#281 TLS not working with latest openldap
Closed: Fixed. Opened 8 years ago by rmeggins.

We are doing TLS configuration incorrectly in the 389 project. The proper way to do it is to use ldap_set_option(ld,...) to set the TLS options such as certdir, cert, key, etc. first, then use ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &val) last, to tell openldap to create and init a new TLS context with the given configuration.


To ssh://git.fedorahosted.org/git/389/ds.git
e8578ca..3d2f151 master -> master
commit changeset:3d2f151/389-ds-base
Author: Rich Megginson rmeggins@redhat.com
Date: Fri Feb 3 13:16:20 2012 -0700
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: Be sure to call
ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &val);
last after setting all of the other TLS options.
Platforms tested: RHEL6 x86_64, Fedora 16
Flag Day: no
Doc impact: no

To ssh://git.fedorahosted.org/git/389/admin.git
fc8a615..b579d92 master -> master
commit changeset:b579d9201af8fdcb7cba1e5543fa314481667fdd/389-admin
Author: Rich Megginson rmeggins@redhat.com
Date: Fri Feb 3 15:02:23 2012 -0700
To ssh://git.fedorahosted.org/git/389/dsgw.git
742013f..c29e596 master -> master
commit changeset:c29e5960117cade33f0ecc99aa588a30ea1e5cc8/389-dsgw
Author: Rich Megginson rmeggins@redhat.com
Date: Fri Feb 3 15:03:52 2012 -0700
To ssh://git.fedorahosted.org/git/389/adminutil.git
2eb198f..da9e118 master -> master
commit changeset:da9e1186eb93d050aa4c49e66e645fed5d2bb699/adminutil
Author: Rich Megginson rmeggins@redhat.com
Date: Fri Feb 3 15:05:06 2012 -0700

2 - 0001-Ticket-281-TLS-not-working-with-latest-openldap.patch
0001-Ticket-281-TLS-not-working-with-latest-openldap.2.patch

To ssh://git.fedorahosted.org/git/389/ds.git
f4dc9c4..e7d9bdd master -> master
commit changeset:e7d9bdd/389-ds-base
Author: Rich Megginson rmeggins@redhat.com
Date: Tue Feb 21 20:21:36 2012 -0700
Reviewed by: nkinder (Thanks!)
Branch: master
Fix Description: The previous fix did not take into account ssl client
auth. The way openldap ssl init works now is that you must set all of the
ssl parameters before creating the new ctx. Since slapi_ldap_init_ext()
does not know if client auth will be used, we have to do all of the ssl
init in slapi_ldap_bind. Doing setup_ol_tls_conn() again will free the
old TLS context and parameters. It is a little more time consuming in
the clientauth case, but is safer and saves time in the other cases.
Platforms tested: RHEL6 x86_64, Fedora 16
Flag Day: no
Doc impact: no

commit changeset:0771165/389-ds-base
Author: Rich Megginson rmeggins@redhat.com
Date: Tue Feb 21 20:21:36 2012 -0700
1.2.10 branch

Metadata Update from @rmeggins:
- Issue assigned to rmeggins
- Issue set to the milestone: 1.2.10.2

3 years ago