[Bug 662949] New: yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file - openSUSE Bugs - openSUSE Mailing Lists

newer
[Bug 663745] New: Backport...

[Bug 662949] New: yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file

older
[Bug 669235] New: Scanner in...

bugzilla_noreply＠novell.com

7 Jan 2011 7 Jan '11

09:51

https://bugzilla.novell.com/show_bug.cgi?id=662949 https://bugzilla.novell.com/show_bug.cgi?id=662949#c0 Summary: yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file Classification: openSUSE Product: openSUSE 11.4 Version: Milestone 5 of 6 Platform: Other OS/Version: Other Status: NEW Severity: Normal Priority: P5 - None Component: YaST2 AssignedTo: jsuchome@novell.com ReportedBy: rhafer@novell.com QAContact: jsrain@novell.com Found By: Development Blocker: --- How to reproduce. 1. Copy the CA (in PEM format) used to sign the certificate of you LDAP Server to you LDAP client. 2. Start yast2-ldap-client, enter the LDAP Server Name 3. Click "download CA-Certificate". 4. Enter "file:https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

Show replies by date

bugzilla_noreply＠novell.com

7 Jan 7 Jan

11:50

New subject: [Bug 662949] yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file

https://bugzilla.novell.com/show_bug.cgi?id=662949 https://bugzilla.novell.com/show_bug.cgi?id=662949#c1 --- Comment #1 from Jiří Suchomel 2011-01-07 11:50:49 UTC --- I hope this could be achieved by fixing bug 662937, right? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

12:00

New subject: [Bug 662949] yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file

https://bugzilla.novell.com/show_bug.cgi?id=662949 https://bugzilla.novell.com/show_bug.cgi?id=662949#c2 Jiří Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |rhafer@novell.com --- Comment #2 from Jiří Suchomel 2011-01-07 12:00:01 UTC --- Please check if it was fixed with new package -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

12:26

New subject: [Bug 662949] yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file

https://bugzilla.novell.com/show_bug.cgi?id=662949 https://bugzilla.novell.com/show_bug.cgi?id=662949#c3 --- Comment #3 from Ralf Haferkamp 2011-01-07 13:26:54 CET --- (In reply to comment #1)

I hope this could be achieved by fixing bug 662937, right? Maybe. I'll check. I that didn't fix it we might need to extend the ldap-agent a bit, to be able to reset the libldap TLS context.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

12:41

New subject: [Bug 662949] yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file

https://bugzilla.novell.com/show_bug.cgi?id=662949 https://bugzilla.novell.com/show_bug.cgi?id=662949#c4 Ralf Haferkamp changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium Status|NEEDINFO |NEW CC| |jsuchome@novell.com InfoProvider|rhafer@novell.com | AssignedTo|jsuchome@novell.com |rhafer@novell.com --- Comment #4 from Ralf Haferkamp 2011-01-07 13:41:20 CET --- The bug 662937 fix is of course not enough. As /etc/openldap/ldap.conf is not yet written at that point in the workflow the LDAP library does not know where to look for the CA file. I guess we need to add additional calls to the ldap-agent to setup SSL/TLS parameters, AFAIK it doesn't provide that yet. I'll see if I can implement that somehow, lucklily ldapcpplib has that functionality already. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

10 Jan 10 Jan

12:54

New subject: [Bug 662949] yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file

https://bugzilla.novell.com/show_bug.cgi?id=662949 https://bugzilla.novell.com/show_bug.cgi?id=662949#c5 Ralf Haferkamp changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|rhafer@novell.com |jsuchome@novell.com --- Comment #5 from Ralf Haferkamp 2011-01-10 13:54:18 CET --- Implementing the TLS Settings in ldap-agent doesn't seem to be very hard. I have however a hard time integrating that into Ldap.ycp (and ldap-client) in general. As I don't know that code well enough. Would be nice if you could take a look at that. To change the TLS Settings you can use the TlsOptions Class of the LDAP C++ library (as it is available on Factory). To change the options globally (for all new LDAPConnections) you just instanciate a TlsOptions object and call the setOption like this: TlsOptions tls(); tls.setOption( TlsOptions::CACERTFILE, cacertfile ); tls.setOption( TlsOptions::CACERTDIR, cacertdir ); tls.setOption( TlsOptions::REQUIRE_CERT, TlsOptions::DEMAND ); To change the TLS Setting of an existing LDAPConnection object you need to construct the TlsOptions Object like this: TlsOptions tls = ldap->getTlsOptions(); Note, that changing the TLS options does only work before the SSL/TLS on a LDAP connection has been established (and that's probably the hard part, but there is not much I can change about that). I.e. you must change the TlsOptions before the first call to start_tls(). That means that in order to apply changed TLS settings when the LDAP agent has already established a SSL/TLS connection you need to close and destroy that connection (unbind()) and create a new one. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

