Software Bugs/6419 (ITS#6419)
Notes: Fixed in HEAD; Fixed in RE24
Date: Mon, 07 Dec 2009 14:24:17 +0000
From: rhafer@suse.de
To: openldap-its@OpenLDAP.org
Subject: bindconf parser doesn't apply tls-defaults as documented

Full_Name: Ralf Haferkamp
Version: 2.4.20, HEAD
OS: any
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (92.252.43.63)

The bindconf parser is used in a few places where remote connections to other servers are to be configured (syncrepl, back-ldap, ...). The documented behavior is (from the syncrepl section in slapd-config(5)):

"The tls_reqcert setting defaults to "demand" and the other TLS settings default to the same as the main slapd TLS settings."

This does however only seem to work if at least one of the "tls_" settings appears in the bindconf. E.g. the following syncrepl config doesn't have any "tls_" setting and should, according to the man page, work as if "tls_reqcert=demand" was set. However, the actual behavior is like "tls_reqcert=never".

------------------------------------
olcSyncrepl: {0}rid=1 provider="ldap://master/" searchbase="dc=test"
type="refreshAndPersist" starttls=critical bindmethod="simple"
binddn="uid=syncrepl,dc=test" credentials="XXXXXX"
------------------------------------

Question is if this is a bug in the documentation or in the code. I think it's the latter.
Date: Mon, 07 Dec 2009 12:21:18 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: rhafer@suse.de, openldap-its@openldap.org
Subject: Re: (ITS#6419) bindconf parser doesn't apply tls-defaults as documented

--On Monday, December 07, 2009 2:24 PM +0000 rhafer@suse.de wrote:

> ------------------------------------
> olcSyncrepl: {0}rid=1 provider="ldap://master/" searchbase="dc=test"
> type="refreshAndPersist" starttls=critical bindmethod="simple"
> binddn="uid=syncrepl,dc=test" credentials="XXXXXX"
> ------------------------------------
>
> Question is if this is a bug in the documentation or in the code. I think
> it's the latter.

Howard believes this is fixed in head with servers/slapd/config.c 1.508 -> 1.509. Can you please test and let us know the result?

Thanks!

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
From: Ralf Haferkamp <rhafer@suse.de>
To: quanah@zimbra.com
Subject: Re: (ITS#6419) bindconf parser doesn't apply tls-defaults as documented
Date: Tue, 8 Dec 2009 10:37:15 +0100
Cc: openldap-its@openldap.org

On Monday 07 December 2009 21:22:08, quanah@zimbra.com wrote:
> --On Monday, December 07, 2009 2:24 PM +0000 rhafer@suse.de wrote:
> > ------------------------------------
> > olcSyncrepl: {0}rid=1 provider="ldap://master/" searchbase="dc=test"
> > type="refreshAndPersist" starttls=critical bindmethod="simple"
> > binddn="uid=syncrepl,dc=test" credentials="XXXXXX"
> > ------------------------------------
> >
> > Question is if this is a bug in the documentation or in the code. I think
> > it's the latter.
>
> Howard believes this is fixed in head with servers/slapd/config.c 1.508 ->
> 1.509. Can you please test and let us know the result?

It solves the problem only partially. It still doesn't work when using "ldaps://" URIs AFAICS.

regards,
Ralf
Date: Tue, 08 Dec 2009 02:53:09 -0800
From: Howard Chu <hyc@symas.com>
To: rhafer@suse.de
CC: openldap-its@openldap.org
Subject: Re: (ITS#6419) bindconf parser doesn't apply tls-defaults as documented

rhafer@suse.de wrote:
> On Monday 07 December 2009 21:22:08, quanah@zimbra.com wrote:
>> --On Monday, December 07, 2009 2:24 PM +0000 rhafer@suse.de wrote:
>>> ------------------------------------
>>> olcSyncrepl: {0}rid=1 provider="ldap://master/" searchbase="dc=test"
>>> type="refreshAndPersist" starttls=critical bindmethod="simple"
>>> binddn="uid=syncrepl,dc=test" credentials="XXXXXX"
>>> ------------------------------------
>>>
>>> Question is if this is a bug in the documentation or in the code. I think
>>> it's the latter.
>>
>> Howard believes this is fixed in head with servers/slapd/config.c 1.508 ->
>> 1.509. Can you please test and let us know the result?
> It solves the problem only partially. It still doesn't work when using
> "ldaps://" URIs AFAICS.

The code was assuming that at least one of the other TLS config keywords would also be used in these situations. Most of the time the slapd TLS config would only be appropriate for server use, and would need to be overridden when acting as a client.

Anyway, this is now fixed in HEAD.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
From: Ralf Haferkamp <rhafer@suse.de>
To: hyc@symas.com
Subject: Re: (ITS#6419) bindconf parser doesn't apply tls-defaults as documented
Date: Tue, 8 Dec 2009 13:32:29 +0100
Cc: openldap-its@openldap.org

On Tuesday 08 December 2009 11:53:41, hyc@symas.com wrote:
> rhafer@suse.de wrote:
> > On Monday 07 December 2009 21:22:08, quanah@zimbra.com wrote:
> >> --On Monday, December 07, 2009 2:24 PM +0000 rhafer@suse.de wrote:
> >>> ------------------------------------
> >>> olcSyncrepl: {0}rid=1 provider="ldap://master/" searchbase="dc=test"
> >>> type="refreshAndPersist" starttls=critical bindmethod="simple"
> >>> binddn="uid=syncrepl,dc=test" credentials="XXXXXX"
> >>> ------------------------------------
> >>>
> >>> Question is if this is a bug in the documentation or in the code. I
> >>> think it's the latter.
> >>
> >> Howard believes this is fixed in head with servers/slapd/config.c 1.508
> >> -> 1.509. Can you please test and let us know the result?
> >
> > It solves the problem only partially. It still doesn't work when using
> > "ldaps://" URIs AFAICS.
>
> The code was assuming that at least one of the other TLS config keywords
> would also be used in these situations. Most of the time the slapd TLS
> config would only be appropriate for server use, and would need to be
> overridden when acting as a client.
>
> Anyway, this is now fixed in HEAD.

Confirmed.

--
Ralf
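A constructed C model of the defaulting bug this thread describes, added here as an illustration and not OpenLDAP's own code: effective_reqcert() parses a bindconf-style line and returns the tls_reqcert a consumer would actually enforce under the original logic (defaults only when some other tls_ keyword is present), after the partial fix in config.c 1.509 (starttls covered, ldaps:// not), and after the HEAD fix. The enum and function names, the fixed buffer, and treating an unset value as "never" are assumptions of this model.

```c
#include <string.h>

/* Constructed model of the ITS#6419 defaulting logic; these types and
 * functions are hypothetical illustrations, not slapd's config.c code. */
enum reqcert  { RC_NEVER, RC_ALLOW, RC_TRY, RC_DEMAND, RC_UNSET };
enum fixlevel { BUGGY, PARTIAL, FIXED };

/* The olcSyncrepl value posted in the report (credentials placeholder as posted). */
const char *ITS6419_SYNCREPL =
    "{0}rid=1 provider=\"ldap://master/\" searchbase=\"dc=test\" "
    "type=\"refreshAndPersist\" starttls=critical bindmethod=\"simple\" "
    "binddn=\"uid=syncrepl,dc=test\" credentials=\"XXXXXX\"";

static enum reqcert parse_reqcert(const char *v)
{
    if (!strcmp(v, "never")) return RC_NEVER;
    if (!strcmp(v, "allow")) return RC_ALLOW;
    if (!strcmp(v, "try"))   return RC_TRY;
    return (!strcmp(v, "demand") || !strcmp(v, "hard")) ? RC_DEMAND : RC_UNSET;
}

/* Parse key=value tokens and return the tls_reqcert that would actually be
 * enforced at connect time. An unset value degrades to "never": the symptom
 * described in the report. */
enum reqcert effective_reqcert(const char *line, enum fixlevel level)
{
    enum reqcert rc = RC_UNSET;
    int saw_tls_keyword = 0, starttls = 0, ldaps = 0, apply;
    char buf[512], *tok, *val;
    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (!(val = strchr(tok, '='))) continue;
        *val++ = '\0';
        if (*val == '"') { val++; val[strcspn(val, "\"")] = '\0'; } /* unquote */
        if (!strncmp(tok, "tls_", 4)) saw_tls_keyword = 1;
        if (!strcmp(tok, "tls_reqcert"))   rc = parse_reqcert(val);
        else if (!strcmp(tok, "starttls")) starttls = strcmp(val, "no") != 0;
        else if (!strcmp(tok, "provider")) ldaps = !strncmp(val, "ldaps://", 8);
    }
    /* BUGGY: defaults applied only if some other tls_ keyword was given.
     * PARTIAL (config.c 1.508 -> 1.509): also when starttls is set.
     * FIXED (HEAD): whenever TLS will be used, including ldaps:// URIs. */
    apply = (level == BUGGY)   ? saw_tls_keyword
          : (level == PARTIAL) ? (saw_tls_keyword || starttls)
          :                      (saw_tls_keyword || starttls || ldaps);
    if (apply && rc == RC_UNSET) rc = RC_DEMAND;   /* documented default */
    return rc == RC_UNSET ? RC_NEVER : rc;
}
```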
______________ © Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org