Debian Bug report logs - #512693
slapd - ldap proxy with tls enforces cert check even if disabled
Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>: Bug#512693; Package slapd. (Thu, 22 Jan 2009 21:15:59 GMT)
Acknowledgement sent to Bastian Blank <waldi@debian.org>: New Bug report received and forwarded. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Thu, 22 Jan 2009 21:16:24 GMT)
Message #5 received at submit@bugs.debian.org (full text, mbox):
Package: slapd
Version: 2.4.11-1
Severity: important
I configured slapd to work as an ldap proxy. Because of some problems
with the certs of the upstream server, I decided to disable cert checks
for now.
| database ldap
| suffix "o=Example"
| uri "ldaps://jura1.example.com/"
| tls ldaps tls_reqcert=never
| protocol-version 3
One authenticated request works:
| $ ldapsearch -h localhost -x -W "cn=blank"
| Enter LDAP Password:
| # extended LDIF
| #
| # LDAPv3
| # base <o=Example> (default) with scope subtree
| # filter: cn=blank
| # requesting: ALL
[...]
| # search result
| search: 2
| result: 0 Success
|
| # numResponses: 5
The second fails:
| $ ldapsearch -h localhost -x -W "cn=blank"
| Enter LDAP Password:
| ldap_bind: Server is unavailable (52)
| additional info: Proxy operation retry failed
The slapd log shows:
| TLS: peer cert untrusted or revoked (0x42)
| send_ldap_result: conn=1 op=0 p=3
| send_ldap_result: err=52 matched="" text="Proxy operation retry failed"
| send_ldap_response: msgid=1 tag=97 err=52
This shows that the peer cert check value is somehow changed to one of
the enforcing ones.
Bastian
--
Wait! You have not been prepared!
-- Mr. Atoz, "Tomorrow is Yesterday", stardate 3113.2
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>: Bug#512693; Package slapd. (Sun, 25 Jan 2009 14:48:06 GMT)
Acknowledgement sent to Bastian Blank <waldi@debian.org>: Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Sun, 25 Jan 2009 14:48:06 GMT)
Message #10 received at 512693@bugs.debian.org (full text, mbox):
tags 512693 patch
thanks
Reason found. In ldap_back_prepare_conn the tls settings are applied via
a bindconf_tls_set call _once_, while the settings are per connection.
The attached patch changes this to apply the settings for each
connection.
There is similar code in servers/slapd/config.c, which may be changed
also.
Bastian
[diff (text/plain, attachment)]
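As an added illustration of the root cause this message describes (a constructed Python model, not slapd or back-ldap code; the class and function names are assumptions): when per-connection TLS options are applied only once, every connection after the first falls back to the default, enforcing peer-certificate check and fails with result 52 against an untrusted upstream cert.

```python
"""Simulation of the back-ldap TLS-settings bug described in this report.

Constructed model, not slapd code: TLS options are per connection, but the
buggy prepare_conn applies them only once (the single bindconf_tls_set call
the message above describes), so every later connection runs with the
libldap default of demanding a trusted peer certificate.
"""
from dataclasses import dataclass
from typing import List

LDAP_UNAVAILABLE = 52  # "Server is unavailable (52)", as seen in the report


@dataclass
class Upstream:
    """Constructed upstream server; cert_trusted=False mimics the broken cert."""
    cert_trusted: bool = False


@dataclass
class Connection:
    """One proxied connection. Default reqcert is 'demand', like libldap."""
    reqcert: str = "demand"

    def bind(self, upstream: Upstream) -> int:
        # 'never' skips the peer check; any other setting enforces it.
        if self.reqcert != "never" and not upstream.cert_trusted:
            return LDAP_UNAVAILABLE
        return 0


class Proxy:
    def __init__(self, tls_reqcert: str, apply_once: bool):
        self.tls_reqcert = tls_reqcert
        self.apply_once = apply_once  # True reproduces the bug
        self._applied = False

    def prepare_conn(self) -> Connection:
        conn = Connection()
        if not (self.apply_once and self._applied):
            conn.reqcert = self.tls_reqcert  # the bindconf_tls_set equivalent
            self._applied = True
        return conn


def run_requests(proxy: Proxy, upstream: Upstream, n: int) -> List[int]:
    """Return the result code of each of n successive proxied binds."""
    return [proxy.prepare_conn().bind(upstream) for _ in range(n)]
```

With `apply_once=True` the sequence is `[0, 52]`, matching the report's working first request and failing second; with the per-connection fix every request returns 0.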
Tags added: patch. Request was from Bastian Blank <waldi@debian.org> to control@bugs.debian.org. (Sun, 25 Jan 2009 14:48:08 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>: Bug#512693; Package slapd. (Sun, 25 Jan 2009 17:27:05 GMT)
Acknowledgement sent to Quanah Gibson-Mount <quanah@zimbra.com>: Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Sun, 25 Jan 2009 17:27:05 GMT)
Message #17 received at 512693@bugs.debian.org (full text, mbox):
--On Sunday, January 25, 2009 3:42 PM +0100 Bastian Blank
<waldi@debian.org> wrote:
> tags 512693 patch
> thanks
>
> Reason found. In ldap_back_prepare_conn the tls settings are applied via
> a bindconf_tls_set call _once_, while the settings are per connection.
> The attached patch changes this to apply the settings for each
> connection.
>
> There is similar code in servers/slapd/config.c, which may be changed
> also.
Upstream was unable to reproduce this issue, so I'm guessing it is already
fixed there. I would advise using the upstream code instead of patching it
with your own patch.
Secondly, the upstream back-ldap author noted that your configuration as
reported in the bug seemed invalid:
----- Upstream email -----
Could not reproduce (with today's HEAD and properly configured
client/server TLS).
I'd note that the client requests in the reported example use -W with -x
and no -D, so they should fail since binding with a password and no DN...
the bug report looks malformed.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>: Bug#512693; Package slapd. (Sun, 25 Jan 2009 17:57:04 GMT)
Acknowledgement sent to Bastian Blank <waldi@debian.org>: Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Sun, 25 Jan 2009 17:57:04 GMT)
Message #22 received at 512693@bugs.debian.org (full text, mbox):
On Sun, Jan 25, 2009 at 09:26:00AM -0800, Quanah Gibson-Mount wrote:
> Upstream was unable to reproduce this issue, so I'm guessing it is
> already fixed there. I would advise using the upstream code instead of
> patching it with your own patch.
This code is GnuTLS specific. I don't know where this code currently
comes from.
> I'd note that the client requests in the reported example use -W with -x
> and no -D, so they should fail since binding with a password and no DN...
Why? A quick check shows that libldap transforms this into an anonymous
bind without a password. But it also reads a config, which contains much
other information:
| $ cat ~/.ldaprc
| URI ldaps://ldap.example.com
| BASE o=Example
| BINDDN cn=blank,ou=People,o=Example
| TLS_REQCERT allow
Bastian
--
Vulcans do not approve of violence.
-- Spock, "Journey to Babel", stardate 3842.4
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Feb 9 19:47:43 2010; Machine Name: busoni.debian.org
Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.