_use_start_tls? Or would it be too misleading for other users?
https://bugzilla.novell.com/show_bug.cgi?id=775167#c20
--- Comment #20 from Ralf Haferkamp
https://bugzilla.novell.com/show_bug.cgi?id=775167#c21
--- Comment #21 from Ralf Haferkamp
It's worth noting that this new behavior breaks compatibility with the default SLES LDAP settings. When setting up OpenLDAP with one SLES it defaults to enable SSL/TLS. The same is true when setting up sssd on SLES.
Yes, it's possible to set up TLS on SLES, but it's not enabled by default on installation.
There are many network environments where LDAP does not use (and does not need) TLS. Forcing it on users ensures that opensuse 12.2 will not be used in those environments.
Most other distributions have gone in the same direction, making TLS the default (and practically mandatory) in the latest releases. If opensuse were to retain the old behavior of allowing TLS to be disabled on the client, then it would be one of the only distros to offer that option, which would be a positive difference.
As already pointed out previously, sssd does not really allow a LDAP configuration without SSL/TLS (at least when using LDAP for both id (NSS) and auth (PAM)).
https://bugzilla.novell.com/show_bug.cgi?id=775167#c22
--- Comment #22 from Jiří Suchomel
ldap_id_use_start_tls is only valid for the identity_provider of sssd (the part that resolves user and group names). So when you use ldap for the id provider and kerberos for the auth provider such a setting might make sense.
But when you want to use ldap for authentication it still demands SSL/TLS for the auth-provider part.
So if we'd add such a checkbox we should make sure to document that fact properly.
OK, back to me. Such a checkbox makes sense. It needs to be documented properly, of course.
https://bugzilla.novell.com/show_bug.cgi?id=775167#c23
--- Comment #23 from Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=775167#c24
--- Comment #24 from Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=775167#c25
--- Comment #25 from Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=775167#c26
--- Comment #26 from Ralf Haferkamp
User is not able to edit "ssl" value from YaST, and it should probably stay, without usage of SSSD as default.
I am not really able to parse this sentence. Could you explain in more detail what you mean by this please?
Until now, I'm writing ldap_id_use_start_tls as true iff ssl == "start_tls", which means true by default, because I set ssl to start_tls by default.
However, according to man sssd-ldap, ldap_id_use_start_tls should be false by default.
So what should we do? Offer both checkboxes, for ssl and ldap_id_use_start_tls?
No.
Or just for ldap_id_use_start_tls (comment 23), but how should I decide the value of ssl then?
I'd say the checkbox should update both values "ldap_id_use_start_tls" in sssd.conf and "ssl" in ldap.conf.
Could I safely use "start_tls" default, regardless of the value of ldap_id_use_start_tls?
Not sure what you mean by this.
(In reply to comment #25)
And additionally, which value (ldap_id_use_start_tls vs ssl == start_tls) should I use in various connections to the LDAP server from the YaST module?
Probably it's a good idea to always try with TLS unless sssd is being configured to use krb5 authentication. Reason: As long as "chpass_provider" and/or "auth_provider" are set to "ldap" in sssd.conf, sssd requires a working TLS/SSL setup. Trying to use TLS for YaST is I guess the easiest way to verify that it actually works.
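The rule Ralf lays out in the comment above (sssd insists on TLS whenever auth_provider or chpass_provider is ldap, ldap_id_use_start_tls only governs identity lookups, and the proposed YaST checkbox keeps that key and ldap.conf's "ssl" in step) can be checked mechanically. The following Python is an added example written for this page, not code from YaST or sssd; both config texts are constructed samples, and the finding messages are my own wording.

```python
import configparser
from typing import Dict, List

# Constructed sample of an sssd.conf domain section (not from a real system).
SSSD_CONF = """
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.test
ldap_id_use_start_tls = False
"""

# Constructed sample of /etc/ldap.conf, which uses "key value" lines.
LDAP_CONF = """
host ldap.example.test
base dc=example,dc=test
ssl no
"""

def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse the 'key value' line format of /etc/ldap.conf; keys are case-insensitive."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings

def audit(sssd_text: str, ldap_text: str) -> List[str]:
    """Return findings about the TLS settings of every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    ssl = parse_ldap_conf(ldap_text).get("ssl", "no").lower()
    findings: List[str] = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        id_tls = dom.get("ldap_id_use_start_tls", "false").lower() == "true"
        # auth_provider/chpass_provider = ldap means sssd insists on TLS for
        # authentication no matter what ldap_id_use_start_tls says.
        auth_ldap = any(dom.get(k, "").lower() == "ldap"
                        for k in ("auth_provider", "chpass_provider"))
        if auth_ldap and not id_tls:
            findings.append(f"{section}: auth/chpass provider is ldap, so sssd still "
                            "requires a working TLS/SSL setup for authentication")
        if "ldap_auth_disable_tls_never_use_in_production" in dom:
            findings.append(f"{section}: debug-only option "
                            "ldap_auth_disable_tls_never_use_in_production is set")
        # The proposed YaST checkbox keeps this key and ldap.conf's ssl in step.
        if id_tls != (ssl == "start_tls"):
            findings.append(f"{section}: ldap_id_use_start_tls={id_tls} "
                            f"but ldap.conf has ssl={ssl}")
    return findings
```

With the sample above, audit() reports only that the domain still needs TLS for authentication; switching auth_provider to krb5 clears that finding, which is exactly the id-only case where the checkbox is meaningful.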
https://bugzilla.novell.com/show_bug.cgi?id=775167#c27
--- Comment #27 from Jiří Suchomel
(In reply to comment #24)
User is not able to edit "ssl" value from YaST, and it should probably stay, without usage of SSSD as default.
I am not really able to parse this sentence. Could you explain in more detail what you mean by this please?
Sorry. I mean the situation where the user cannot directly turn on/off SSL/TLS (the value of ldap.conf's "ssl").
Or just for ldap_id_use_start_tls (comment 23), but how should I decide the value of ssl then?
I'd say the checkbox should update both values "ldap_id_use_start_tls" in sssd.conf and "ssl" in ldap.conf.
OK.
https://bugzilla.novell.com/show_bug.cgi?id=775167#c28
--- Comment #28 from Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=775167#c29
--- Comment #29 from dimitrios voyiatzis
Could you please test new yast2-ldap-client package from?
Tried it, but again TLS is not disabled. Also I noticed that when ldap is being set up without TLS, the ldap client cannot create the default configuration objects (without TLS). I think that the best solution is to bring back the old interface (12.1) with the options as they were; otherwise whatever server needs the ldap client from the opensuse side is not working. An example is Active Directory, and Windows clients don't work very well with TLS on Linux, so it needs to be without, so they can work on a Linux ldap server.
https://bugzilla.novell.com/show_bug.cgi?id=775167#c30
--- Comment #30 from Jiří Suchomel
(In reply to comment #28)
Could you please test new yast2-ldap-client package from?
Tried it, but again TLS is not disabled.
Could you describe what you have tested? I installed yast2-ldap-client-2.23.0-1.1.noarch.rpm, started LDAP client, checked Kerberos support, unchecked TLS usage (comment 23) and ended up with a configuration which has the "ssl" value in /etc/ldap.conf set to "no" and "ldap_id_use_start_tls" in sssd.conf set to "False". Isn't this what you wanted?
https://bugzilla.novell.com/show_bug.cgi?id=775167#c31
--- Comment #31 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=775167#c32
--- Comment #32 from David Westfall
https://bugzilla.novell.com/show_bug.cgi?id=775167#c33
--- Comment #33 from Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=775167#c34
--- Comment #34 from Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=775167#c35
--- Comment #35 from David Westfall
https://bugzilla.novell.com/show_bug.cgi?id=775167#c36
--- Comment #36 from Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=775167#c37
--- Comment #37 from dimitrios voyiatzis
https://bugzilla.novell.com/show_bug.cgi?id=775167#c38
--- Comment #38 from Jiří Suchomel
The ldap client cannot create the default objects on the ldap server because of the tls option (the message pops up about the tls).
So you did uncheck "Use TLS for Identity Resolve" before creating those objects, right? If so, do you have y2logs?
https://bugzilla.novell.com/show_bug.cgi?id=775167#c39
--- Comment #39 from Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=775167#c40
--- Comment #40 from Boris Neubert
https://bugzilla.novell.com/show_bug.cgi?id=775167#c41
--- Comment #41 from David Westfall
https://bugzilla.novell.com/show_bug.cgi?id=775167#c42
--- Comment #42 from Jiří Suchomel
Workaround
Uninstall yast2-ldap-client. Install yast2-ldap-client from the 12.1 update repo.
Could you actually try what I proposed in comment 34? There's a new package available for 12.2...
https://bugzilla.novell.com/show_bug.cgi?id=775167#c44
--- Comment #44 from David Westfall
https://bugzilla.novell.com/show_bug.cgi?id=775167#c45
--- Comment #45 from Jiří Suchomel
It does not have the option to turn off SSSD and switch to the NSS maps like I asked about in the bug that I created. But someone said that my bug was a duplicate of this bug.
No, it does not have the option to switch to the NSS maps. We do not support it via GUI now, because we only support SSSD. I think it is a duplicate in the sense "LDAP configuration GUI changed, give me back the old one". We're not going back to NSS. We are able to help with the TLS requirement by SSSD; this is specifically what this bug is about. Sorry, I did not recognize that this is not your problem.
https://bugzilla.novell.com/show_bug.cgi?id=775167#c46
--- Comment #46 from David Westfall
Where is the documentation in SDB for SSSD?
Why should there be? sssd provides excellent documentation already in its man
https://bugzilla.novell.com/show_bug.cgi?id=775167#c47
--- Comment #47 from Ralf Haferkamp
Even with SSSD you need to be able to split your different account types to different branches and limit searches to one level vice an entire tree or branch.
It does, see the sssd-ldap man page. (No, you can't edit those settings via the YaST module currently, but I think it will also not touch/delete them when you add them manually.)
https://bugzilla.novell.com/show_bug.cgi?id=775167#c48
--- Comment #48 from Ralf Haferkamp
(In reply to comment #36)
Jiri,
I was referred here from a duplicate of this issue. I admit that I have lost the thread.
Our LDAP server runs on openWRT without even the opportunity to use SSL/TLS, at least not without going through some lengths. Apart from that we do not it anyway.
My question is whether in the end the changes will enable us to use LDAP for user authorization without SSL/TLS as it was on 12.1.
I guess you need "ldap_auth_disable_tls_never_use_in_production" then. See comment #6 for details and the reason why we don't offer this via UI.
https://bugzilla.novell.com/show_bug.cgi?id=775167#c49
--- Comment #49 from David Sterba
Could you please test new yast2-ldap-client package from?
FWIW, I've installed the packages, rerun yast ldap client config, and it works as expected. Thanks!
https://bugzilla.novell.com/show_bug.cgi?id=775167#c50
--- Comment #50 from Jiří Suchomel