Debian Bug report logs - #512693
slapd - ldap proxy with tls enforces cert check even if disabled


Package: slapd; Maintainer for slapd is Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>; Source for slapd is src:openldap.

Reported by: Bastian Blank <waldi@debian.org>

Date: Thu, 22 Jan 2009 21:15:56 UTC

Severity: important

Tags: patch

Found in version openldap/2.4.11-1

Done: Matthijs Möhlmann <matthijs@cacholong.nl>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#512693; Package slapd. (Thu, 22 Jan 2009 21:15:59 GMT)

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
New Bug report received and forwarded. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Thu, 22 Jan 2009 21:16:24 GMT)

Message #5 received at submit@bugs.debian.org:

From: Bastian Blank <waldi@debian.org>
To: submit@bugs.debian.org
Subject: slapd - ldap proxy with tls enforces cert check even if disabled
Date: Thu, 22 Jan 2009 22:12:38 +0100
Package: slapd
Version: 2.4.11-1
Severity: important

I configured slapd to work as an LDAP proxy. Because of some problems
with the certs of the upstream server, I decided to disable cert checks
for now.

| database        ldap
| suffix          "o=Example"
| uri             "ldaps://jura1.example.com/"
| tls             ldaps tls_reqcert=never
| protocol-version 3

One authenticated request works:

| $ ldapsearch -h localhost -x -W "cn=blank"
| Enter LDAP Password:
| # extended LDIF
| #
| # LDAPv3
| # base <o=Example> (default) with scope subtree
| # filter: cn=blank
| # requesting: ALL
[...]
| # search result
| search: 2
| result: 0 Success
| 
| # numResponses: 5

The second fails:

| $ ldapsearch -h localhost -x -W "cn=blank"
| Enter LDAP Password:
| ldap_bind: Server is unavailable (52)
|         additional info: Proxy operation retry failed

The slapd log shows:

| TLS: peer cert untrusted or revoked (0x42)
| send_ldap_result: conn=1 op=0 p=3
| send_ldap_result: err=52 matched="" text="Proxy operation retry failed"
| send_ldap_response: msgid=1 tag=97 err=52

This shows that the peer cert check value is somehow changed to one of
the enforcing ones.

Bastian

-- 
Wait!  You have not been prepared!
		-- Mr. Atoz, "Tomorrow is Yesterday", stardate 3113.2
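An added configuration audit, written for this page rather than taken from OpenLDAP or Debian: it parses the back-ldap stanza quoted in the report, classifies its tls_reqcert level by the meaning ldap.conf(5) gives it, and checks a hardened variant that pins the upstream CA with tls_cacert instead of disabling verification (the CA file path is a placeholder).

```python
# Levels from ldap.conf(5)/slapd-ldap(5): only demand and hard reject a bad or
# missing upstream certificate; never/allow/try let the connection proceed.
ENFORCING = {"demand", "hard"}

# Constructed sample: the stanza from the bug report, plus a hardened variant.
WEAK_CONF = """\
database        ldap
suffix          "o=Example"
uri             "ldaps://jura1.example.com/"
tls             ldaps tls_reqcert=never
protocol-version 3
"""
HARDENED_CONF = WEAK_CONF.replace(
    "tls_reqcert=never", "tls_reqcert=demand tls_cacert=/PLACEHOLDER/upstream-ca.pem")

def parse_backends(conf_text):
    """Return one dict per 'database ldap' block: plain directives plus parsed tls options."""
    backends, cur = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "database":                   # a new database stanza starts here
            cur = {"tls": {}} if val.lower() == "ldap" else None
            if cur is not None:
                backends.append(cur)
        elif cur is not None and key == "tls":  # 'ldaps tls_reqcert=never tls_cacert=...'
            toks = val.split()
            cur["tls"]["mode"] = toks[0]
            for tok in toks[1:]:
                name, _, value = tok.partition("=")
                cur["tls"][name.lower()] = value
        elif cur is not None:
            cur[key] = val
    return backends

def audit(conf_text):
    """Return (suffix, uri, verdict) per back-ldap stanza; verdict starts with ok/weak/unset."""
    findings = []
    for b in parse_backends(conf_text):
        level = b["tls"].get("tls_reqcert")
        if level is None:
            verdict = "unset: falls back to the libldap default (TLS_REQCERT demand); set it explicitly"
        elif level.lower() in ENFORCING:
            verdict = f"ok: tls_reqcert={level} verifies the upstream certificate"
        else:
            verdict = f"weak: tls_reqcert={level} accepts an unverified upstream certificate"
        findings.append((b.get("suffix", "?"), b.get("uri", "?"), verdict))
    return findings
```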




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#512693; Package slapd. (Sun, 25 Jan 2009 14:48:06 GMT)

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Sun, 25 Jan 2009 14:48:06 GMT)

Message #10 received at 512693@bugs.debian.org:

From: Bastian Blank <waldi@debian.org>
To: 512693@bugs.debian.org
Subject: Re: Bug#512693: slapd - ldap proxy with tls enforces cert check even if disabled
Date: Sun, 25 Jan 2009 15:42:16 +0100
tags 512693 patch
thanks

Reason found. In ldap_back_prepare_conn the tls settings are applied via
a bindconf_tls_set call _once_, while the settings are per connection.
The attached patch changes this to apply the settings for each
connection.

There is similar code in servers/slapd/config.c, which may also need to be
changed.

Bastian
[diff (text/plain, attachment)]

Tags added: patch Request was from Bastian Blank <waldi@debian.org> to control@bugs.debian.org. (Sun, 25 Jan 2009 14:48:08 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#512693; Package slapd. (Sun, 25 Jan 2009 17:27:05 GMT)

Acknowledgement sent to Quanah Gibson-Mount <quanah@zimbra.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Sun, 25 Jan 2009 17:27:05 GMT)

Message #17 received at 512693@bugs.debian.org:

From: Quanah Gibson-Mount <quanah@zimbra.com>
To: Bastian Blank <waldi@debian.org>, 512693@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#512693: slapd - ldap proxy with tls enforces cert check even if disabled
Date: Sun, 25 Jan 2009 09:26:00 -0800
--On Sunday, January 25, 2009 3:42 PM +0100 Bastian Blank <waldi@debian.org> wrote:

> tags 512693 patch
> thanks
>
> Reason found. In ldap_back_prepare_conn the tls settings are applied via
> a bindconf_tls_set call _once_, while the settings are per connection.
> The attached patch changes this to apply the settings for each
> connection.
>
> There is similar code in servers/slapd/config.c, which may be changed
> also.

Upstream was unable to reproduce this issue, so I'm guessing it is already 
fixed there.  I would advise using the upstream code instead of patching it 
with your own patch.

Secondly, the upstream back-ldap author noted that your configuration as 
reported in the bug seemed invalid:

----- Upstream email -----
Could not reproduce (with today's HEAD and properly configured 
client/server TLS).

I'd note that the client requests in the reported example use -W with -x 
and no -D, so they should fail since binding with a password and no DN... 
the bug report looks malformed.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team


--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#512693; Package slapd. (Sun, 25 Jan 2009 17:57:04 GMT)

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Sun, 25 Jan 2009 17:57:04 GMT)

Message #22 received at 512693@bugs.debian.org:

From: Bastian Blank <waldi@debian.org>
To: Quanah Gibson-Mount <quanah@zimbra.com>
Cc: 512693@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#512693: slapd - ldap proxy with tls enforces cert check even if disabled
Date: Sun, 25 Jan 2009 18:54:39 +0100
On Sun, Jan 25, 2009 at 09:26:00AM -0800, Quanah Gibson-Mount wrote:
> Upstream was unable to reproduce this issue, so I'm guessing it is 
> already fixed there.  I would advise using the upstream code instead of 
> patching it with your own patch.

This code is GnuTLS specific. I don't know where this code currently
comes from.

> I'd note that the client requests in the reported example use -W with -x
> and no -D, so they should fail since binding with a password and no DN...

Why? A quick check shows that libldap transforms this into an anonymous
bind without a password. But it also reads a config, which contains much
other information:

| $ cat ~/.ldaprc 
| URI ldaps://ldap.example.com
| BASE o=Example
| BINDDN cn=blank,ou=People,o=Example
| TLS_REQCERT allow

Bastian

-- 
Vulcans do not approve of violence.
		-- Spock, "Journey to Babel", stardate 3842.4




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#512693; Package slapd. (Sun, 25 Apr 2010 12:33:03 GMT)

Acknowledgement sent to Matthijs Möhlmann <matthijs@cacholong.nl>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Sun, 25 Apr 2010 12:33:03 GMT)

Message #27 received at 512693@bugs.debian.org:

From: Matthijs Möhlmann <matthijs@cacholong.nl>
To: 512693@bugs.debian.org
Subject: Re: slapd - ldap proxy with tls enforces cert check even if disabled
Date: Sun, 25 Apr 2010 14:24:27 +0200
Hi,

We have currently 2.4.21 in the archive, can you test this again? There
are a lot of improvements to the gnutls code since 2.4.11-1.

Thanks in advance.

Regards,

Matthijs Mohlmann




Reply sent to Matthijs Möhlmann <matthijs@cacholong.nl>:
You have taken responsibility. (Mon, 28 Mar 2011 09:09:08 GMT)

Notification sent to Bastian Blank <waldi@debian.org>:
Bug acknowledged by developer. (Mon, 28 Mar 2011 09:09:08 GMT)

Message #32 received at 512693-done@bugs.debian.org:

From: Matthijs Möhlmann <matthijs@cacholong.nl>
To: 512693-done@bugs.debian.org
Subject: Re: slapd - ldap proxy with tls enforces cert check even if disabled
Date: Mon, 28 Mar 2011 11:01:12 +0200
No information received in 5 months.

Closing bug report.

Regards,

Matthijs Möhlmann



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Apr 2011 07:42:25 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 19:12:39 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.