
Re: Regression after ITS#8427 fix with back-ldap




On 09/07/2019 at 14:14, ondra@mistotebe.net wrote:
> On Thu, Jun 27, 2019 at 08:08:19PM +0000, a.chelouah@gmail.com wrote:
>> Hello,
>>
>> Commit 6f623dfa1ca65698c19ccc6c058cd170e633384e fixing ITS#8427 (Set up
>> TLS settings on each reconnection) introduces a regression when the proxy
>> connects to the backend ldap server via ldaps://
>>
>> The relevant part of my config is:
>>
>> dn: olcDatabase={2}ldap,cn=config
>> objectClass: olcDatabaseConfig
>> objectClass: olcLDAPConfig
>> olcDatabase: {2}ldap
>> olcSuffix: dc=local
>> olcDbURI: ldaps://ldap.local
>> olcDbChaseReferrals: TRUE
>> olcDbRebindAsUser: TRUE
>> olcDbIDAssertBind: bindmethod=none tls_cacert=/etc/pki/tls/certs/ca.crt
>> olcDbIDAssertAuthzFrom: "*"
>>
>> (I also tried by setting LDAPTLS_CACERT env var when starting slapd)
>>
>> On backend ldap server logs, I get the message "TLS negociation failure"
> I've set up a test script here
> https://github.com/mistotebe/openldap/tree/its8427-regression
>
> This runs without issues but if you replace olcDbStartTLS with an
> analogous olcDbIDAssertBind in the configs, it seems the CA certificate
> is not set for the connection.
>
> I guess we've introduced a behaviour change with ITS#8427, not sure what
> the documentation implies should happen in these cases, whether the new
> behaviour is inconsistent with it or you've been relying on incorrect
> behaviour that has since been corrected.
>
> Regards,
>
I confirm that using the configuration

dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcSuffix: dc=local
olcDbURI: ldaps://ldap.local
olcDbChaseReferrals: TRUE
olcDbRebindAsUser: TRUE
olcDbIDAssertAuthzFrom: "*"
olcDbStartTLS: ldaps tls_cacert=/etc/pki/tls/certs/ca.crt

i.e., removing olcDbIDAssertBind, the test runs without issue.

Regards.
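The two configurations in this thread differ only in where `tls_cacert` is given for the ldaps:// backend: in `olcDbIDAssertBind` (CA not applied after the ITS#8427 change) versus in `olcDbStartTLS` (works). The following is an added example, not code from the thread or from OpenLDAP: a small checker that parses a back-ldap database entry in LDIF form and flags the pattern that lost its CA certificate. The two sample entries are constructed to mirror the ones posted above; the "move it to olcDbStartTLS" advice reflects what the thread observed to work, not a documented guarantee.

```python
# Added example (not from the thread or from OpenLDAP): lint a back-ldap
# olcDatabase entry for the TLS CA placement discussed in the thread.
# The two sample entries below are constructed to mirror the posted configs.

FAILING_CONFIG = """\
dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcSuffix: dc=local
olcDbURI: ldaps://ldap.local
olcDbChaseReferrals: TRUE
olcDbRebindAsUser: TRUE
olcDbIDAssertBind: bindmethod=none tls_cacert=/etc/pki/tls/certs/ca.crt
olcDbIDAssertAuthzFrom: "*"
"""

WORKING_CONFIG = """\
dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcSuffix: dc=local
olcDbURI: ldaps://ldap.local
olcDbChaseReferrals: TRUE
olcDbRebindAsUser: TRUE
olcDbIDAssertAuthzFrom: "*"
olcDbStartTLS: ldaps tls_cacert=/etc/pki/tls/certs/ca.crt
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Handles LDIF line folding (continuation lines start with a space) and
    skips blank lines and '#' comments. Base64 values (':: ') are not needed
    for these attributes and are left undecoded.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # folded continuation line
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def parse_options(value):
    """Split a 'key=val key2=val2 flag' option string into a dict.

    Bare tokens (such as the 'ldaps' mode of olcDbStartTLS) map to None.
    """
    opts = {}
    for token in value.split():
        key, sep, val = token.partition("=")
        opts[key] = val if sep else None
    return opts


def check_backend_tls(entry_text):
    """Return a list of findings for a back-ldap database entry.

    A finding is raised when the backend URI is ldaps:// and tls_cacert is
    present only in olcDbIDAssertBind (the pattern that lost its CA in the
    thread), or when no tls_cacert is configured at all.
    """
    attrs = parse_ldif_entry(entry_text)
    findings = []

    uris = attrs.get("olcDbURI", [])
    if not any(u.lower().startswith("ldaps://") for u in uris):
        return findings                     # nothing to check for plain ldap://

    starttls_opts = parse_options(attrs.get("olcDbStartTLS", [""])[0])
    idassert_opts = parse_options(attrs.get("olcDbIDAssertBind", [""])[0])

    if "tls_cacert" in starttls_opts:
        return findings                     # CA set on the database-level TLS config

    if "tls_cacert" in idassert_opts:
        findings.append(
            "tls_cacert is set only in olcDbIDAssertBind; move it to "
            "'olcDbStartTLS: ldaps tls_cacert=...' so the backend "
            "connection verifies the server certificate"
        )
    else:
        findings.append("ldaps:// backend without tls_cacert in olcDbStartTLS")
    return findings


if __name__ == "__main__":
    for label, cfg in (("failing", FAILING_CONFIG), ("working", WORKING_CONFIG)):
        print(label, check_backend_tls(cfg) or ["ok"])
```

Run it against `slapcat -n 0` output filtered to the back-ldap entry to spot proxies whose backend CA lives only in the identity-assertion options.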