[Bug 662949] New: yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file
https://bugzilla.novell.com/show_bug.cgi?id=662949
https://bugzilla.novell.com/show_bug.cgi?id=662949#c0

Summary: yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file
Classification: openSUSE
Product: openSUSE 11.4
Version: Milestone 5 of 6
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: YaST2
AssignedTo: jsuchome@novell.com
ReportedBy: rhafer@novell.com
QAContact: jsrain@novell.com
Found By: Development
Blocker: ---

How to reproduce:

1. Copy the CA (in PEM format) used to sign the certificate of your LDAP Server to your LDAP client.
2. Start yast2-ldap-client, enter the LDAP Server Name.
3. Click "download CA-Certificate".
4. Enter "file:</path/to/the/CA/file" and click ok.
5. Click "Fetch DN".

You'll get an LDAP connection error popup indicating that the SSL handshake failed (because of the missing CA).

Expected behavior: ldap-client should configure the downloaded CA to be used before connecting to the server.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=662949#c1

--- Comment #1 from Jiří Suchomel <jsuchome@novell.com> 2011-01-07 11:50:49 UTC ---
I hope this could be achieved by fixing bug 662937, right?
https://bugzilla.novell.com/show_bug.cgi?id=662949#c2

Jiří Suchomel <jsuchome@novell.com> changed:
  Status: NEW -> NEEDINFO
  InfoProvider: (none) -> rhafer@novell.com

--- Comment #2 from Jiří Suchomel <jsuchome@novell.com> 2011-01-07 12:00:01 UTC ---
Please check if it was fixed with the new package.
https://bugzilla.novell.com/show_bug.cgi?id=662949#c3

--- Comment #3 from Ralf Haferkamp <rhafer@novell.com> 2011-01-07 13:26:54 CET ---
(In reply to comment #1)
> I hope this could be achieved by fixing bug 662937, right?

Maybe. I'll check. If that didn't fix it we might need to extend the ldap-agent a bit, to be able to reset the libldap TLS context.
https://bugzilla.novell.com/show_bug.cgi?id=662949#c4

Ralf Haferkamp <rhafer@novell.com> changed:
  Priority: P5 - None -> P3 - Medium
  Status: NEEDINFO -> NEW
  CC: (none) -> jsuchome@novell.com
  InfoProvider: rhafer@novell.com -> (none)
  AssignedTo: jsuchome@novell.com -> rhafer@novell.com

--- Comment #4 from Ralf Haferkamp <rhafer@novell.com> 2011-01-07 13:41:20 CET ---
The bug 662937 fix is of course not enough. As /etc/openldap/ldap.conf is not yet written at that point in the workflow, the LDAP library does not know where to look for the CA file. I guess we need to add additional calls to the ldap-agent to set up SSL/TLS parameters; AFAIK it doesn't provide that yet. I'll see if I can implement that somehow, luckily ldapcpplib has that functionality already.
https://bugzilla.novell.com/show_bug.cgi?id=662949#c5

Ralf Haferkamp <rhafer@novell.com> changed:
  AssignedTo: rhafer@novell.com -> jsuchome@novell.com

--- Comment #5 from Ralf Haferkamp <rhafer@novell.com> 2011-01-10 13:54:18 CET ---
Implementing the TLS Settings in ldap-agent doesn't seem to be very hard. I have however a hard time integrating that into Ldap.ycp (and ldap-client) in general, as I don't know that code well enough. Would be nice if you could take a look at that.

To change the TLS Settings you can use the TlsOptions Class of the LDAP C++ library (as it is available on Factory). To change the options globally (for all new LDAPConnections) you just instantiate a TlsOptions object and call setOption like this:

    // Global TLS options: they apply to every LDAPConnection created afterwards.
    // ("TlsOptions tls();" would declare a function, not an object.)
    TlsOptions tls;
    tls.setOption( TlsOptions::CACERTFILE, cacertfile );
    tls.setOption( TlsOptions::CACERTDIR, cacertdir );
    tls.setOption( TlsOptions::REQUIRE_CERT, TlsOptions::DEMAND );

To change the TLS Setting of an existing LDAPConnection object you need to construct the TlsOptions Object like this:

    // Per-connection TLS options, bound to the LDAPConnection that "ldap" points to.
    TlsOptions tls = ldap->getTlsOptions();

Note that changing the TLS options only works before SSL/TLS on an LDAP connection has been established (and that's probably the hard part, but there is not much I can change about that). I.e. you must change the TlsOptions before the first call to start_tls(). That means that in order to apply changed TLS settings when the LDAP agent has already established an SSL/TLS connection you need to close and destroy that connection (unbind()) and create a new one.
https://bugzilla.novell.com/show_bug.cgi?id=662949#c

Jiří Suchomel <jsuchome@novell.com> changed:
  Status: NEW -> ASSIGNED
https://bugzilla.novell.com/show_bug.cgi?id=662949#c6

Jiří Suchomel <jsuchome@novell.com> changed:
  Status: ASSIGNED -> NEEDINFO
  InfoProvider: (none) -> rhafer@novell.com

--- Comment #6 from Jiří Suchomel <jsuchome@novell.com> 2011-01-13 10:53:19 UTC ---
Hopefully done. Please test with yast2-ldap-2.20.0 and yast2-ldap-client-2.20.6 (I did not play with that unbind part yet).
https://bugzilla.novell.com/show_bug.cgi?id=662949#c7

Ralf Haferkamp <rhafer@novell.com> changed:
  Status: NEEDINFO -> ASSIGNED
  InfoProvider: rhafer@novell.com -> (none)

--- Comment #7 from Ralf Haferkamp <rhafer@novell.com> 2011-01-14 09:55:57 CET ---
(In reply to comment #6)
> Hopefully done. Please test with yast2-ldap-2.20.0 and yast2-ldap-client-2.20.6

Basically this seems to work now, thanks.

> (I did not play with that unbind part yet)

Hm, I just recognized that if I disable TLS/SSL (which is only possible when configuring nss_ldap instead of sssd), click "Fetch DN", and after that re-enable TLS, download a valid CA and click "Fetch DN" again, the ldap-client module doesn't reconnect to the LDAP Server; it just continues using the old unencrypted LDAP connection. This can be problematic if e.g. the LDAP Server restricts access to certain parts of the tree depending on whether the client uses encryption or not. I think unbinding the existing connection after the TLS Settings were changed is the right thing to do.
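The ordering rule from comment #5 (TLS options only take effect before the first start_tls()) and the stale plaintext connection described in comment #7, illustrated together in an added example that is not part of this bug thread and is not ldapcpplib's own code: a self-contained C++ model of the client session lifecycle in which changing TLS settings on an established connection forces an unbind and reconnect, and a query over a plaintext connection is refused once the settings require TLS. Every name below (TlsSettings, LdapSession, configureTls, fetchBaseDn, reconnectScenario, missingCaIsRejected), the host name and the CA path are assumptions made for this illustration.

```cpp
#include <stdexcept>
#include <string>

// Model of the session lifecycle from comments #5 and #7. It is NOT
// ldapcpplib's LDAPConnection/TlsOptions; all names here are assumptions.
// Rule enforced: TLS options only apply to a connection whose handshake has
// not happened yet, so once settings change, any existing connection
// (encrypted or plaintext) must be unbound and re-created.

enum class RequireCert { Never, Allow, Try, Demand };

struct TlsSettings {
    bool enabled = false;                       // StartTLS requested?
    std::string cacertfile;                     // CA used to verify the server cert
    RequireCert requireCert = RequireCert::Demand;

    bool operator==(const TlsSettings& o) const {
        return enabled == o.enabled && cacertfile == o.cacertfile &&
               requireCert == o.requireCert;
    }
};

class LdapSession {
public:
    enum class State { Disconnected, Plaintext, Encrypted };

    // Apply new TLS settings. Returns true when an established connection had
    // to be dropped, because options cannot be changed on it after the fact.
    bool configureTls(const TlsSettings& s) {
        if (s == settings_) return false;
        const bool dropped = (state_ != State::Disconnected);
        if (dropped) unbind();
        settings_ = s;
        return dropped;
    }

    // Open a connection with the *current* settings. Models the failure in the
    // original report: REQUIRE_CERT=demand with no CA file means the server
    // certificate cannot be verified, so StartTLS fails.
    void connect() {
        if (state_ != State::Disconnected) return;
        if (settings_.enabled) {
            if (settings_.requireCert == RequireCert::Demand &&
                settings_.cacertfile.empty())
                throw std::runtime_error("StartTLS failed: no CA certificate configured");
            state_ = State::Encrypted;
        } else {
            state_ = State::Plaintext;
        }
        ++connectionsOpened_;
    }

    // "Fetch DN": base-scope query for the naming context. Refuses to run over
    // a plaintext connection when the settings demand TLS (comment #7's case).
    std::string fetchBaseDn() {
        connect();
        if (settings_.enabled && state_ != State::Encrypted)
            throw std::logic_error("plaintext connection reused after enabling TLS");
        return "dc=example,dc=com";             // constructed sample naming context
    }

    void unbind() { state_ = State::Disconnected; }
    State state() const { return state_; }
    int connectionsOpened() const { return connectionsOpened_; }

private:
    TlsSettings settings_;
    State state_ = State::Disconnected;
    int connectionsOpened_ = 0;
};

// Comment #7 scenario: query with TLS off, then enable TLS with a downloaded
// CA and query again. Returns the number of connections opened: 2 means the
// session was re-established; 1 would mean the plaintext one leaked through.
int reconnectScenario() {
    LdapSession session;
    TlsSettings plain;                           // TLS disabled
    session.configureTls(plain);
    session.fetchBaseDn();                       // plaintext connection

    TlsSettings tls;
    tls.enabled = true;
    tls.cacertfile = "/etc/ssl/certs/example-ca.pem";   // constructed path
    const bool dropped = session.configureTls(tls);     // forces unbind()
    session.fetchBaseDn();                       // fresh, encrypted connection

    if (!dropped || session.state() != LdapSession::State::Encrypted) return -1;
    return session.connectionsOpened();
}

// Original-report scenario: TLS enabled before any CA is configured.
// Returns true when the handshake is (correctly) rejected.
bool missingCaIsRejected() {
    LdapSession session;
    TlsSettings tls;
    tls.enabled = true;                          // cacertfile left empty
    session.configureTls(tls);
    try {
        session.fetchBaseDn();
    } catch (const std::runtime_error&) {
        return true;
    }
    return false;
}
```

In a real client the equivalent of configureTls() would set TlsOptions::CACERTFILE and TlsOptions::REQUIRE_CERT on a fresh LDAPConnection, as comment #5 shows, before its first start_tls(); the point the model makes is that the pre-existing connection is never reused once those settings change. reconnectScenario() returns 2 and missingCaIsRejected() returns true.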
https://bugzilla.novell.com/show_bug.cgi?id=662949#c8

--- Comment #8 from Jiří Suchomel <jsuchome@novell.com> 2011-01-14 09:46:45 UTC ---
OK, I'll work on it.
https://bugzilla.novell.com/show_bug.cgi?id=662949#c9

--- Comment #9 from Jiří Suchomel <jsuchome@novell.com> 2011-02-04 10:48:33 UTC ---
(In reply to comment #8)
> OK, I'll work on it.

Package for testing is in home:jsuchome
https://bugzilla.novell.com/show_bug.cgi?id=662949#c10

--- Comment #10 from Ralf Haferkamp <rhafer@novell.com> 2011-02-04 13:28:26 CET ---
(In reply to comment #9)
> Package for testing is in home:jsuchome

Looks good. At least the "Fetch DN" thing I described in comment #7 is working now.
https://bugzilla.novell.com/show_bug.cgi?id=662949#c11

Jiří Suchomel <jsuchome@novell.com> changed:
  Status: ASSIGNED -> RESOLVED
  Resolution: (none) -> FIXED

--- Comment #11 from Jiří Suchomel <jsuchome@novell.com> 2011-02-04 14:21:26 UTC ---
Finally fixed in yast2-ldap-client-2.20.14 and yast2-ldap-2.20.1