Viewing Incoming/7164
Notes: Arguments are not always pathnames. Pathnames may legitimately be created after the cn=config change. Admins are expected to know WTF they're doing.
Date: Mon, 13 Feb 2012 18:44:04 +0000
From: nick@eurobjects.com
To: openldap-its@OpenLDAP.org
Subject: Prevent change of TLS setting if invalid (Dynamic Config)
Full_Name: Nikolaos Milas
Version: 2.4.28
OS: CentOS 5.7
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (94.65.22.12)

If, in a working OpenLDAP installation with dynamic configuration, we inadvertently change the value of:

olcTLSCertificateKeyFile: /path/to/key.pem

to some invalid value, like:

olcTLSCertificateKeyFile: /path/to/non/existing/key.pem

then OpenLDAP Server continues to work (and we see no error message whatsoever), but if it is stopped, it refuses to restart. In the logs, while OpenLDAP is starting, we see:

Feb 11 16:20:44 vdev slapd[15272]: main: TLS init def ctx failed: -1

and then the service is immediately stopped.

OpenLDAP Server should check whether the new parameter value points to an existing file, and, if not, it should refuse to change the attribute value. For a more complete procedure, it could also check whether the indicated file includes a valid certificate, suitable for this parameter, and, again, if not, it should refuse to change the attribute value.

Also, in case it's possible that one of the TLS File parameters gets an invalid value (e.g. through slapadd), then a meaningful message during startup failure would be helpful, e.g.:

"olcTLSCertificateKeyFile: File /path/to/key.pem not found or contains invalid certificate."
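A pre-restart check along the lines the report asks for, added here as an example and not OpenLDAP's own code: it reads the olcGlobal TLS file attributes out of an LDIF copy of cn=config (for instance slapd.d/cn=config.ldif or an ldapsearch export) and flags absolute paths that do not exist, while respecting the maintainer's note above that the argument is not always a pathname and that a missing file may legitimately be created later. The attribute names are the real cn=config ones; the sample LDIF, its paths and the `exists` hook are constructed for the example.

```python
import base64
import os
import re

# olcGlobal attributes whose value normally names a file on disk.
TLS_FILE_ATTRS = ("olcTLSCACertificateFile", "olcTLSCertificateFile",
                  "olcTLSCertificateKeyFile", "olcTLSDHParamFile")

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def tls_file_values(ldif_text):
    """Map each TLS file attribute to its value; handles 'attr: v' and base64 'attr:: v'."""
    found = {}
    for line in unfold_ldif(ldif_text):
        m = re.match(r"^([A-Za-z0-9-]+)(::?) ?(.*)$", line)
        if not m or m.group(1) not in TLS_FILE_ATTRS:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        found[attr] = value.strip()
    return found

def check_tls_files(ldif_text, exists=os.path.isfile):
    """Classify each TLS file setting as 'ok', 'missing' or 'unchecked' (not an absolute path:
    the argument is not always a pathname). 'missing' is a warning: the file may be created later."""
    report = {}
    for attr, value in tls_file_values(ldif_text).items():
        if not value.startswith("/"):
            report[attr] = (value, "unchecked")
        else:
            report[attr] = (value, "ok" if exists(value) else "missing")
    return report

# Constructed cn=config sample: the key path names a non-existent file (the case in the
# report), the key line is folded and the CA path is base64-encoded, as LDIF exports may be.
SAMPLE_CONFIG_LDIF = """dn: cn=config
olcTLSCertificateFile: /etc/openldap/certs/server.pem
olcTLSCertificateKeyFile: /path/to/non/existing/
 key.pem
olcTLSCACertificateFile:: L2V0Yy9vcGVubGRhcC9jZXJ0cy9jYS5wZW0=
"""
```

Run `check_tls_files(open("/etc/openldap/slapd.d/cn=config.ldif").read())` (path assumed) on the real host and review every 'missing' entry before stopping slapd; a 'missing' key file is exactly the state that produced the "TLS init def ctx failed" startup failure above.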
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org