
Re: Regression after ITS#8427 fix with back-ldap



On Wed, Jul 10, 2019 at 04:48:55PM +0000, hyc@symas.com wrote:
> ondra@mistotebe.net wrote:
>> On Thu, Jun 27, 2019 at 08:08:19PM +0000, a.chelouah@gmail.com wrote:
>>> Hello,
>>>
>>> Commit 6f623dfa1ca65698c19ccc6c058cd170e633384e fixing ITS#8427 (Set up 
>>> TLS settings on each reconnection) introduces a regression when the proxy 
>>> connects to the backend LDAP server via ldaps://
>>>
>>> The relevant part of my config is:
>>>
>>> dn: olcDatabase={2}ldap,cn=config
>>> objectClass: olcDatabaseConfig
>>> objectClass: olcLDAPConfig
>>> olcDatabase: {2}ldap
>>> olcSuffix: dc=local
>>> olcDbURI: ldaps://ldap.local
>>> olcDbChaseReferrals: TRUE
>>> olcDbRebindAsUser: TRUE
>>> olcDbIDAssertBind: bindmethod=none tls_cacert=/etc/pki/tls/certs/ca.crt
>>> olcDbIDAssertAuthzFrom: "*"
>>>
>>> (I also tried by setting LDAPTLS_CACERT env var when starting slapd)
>>>
>>> On the backend LDAP server logs, I get the message "TLS negotiation failure"
>> 
>> I've set up a test script here
>> https://github.com/mistotebe/openldap/tree/its8427-regression
>> 
>> This runs without issues but if you replace olcDbStartTLS with an
>> analogous olcDbIDAssertBind in the configs, it seems the CA certificate
>> is not set for the connection.
> 
> Then this is a new bug. Clearly the idassert-bind option takes tls_cacert
> as a parameter, so if it is provided it is expected to be used.

Sure, on idassert connections only, though. When does back-ldap use one?
I want to edit the linked script to exercise that so we have a decent
test for this now.

>> I guess we've introduced a behaviour change with ITS#8427, not sure what
>> the documentation implies should happen in these cases, whether the new
>> behaviour is inconsistent with it or you've been relying on incorrect
>> behaviour that has since been corrected.

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP