[Bug 662949] New: yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file
https://bugzilla.novell.com/show_bug.cgi?id=662949
https://bugzilla.novell.com/show_bug.cgi?id=662949#c0

Summary: yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file
Classification: openSUSE
Product: openSUSE 11.4
Version: Milestone 5 of 6
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: YaST2
AssignedTo: jsuchome@novell.com
ReportedBy: rhafer@novell.com
QAContact: jsrain@novell.com
Found By: Development
Blocker: ---

How to reproduce:
1. Copy the CA (in PEM format) used to sign the certificate of your LDAP Server to your LDAP client.
2. Start yast2-ldap-client, enter the LDAP Server Name.
3. Click "download CA-Certificate".
4. Enter "file:
https://bugzilla.novell.com/show_bug.cgi?id=662949#c1
--- Comment #1 from Jiří Suchomel

https://bugzilla.novell.com/show_bug.cgi?id=662949#c2
--- Comment #2 from Jiří Suchomel

https://bugzilla.novell.com/show_bug.cgi?id=662949#c3
--- Comment #3 from Ralf Haferkamp
> I hope this could be achieved by fixing bug 662937, right?

Maybe. I'll check. If that didn't fix it, we might need to extend the ldap-agent a bit to be able to reset the libldap TLS context.
https://bugzilla.novell.com/show_bug.cgi?id=662949#c4
--- Comment #4 from Ralf Haferkamp

https://bugzilla.novell.com/show_bug.cgi?id=662949#c5
--- Comment #5 from Ralf Haferkamp

https://bugzilla.novell.com/show_bug.cgi?id=662949#c
--- Comment from Jiří Suchomel

https://bugzilla.novell.com/show_bug.cgi?id=662949#c6
--- Comment #6 from Jiří Suchomel

https://bugzilla.novell.com/show_bug.cgi?id=662949#c7
--- Comment #7 from Ralf Haferkamp
> Hopefully done. Please test with yast2-ldap-2.20.0 and yast2-ldap-client-2.20.6

Basically this seems to work now, thanks.

(I did not play with that unbind part yet.) Hm, I just noticed that if I disable TLS/SSL (which is only possible when configuring nss_ldap instead of sssd), click "Fetch DN" and after that re-enable TLS, download a valid CA and click "Fetch DN" again, the ldap-client module doesn't reconnect to the LDAP Server; it just continues using the old unencrypted LDAP connection. This can be problematic if e.g. the LDAP Server restricts access to certain parts of the tree depending on whether the client uses encryption or not. I think unbinding the existing connection after the TLS settings were changed is the right thing to do.
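The reconnection problem described in comments #3 and #7, as an added example that is not part of the bug thread or of the YaST/ldap-agent code: a cached connection handle that outlives a change of the TLS settings keeps every later operation on the old, unencrypted session, while a client that unbinds on a settings change is forced to reconnect with the new settings and the newly downloaded CA. The classes, the fake LDAP handle, the host name and the CA path are all constructed for this example; only the libldap option named in the comment is real.

```python
# Added example (not from the bug thread or the YaST code base): a minimal model
# of the connection caching discussed in comment #7, with a fake LDAP handle so
# it runs offline. Class and method names are assumptions made for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class TlsSettings:
    """TLS-related client settings; any change here must invalidate the session."""
    use_tls: bool
    ca_file: Optional[str] = None


class FakeLdapHandle:
    """Stand-in for a libldap handle (constructed for the example; no network)."""
    _next_id = 0

    def __init__(self, server: str, tls: TlsSettings):
        FakeLdapHandle._next_id += 1
        self.handle_id = FakeLdapHandle._next_id
        self.server = server
        self.tls = tls
        self.bound = True

    @property
    def encrypted(self) -> bool:
        return self.tls.use_tls

    def unbind(self) -> None:
        self.bound = False

    def search_base_dn(self) -> str:
        # A real server may restrict what an unencrypted session can see
        # (comment #7); model that by tagging the result with the session type.
        tag = "tls" if self.encrypted else "plain"
        return f"dc=example,dc=com;{tag}"


class ReusingClient:
    """Behaviour reported in comment #7: the cached handle survives a TLS change."""

    def __init__(self, server: str):
        self.server = server
        self.tls = TlsSettings(use_tls=False)
        self._handle: Optional[FakeLdapHandle] = None

    def set_tls(self, tls: TlsSettings) -> None:
        self.tls = tls  # defect: the existing, possibly unencrypted handle is kept

    def _connection(self) -> FakeLdapHandle:
        if self._handle is None or not self._handle.bound:
            self._handle = FakeLdapHandle(self.server, self.tls)
        return self._handle

    def fetch_dn(self) -> str:
        """Equivalent of the "Fetch DN" button: search on whatever handle is cached."""
        return self._connection().search_base_dn()


class ResettingClient(ReusingClient):
    """Fix suggested in comment #7: unbind whenever the TLS settings change, so the
    next operation has to connect again with the new settings and CA. With real
    libldap the new context is only picked up after LDAP_OPT_X_TLS_NEWCTX is set,
    which is the "reset the libldap TLS context" step from comment #3."""

    def set_tls(self, tls: TlsSettings) -> None:
        if tls != self.tls and self._handle is not None:
            self._handle.unbind()
            self._handle = None
        self.tls = tls


def replay_comment7(client_cls) -> Tuple[str, str]:
    """Replay the sequence from comment #7: TLS off, Fetch DN, TLS on + CA, Fetch DN."""
    client = client_cls("ldap.example.com")  # constructed host name
    client.set_tls(TlsSettings(use_tls=False))
    first = client.fetch_dn()
    # Re-enable TLS with a freshly downloaded CA (constructed path).
    client.set_tls(TlsSettings(use_tls=True, ca_file="/etc/openldap/ca.pem"))
    second = client.fetch_dn()
    return first, second


if __name__ == "__main__":
    print("reusing client:  ", replay_comment7(ReusingClient))
    print("resetting client:", replay_comment7(ResettingClient))
```

The second "Fetch DN" is the check: with `ReusingClient` it still returns the `plain` view because the first handle is reused, with `ResettingClient` it returns the `tls` view because the settings change forced a new connection.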
https://bugzilla.novell.com/show_bug.cgi?id=662949#c8
--- Comment #8 from Jiří Suchomel

https://bugzilla.novell.com/show_bug.cgi?id=662949#c9
--- Comment #9 from Jiří Suchomel
OK, I'll work on it.

Package for testing is in home:jsuchome
https://bugzilla.novell.com/show_bug.cgi?id=662949#c10
--- Comment #10 from Ralf Haferkamp
> Package for testing is in home:jsuchome

Looks good. At least the "Fetch DN" thing I described in comment #7 is working now.
https://bugzilla.novell.com/show_bug.cgi?id=662949#c11
--- Comment #11 from Jiří Suchomel