13:42

New subject: [Bug 662949] yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file

https://bugzilla.novell.com/show_bug.cgi?id=662949 https://bugzilla.novell.com/show_bug.cgi?id=662949#c Jiří Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

13 Jan 13 Jan

10:53

New subject: [Bug 662949] yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file

https://bugzilla.novell.com/show_bug.cgi?id=662949 https://bugzilla.novell.com/show_bug.cgi?id=662949#c6 Jiří Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO InfoProvider| |rhafer@novell.com --- Comment #6 from Jiří Suchomel 2011-01-13 10:53:19 UTC --- Hopefully done. Please test with yast2-ldap-2.20.0 and yast2-ldap-client-2.20.6 (I did not play with that unbind part yet) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

14 Jan 14 Jan

08:55

New subject: [Bug 662949] yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file

https://bugzilla.novell.com/show_bug.cgi?id=662949 https://bugzilla.novell.com/show_bug.cgi?id=662949#c7 Ralf Haferkamp changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED InfoProvider|rhafer@novell.com | --- Comment #7 from Ralf Haferkamp 2011-01-14 09:55:57 CET --- (In reply to comment #6)

Hopefully done. Please test with yast2-ldap-2.20.0 and yast2-ldap-client-2.20.6 Basically this seems to work now, thanks.

(I did not play with that unbind part yet) Hm, I just recognized, that if I disable TLS/SSL (which is only possible when configuring nss_ldap instead of sssd), click "Fetch DN" and after that re-enable TLS, download a valid CA and click "Fetch DN" again, the ldap-client Module doesn't reconnect to the LDAP Server, it just continues using the old un-encrypted LDAP connection. This can be problematic if e.g. the LDAP Server restricts the Access to certain parts of the Tree depending on if the client uses encryption or not. I think unbinding the existing connection after the TLS Settings were changed is the right thing to do.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

09:46

New subject: [Bug 662949] yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file

https://bugzilla.novell.com/show_bug.cgi?id=662949 https://bugzilla.novell.com/show_bug.cgi?id=662949#c8 --- Comment #8 from Jiří Suchomel 2011-01-14 09:46:45 UTC --- OK, I'll work on it. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

4 Feb 4 Feb

10:48

New subject: [Bug 662949] yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file

https://bugzilla.novell.com/show_bug.cgi?id=662949 https://bugzilla.novell.com/show_bug.cgi?id=662949#c9 --- Comment #9 from Jiří Suchomel 2011-02-04 10:48:33 UTC --- (In reply to comment #8)

OK, I'll work on it.

Package for testing is in home:jsuchome -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

12:28

New subject: [Bug 662949] yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file

https://bugzilla.novell.com/show_bug.cgi?id=662949 https://bugzilla.novell.com/show_bug.cgi?id=662949#c10 --- Comment #10 from Ralf Haferkamp 2011-02-04 13:28:26 CET --- (In reply to comment #9)

Package for testing is in home:jsuchome Looks good. At least the "Fetch DN" thing I described in comment#7 is working now.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

14:21

New subject: [Bug 662949] yast2 ldap-client can't connect to SSL/TLS protected server after downloading a CA file

https://bugzilla.novell.com/show_bug.cgi?id=662949 https://bugzilla.novell.com/show_bug.cgi?id=662949#c11 Jiří Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED --- Comment #11 from Jiří Suchomel 2011-02-04 14:21:26 UTC --- Finally fixed in yast2-ldap-client-2.20.14 and yast2-ldap-2.20.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

4836

Age (days ago)

4864

Last active (days ago)

Download

12 comments

1 participants

tags

participants (1)

bugzilla_noreply＠novell.com