[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP cannot start if some TLS cert value gets invalid

To: Nick Milas <nick@eurobjects.com>
Subject: Re: OpenLDAP cannot start if some TLS cert value gets invalid
From: Michael StrÃder <michael@stroeder.com>
Date: Sun, 12 Feb 2012 22:58:37 +0100
Cc: openldap-technical <openldap-technical@openldap.org>
In-reply-to: <4F38129D.5030106@eurobjects.com>
References: <4F37CBAA.80508@eurobjects.com> <4F37D98A.2090808@stroeder.com> <4F38129D.5030106@eurobjects.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20120129 Firefox/10.0 SeaMonkey/2.7

Nick Milas wrote:

On 12/2/2012 5:23 ÎÎ, Michael StrÃder wrote:

No! If one configures TLS support OpenLDAP must not start if any parameter
has an invalid value. One could think about starting solely with LDAPI
support to make back-config accessible.


Thanks Michael,

Let me ask, for clarification: If we have configured correctly TLS support,
and yet we bind like: "ldapsearch -H ldap://"; but not using -ZZ, this doesn't
mean that we will have a simple non-encrypted connection?

But what to do if a server configuration requires use of an encryptedconnection? You're suggestion would require to temporarily enable encryptedconnections which opens another can of worms.

In general I'm against adding more complexity to an implementation to*recover* from serious admin faults. I'm in favour of solely adding parametervalidation to prevent admin faults. But this works only to some extent.

IMO your operational procedure should mandate that slapd has to be restarted
to test if any parameter was changed which affects startup. Or better in
your operational concept define a white-list of parameters allowed to be
changed via back-config without restart.


Any starting point for creating such a white-list of parameters?


The TLS parameters? ;-)

This ITS might also be interpreted that back-config should validate whether
all the TLS-related files are actually readable. But this is tricky because
slapd drops privileges after startup and at least the private key file is
likely not be readable by the slapd demon user.


A question on this: If the private cert is owned by root:root (and OpenLDAP
runs under ldap) (chmod 640 or 600 for security), my experience shows that
OpenLDAP will not read them (in CentOS, it is usually in
"/etc/pki/tls/private". So, I am using a copy of the private key, owned only
by ldap user, to make it readable by OpenLDAP. Should/could I do something
different?

Yes, you're right. slapd's demon user already needs read access to the privatekey file. I've mixed it up with Apache's behaviour where the private key filecan be owned by root and have permission 0600.

So back-config could check whether the TLS file parameter point to correctfiles (certs and keys) and refuse to change the attribute value. Still you canshoot yourself in the foot by moving away the files afterwards...


Ciao, Michael.

Follow-Ups:
- Re: OpenLDAP cannot start if some TLS cert value gets invalid
  - From: Nick Milas <nick@eurobjects.com>

References:
- OpenLDAP cannot start if some TLS cert value gets invalid
  - From: Nick Milas <nick@eurobjects.com>
- Re: OpenLDAP cannot start if some TLS cert value gets invalid
  - From: Michael StrÃder <michael@stroeder.com>
- Re: OpenLDAP cannot start if some TLS cert value gets invalid
  - From: Nick Milas <nick@eurobjects.com>

Prev by Date: Re: OpenLDAP cannot start if some TLS cert value gets invalid
Next by Date: Re: OpenLDAP cannot start if some TLS cert value gets invalid
Index(es):
- Chronological
- Thread