[Bug 623752] New: yast ldap module doesn't setup ldaps correctly
http://bugzilla.novell.com/show_bug.cgi?id=623752
http://bugzilla.novell.com/show_bug.cgi?id=623752#c0

           Summary: yast ldap module doesn't setup ldaps correctly
    Classification: openSUSE
           Product: openSUSE 11.2
           Version: Final
          Platform: 64bit
        OS/Version: openSUSE 11.3
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: YaST2
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: alston@utdallas.edu
         QAContact: jsrain@novell.com
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.10) Gecko/20100506 SUSE/3.5.10-0.1.1 Firefox/3.5.10

I used almost identical settings for the "yast2 ldap" module in 11.3 as I did in 11.2, but /var/log/messages kept complaining that it couldn't connect to the LDAP server until I manually copied the /etc/ldap.conf file the "yast2 ldap" module from 11.2 made onto the 11.3 box.

Reproducible: Always

Steps to Reproduce:
1. yast2 ldap
2. set LDAP server host
3. set LDAP base DN correctly
4. select "LDAP TLS/SSL" checkbox
5. select "ok"
6. getent passwd <ldap-login-id>

Actual Results:
-snip from /var/log/messages-
Jul 19 18:06:04 linux-cotw worker_nscd: nss_ldap: ldap_start_tls failed: Can't contact LDAP server
Jul 19 18:06:04 linux-cotw worker_nscd: nss_ldap: ldap_start_tls failed: Can't contact LDAP server
Jul 19 18:06:04 linux-cotw worker_nscd: nss_ldap: could not search LDAP server - Server is unavailable
-snip-

Expected Results:
"getent passwd <ldap-login-id>" should show the passwd string for the specified <ldap-login-id>.

* when I ran a tcpdump after I used the yast2 ldap module to set up LDAPS authentication I noticed that nscd was trying to use the default ldap port (389) instead of the ldaps port (636)
* a comparison of the /etc/ldap.conf files generated by the yast2 ldap module between YaST in 11.2 and 11.3 shows that the following value is missing in the config generated by 11.3's YaST

tls_checkpear = no

-- 
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=623752#c1

--- Comment #1 from David Alston ---
http://bugzilla.novell.com/show_bug.cgi?id=623752#c2

--- Comment #2 from Jiří Suchomel ---
(In reply to comment #1)
> * a comparison of the /etc/ldap.conf files generated by the yast2 ldap module between YaST in 11.2 and 11.3 shows that the following value is missing in the config generated by 11.3's YaST
>
> tls_checkpear = no

This is correct, AFAIK. Now the default value of tls_checkpear is true. Ralf, could you comment?

(In reply to comment #1)
> about the port that is being used...
> it looks like the "ssl on" line in /etc/ldap.conf isn't being added when checking the "SSL/TLS" checkbox and so the LDAP queries are going to the ldap port instead of the ldaps port

Checking "SSL/TLS" should add "ssl start_tls" line, not "ssl on". Or was anything changed?
http://bugzilla.novell.com/show_bug.cgi?id=623752#c3

--- Comment #3 from Ralf Haferkamp ---

(In reply to comment #2)
> > tls_checkpear = no
>
> This is correct, AFAIK. Now the default value of tls_checkpear is true.
> Ralf, could you comment?

Not much to comment on here. Using TLS without certificate verification isn't exactly secure. That's why we don't add the "tls_checkpear no" any longer in 11.3. That means that you need to provide the yast2 module the CA certificate.

> (In reply to comment #1)
> > about the port that is being used...
> > it looks like the "ssl on" line in /etc/ldap.conf isn't being added when checking the "SSL/TLS" checkbox and so the LDAP queries are going to the ldap port instead of the ldaps port
>
> Checking "SSL/TLS" should add "ssl start_tls" line, not "ssl on". Or was anything changed?

No. We always used "ssl start_tls". StartTLS is the standardized way to do TLS with LDAP and it doesn't use the (only semi-official) ldaps port (636).

[I adjusted the product as this is a bugreport against 11.3 and not 11.2]
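The two points the thread settles (StartTLS negotiates TLS on port 389, so a capture showing 389 is expected, and nss_ldap now verifies the server certificate by default, so a CA certificate must be supplied instead of turning verification off) can be checked mechanically against a client's /etc/ldap.conf. The audit below is an added example, not code from the bug report, from nss_ldap or from YaST. It assumes the PADL nss_ldap option names (host, uri, port, base, ssl, tls_checkpeer, tls_cacertfile, tls_cacertdir), the default of tls_checkpeer = yes described in comments #2 and #3, and the conventional ports 389 and 636; note that the option is spelled tls_checkpeer in nss_ldap, and the thread's "tls_checkpear" is a typo. The four sample configs are constructed for the example.

```python
"""Audit the TLS settings of a PADL-style /etc/ldap.conf (nss_ldap / pam_ldap).

Added example; not code from the bug report, nss_ldap or YaST.  Assumes the
nss_ldap option names, the default tls_checkpeer = yes (comments #2/#3) and
the conventional ports.  All sample configs below are constructed.
"""

LDAP_PORT = 389    # ldap:// and StartTLS: TLS is negotiated on the plain port
LDAPS_PORT = 636   # ldaps://: TLS from the first byte


def parse_ldap_conf(text):
    """Map option -> value (lowercase keys; a later line overrides an earlier one)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def transport(conf):
    """'ldaps', 'starttls' or 'cleartext', from the ssl option and the uri scheme."""
    scheme = conf.get("uri", "").partition("://")[0].lower()
    ssl = conf.get("ssl", "no").lower()
    if ssl == "on" or scheme == "ldaps":
        return "ldaps"
    if ssl == "start_tls":
        return "starttls"
    return "cleartext"


def effective_port(conf):
    """Port the client opens: explicit port, port in the uri, else by transport."""
    if conf.get("port"):
        return int(conf["port"])
    hostport = conf.get("uri", "").partition("://")[2].split("/", 1)[0]
    if hostport.count(":") == 1:               # host:port (IPv6 literals not handled)
        return int(hostport.rsplit(":", 1)[1])
    return LDAPS_PORT if transport(conf) == "ldaps" else LDAP_PORT


def audit(text):
    """Return transport, port, whether the peer cert is verified, and findings."""
    conf = parse_ldap_conf(text)
    mode = transport(conf)
    # Assumed default is yes (comments #2/#3); 'tls_checkpeer no' accepts any cert.
    verify = conf.get("tls_checkpeer", "yes").lower() not in ("no", "off", "false", "0")
    has_ca = bool(conf.get("tls_cacertfile") or conf.get("tls_cacertdir"))
    findings = []
    if mode == "cleartext":
        findings.append("no TLS: set 'ssl start_tls' (port 389) or an ldaps:// uri (636)")
    elif not verify:
        findings.append("tls_checkpeer no: the server certificate is not verified, so an "
                        "on-path attacker can impersonate the directory")
    elif not has_ca:
        findings.append("verification is on but no tls_cacertfile/tls_cacertdir is set: "
                        "supply the CA certificate the server cert chains to")
    return {"transport": mode, "port": effective_port(conf), "verify": verify,
            "ca_configured": has_ca, "findings": findings}


# Constructed sample: the 11.2-style file the reporter copied over (StartTLS, no verification).
CONF_11_2 = """\
host ldap.example.edu
base dc=example,dc=edu
ssl start_tls
tls_checkpeer no
"""

# Constructed sample: what 11.3 writes when no CA certificate is given to the YaST module.
CONF_11_3_NO_CA = """\
host ldap.example.edu
base dc=example,dc=edu
ssl start_tls
"""

# Constructed sample: 11.3 with the CA certificate supplied; verification stays on.
CONF_11_3_CA = """\
host ldap.example.edu
base dc=example,dc=edu
ssl start_tls
tls_cacertfile /etc/ssl/certs/example-edu-ca.pem
"""

# Constructed sample: real ldaps, the one case where 636 is the port to expect in a capture.
CONF_LDAPS = """\
uri ldaps://ldap.example.edu/
base dc=example,dc=edu
tls_cacertdir /etc/ssl/certs
"""

if __name__ == "__main__":
    for name, text in [("11.2", CONF_11_2), ("11.3 no CA", CONF_11_3_NO_CA),
                       ("11.3 + CA", CONF_11_3_CA), ("ldaps", CONF_LDAPS)]:
        r = audit(text)
        print(f"{name:11} {r['transport']:9} port {r['port']}  verify={r['verify']}  "
              f"{'; '.join(r['findings']) or 'ok'}")
```

Run against a real /etc/ldap.conf, the audit reports the 11.2 file as StartTLS on 389 with verification disabled, the bare 11.3 file as StartTLS on 389 with verification on but no CA (the configuration behind the "Can't contact LDAP server" lines in the report), and only the ldaps:// variant as port 636.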