Re: dsconf broken for ldaps instances in 1.4.3 but working in 1.4.2

Hi William,


>>>> sed -i -e 's/ldap.OPT_X_TLS_HARD/ldap.OPT_X_TLS_NEVER/'
>>>> /usr/lib/python3.6/site-packages/lib389/__init__.py
>>>> sed -i -e 's/ldap.OPT_X_TLS_HARD/ldap.OPT_X_TLS_NEVER/'
>>>> /usr/lib/python3.6/site-packages/lib389/cli_base/dsrc.py
> 
> You don't need to do this. You can set tls_reqcert = never in your dsrc file.
> You do not need to edit the lib389 source code.

Yep, thanks! Indeed, if I put a custom cacertdir with the correct certs, or tls_reqcert=never, into .dsrc, dsconf v1.4.3 works:
[slapd-ldaps://ldap-model.polytechnique.fr:636]
uri = ldaps://ldap-model.polytechnique.fr:636
###########tls_reqcert = never
tls_cacertdir = /tmp/tls_cacertdir

Is there any way to use a global parameter in .dsrc, without a section per server? We have several LDAP servers, all signed by the same CA; making a section per server will be a bit tedious.

> 
> Can you show us your /etc/openldap/ldap.conf please?
"ldapsearch -x -H ldaps://" works, so it is not a matter of the content of this file. By default it is empty in our case (we use commercial certificates), but I tried to point TLS_CACERT to the CA certificates that signed the server's cert. It does not fix anything for dsconf 1.4.3 (but it does influence ldapsearch and dsconf v1.4.2, of course). Here are all the tests I've done (commented #TLS_CACERT parameters):

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
#TLS_CACERT     /etc/pki/tls/cert.pem
#TLS_CACERT     /Admin/SOURCES/389/Config/CA-sectigo-intermediates-root.crt
#TLS_CACERT     /Admin/SOURCES/389/Config/GEANT-OV-RSA-CA-4.crt
#TLS_CACERT     /Admin/SOURCES/389/Config/USERTrust-RSA-Certification-Authority.crt
#TLS_CACERT     /Admin/SOURCES/389/Config/AAA-Certificate-Services.crt


I disabled TLS_CACERT, which makes OpenLDAP clients use the system PEM bundle. It works for ldapsearch and dsconf v1.4.2 but not for dsconf v1.4.3.


>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-shared-system-certificates_security-hardening
>> (by "update-ca-trust" and/or "trust anchor path.to/certificate.crt").
> 
> The system pem bundles are NOT used by openldap which means that lib389 can't
> use them. You must configure the tls_cacertdir or tls_cacert is dsrc to point
> at your CA cert.

Actually, in RHEL/CentOS they ARE used by the OpenLDAP client if TLS_CACERT is not specified explicitly. Here is a snippet of the /etc/openldap/ldap.conf file with explanations:
# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT     /etc/pki/tls/cert.pem

And it is easy to confirm that the system global bundle is indeed used, with any self-signed CA:
[root@ldap-centos8 ~]# ldapsearch -x -H ldaps://ldap-ens.polytechnique.fr  -b "" -s base
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@ldap-centos8 ~]# trust anchor /tmp/my_ca_8192.crt 
[root@ldap-centos8 ~]# ldapsearch -x -LLL  -H ldaps://ldap-ens.polytechnique.fr  -b "" -s base
dn:
objectClass: top
defaultnamingcontext: dc=id,dc=polytechnique,dc=edu
dataversion: 020201121013314020201121013314
netscapemdsuffix: cn=ldap://dc=ldap-ens,dc=polytechnique,dc=fr:389
lastusn;userroot: 33863940
lastusn;netscaperoot: -1
[root@ldap-centos8 ~]# trust anchor --remove /tmp/my_ca_8192.crt 
[root@ldap-centos8 ~]# ldapsearch -x -LLL  -H ldaps://ldap-ens.polytechnique.fr  -b "" -s base
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

But all in all, I think I start to see where the problem comes from. dsconf version 1.4.2 uses /etc/openldap/ldap.conf (which in turn uses the system PEM bundle if no TLS_CACERT is specified) for certs/CA. Starting from 1.4.3, dsconf ignores /etc/openldap/ldap.conf completely and pays attention only to its own .dsrc file. It explains everything that I see. It's a bit of a pity that there is no global section in .dsrc like in /etc/openldap/ldap.conf; one needs to create a section per LDAP server, often with the same parameters.

Thanks again for help, it's clear for me now!

Have a nice day! :)

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
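Added example (not part of the thread, and not lib389's own code): since .dsrc has no global section, a small generator can stamp one shared TLS block into every per-instance section, and an audit pass can flag sections that point at an ldaps:// URI but either set tls_reqcert = never (the debugging workaround from the thread) or name no tls_cacertdir/tls_cacert at all, so that nothing falls back on whatever /etc/openldap/ldap.conf or the system bundle happen to contain. The instance names, URIs and the /etc/openldap/cacerts path are constructed for the example; the keys uri, tls_cacertdir and tls_reqcert are the ones used in the thread. The cacertdir check relies on the OpenSSL CApath convention that lookups only see hash-named entries such as a1b2c3d4.0 (produced by openssl rehash), not a plain ca.crt dropped into the directory.

```python
import configparser
import os
import re
import tempfile
from pathlib import Path

# Constructed inventory for this example: dsrc section name -> server URI.
SERVERS = {
    "slapd-model": "ldaps://ldap-model.example.org:636",
    "slapd-ens": "ldaps://ldap-ens.example.org:636",
}

# TLS settings every section should carry (the servers share one CA).
SHARED_TLS = {
    "tls_cacertdir": "/etc/openldap/cacerts",  # assumed path, not from the thread
    "tls_reqcert": "hard",                     # keep certificate verification on
}

# OpenSSL CApath entries are named '<8 hex digits of subject hash>.<n>'.
HASHED_ENTRY = re.compile(r"^[0-9a-f]{8}\.\d+$")


def render_dsrc(servers, shared):
    """Build a ConfigParser with one section per server, each carrying the shared TLS keys."""
    cp = configparser.ConfigParser()
    for name, uri in servers.items():
        cp[name] = {"uri": uri, **shared}
    return cp


def write_dsrc(path, servers, shared):
    """Write the generated .dsrc and restrict it to the owner."""
    with open(path, "w") as fh:
        render_dsrc(servers, shared).write(fh)
    os.chmod(path, 0o600)
    return path


def audit_dsrc(path):
    """Return {section: [problems]} for ldaps sections that weaken or lack verification."""
    cp = configparser.ConfigParser()
    cp.read(path)
    findings = {}
    for name in cp.sections():
        sec = cp[name]
        if not sec.get("uri", "").startswith("ldaps://"):
            continue
        problems = []
        if sec.get("tls_reqcert", "").lower() == "never":
            problems.append("tls_reqcert = never disables server certificate checks")
        if not (sec.get("tls_cacertdir") or sec.get("tls_cacert")):
            problems.append("no tls_cacertdir/tls_cacert set for an ldaps URI")
        if problems:
            findings[name] = problems
    return findings


def check_cacertdir(cacertdir):
    """Flag a CA directory that holds files but no hash-named entries."""
    p = Path(cacertdir)
    if not p.is_dir():
        return [f"{cacertdir} is not a directory"]
    names = [e.name for e in p.iterdir()]
    if names and not any(HASHED_ENTRY.match(n) for n in names):
        return ["no hash-named entries; run 'openssl rehash' on the directory"]
    return []


def demo():
    """Generate a .dsrc in a temp dir, audit it, then audit a deliberately weak section."""
    with tempfile.TemporaryDirectory() as tmp:
        dsrc = write_dsrc(os.path.join(tmp, ".dsrc"), SERVERS, SHARED_TLS)
        clean = audit_dsrc(dsrc)
        # Append a section that turns verification off, as the debugging workaround did.
        with open(dsrc, "a") as fh:
            fh.write("\n[slapd-debug]\nuri = ldaps://ldap-debug.example.org:636\n"
                     "tls_reqcert = never\n")
        weak = audit_dsrc(dsrc)
        # A CA directory containing only an unhashed file name (constructed content).
        cadir = os.path.join(tmp, "cacerts")
        os.mkdir(cadir)
        Path(cadir, "ca.crt").write_text("-----BEGIN CERTIFICATE-----\n")
        return {"sections": sorted(SERVERS), "clean": clean, "weak": weak,
                "cacertdir_issues": check_cacertdir(cadir)}


if __name__ == "__main__":
    print(demo())
```

Run it once to see the generated sections and the two findings; in practice point SERVERS at your inventory, keep tls_reqcert at hard, and run openssl rehash on the directory named by tls_cacertdir before handing the file to dsconf.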