#49749 Ticket 49748 - Passthru plugin startTLS option not working
Closed 3 years ago by spichugi. Opened 6 years ago by mreynolds.
mreynolds/389-ds-base ticket49748  into  master

@@ -26,6 +26,7 @@ 

  #include "portable.h"

  #include "slapi-plugin.h"

  #include <nspr.h>

+ #include <errno.h>

  

  /* Private API: to get slapd_pr_strerror() and SLAPI_COMPONENT_NAME_NSPR */

  #include "slapi-private.h"
@@ -42,7 +43,6 @@ 

  

  #define PASSTHRU_OP_NOT_HANDLED 0

  #define PASSTHRU_OP_HANDLED 1

- 

  #define PASSTHRU_CONN_TRIES 2

  

  /* #define    PASSTHRU_VERBOSE_LOGGING    */

@@ -228,7 +228,7 @@ 

          srvr->ptsrvr_port = ludp->lud_port;

          srvr->ptsrvr_secure = secure;

          if (starttls) {

-             srvr->ptsrvr_secure = 2;

+             srvr->ptsrvr_secure = SLAPI_LDAP_INIT_FLAG_startTLS;

          }

  

          /*

@@ -115,7 +115,7 @@ 

  int

  passthru_get_connection(PassThruServer *srvr, LDAP **ldp)

  {

-     int rc;

+     int rc = LDAP_SUCCESS; /* optimistic */

      PassThruConnection *conn, *connprev;

      LDAP *ld;

  
@@ -125,7 +125,6 @@ 

      check_for_stale_connections(srvr);

  

      slapi_lock_mutex(srvr->ptsrvr_connlist_mutex);

-     rc = LDAP_SUCCESS; /* optimistic */

  

      slapi_log_err(SLAPI_LOG_PLUGIN, PASSTHRU_PLUGIN_SUBSYSTEM,

                    "=> passthru_get_connection server %s:%d conns: %d maxconns: %d\n",
@@ -134,8 +133,8 @@ 

  

      for (;;) {

          /*

-      * look for an available, already open connection

-      */

+          * look for an available, already open connection

+          */

          connprev = NULL;

          for (conn = srvr->ptsrvr_connlist; conn != NULL;

               conn = conn->ptconn_next) {
@@ -153,9 +152,9 @@ 

  

          if (srvr->ptsrvr_connlist_count < srvr->ptsrvr_maxconnections) {

              /*

-          * we have not exceeded the maximum number of connections allowed,

-          * so we initialize a new one and add it to the end of our list.

-          */

+              * we have not exceeded the maximum number of connections allowed,

+              * so we initialize a new one and add it to the end of our list.

+              */

              if ((ld = slapi_ldap_init(srvr->ptsrvr_hostname,

                                        srvr->ptsrvr_port, srvr->ptsrvr_secure, 1)) == NULL) {

  #ifdef PASSTHRU_VERBOSE_LOGGING
@@ -166,9 +165,37 @@ 

                  goto unlock_and_return;

              }

  

+             if (srvr->ptsrvr_secure == SLAPI_LDAP_INIT_FLAG_startTLS) {

+                 if (srvr->ptsrvr_ldapversion == LDAP_VERSION3 ) {

+                     rc = ldap_start_tls_s(ld, NULL, NULL);

+                     if (LDAP_SUCCESS != rc) {

+                         if (errno != 0) {

+                             /* Log the system errno */

+                             slapi_log_err(SLAPI_LOG_ERR, PASSTHRU_PLUGIN_SUBSYSTEM, "passthru_get_connection - "

+                                           "Error: could not send startTLS request: error %d (%s) errno %d (%s)\n",

+                                           rc, ldap_err2string(rc), errno,

+                                           slapd_system_strerror(errno));

+                         } else {

+                             /* Only LDAP error, no system error */

+                             slapi_log_err(SLAPI_LOG_ERR, PASSTHRU_PLUGIN_SUBSYSTEM, "passthru_get_connection - "

+                                           "Error: could not send startTLS request: error %d (%s)\n",

+                                           rc, ldap_err2string(rc));

+                         }

+                         goto unlock_and_return;

+                     }

+                 } else {

+                     /* We only support StartTLS on LDAPv3  */

+                     slapi_log_err(SLAPI_LOG_ERR, PASSTHRU_PLUGIN_SUBSYSTEM, "passthru_get_connection - "

+                                   "Error: configured to use StartTLS but ldap version (v%d) is not supported "

+                                   "(version 3 is required).  Aborting connection...\n",srvr->ptsrvr_ldapversion);

+                     rc = LDAP_UNWILLING_TO_PERFORM;

+                     goto unlock_and_return;

+                 }

+             }

+ 

              /*

-          * set protocol version to correct value for this server

-          */

+              * set protocol version to correct value for this server

+              */

              if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,

                                  &srvr->ptsrvr_ldapversion) != 0) {

                  slapi_ldap_unbind(ld);

Description: While you can configure a connection to use StartTLS the plugin code did not attempt to use StartTLS.

https://pagure.io/389-ds-base/issue/49748

Reviewed by: ?

The patch looks good but I wonder if you should not set ldapversion before and then test it is v3 for start_tls

rebased onto 5254e6f5e8e82d2478316909c5df3bc254b21741

6 years ago

@tbordaz - revised patch, please review...

shouldn't the values for CONN_TRIES and USE_STARTTLS be different ?

For me the patch looks good.
Regarding @lkrispen comment an other option is to use SLAPI_LDAP_INIT_FLAG_SSL and SLAPI_LDAP_INIT_FLAG_startTLS (from salpi-private.h)

rebased onto fa43305b7982aabee522de3db487cb841430593e

6 years ago

The docs for passthru auth plugin say you set "2" to use StartTLS. So using SLAPI_LDAP_INIT_FLAG_startTLS will work. PR is now rebased, please review...

Indeed slapi_ldap_init uses those defines so I guess documented value '2' comes from the defines.
The patch looks good to me. Ack

rebased onto d870eb0

6 years ago

Pull-Request has been merged by mreynolds

6 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This pull request has been cloned to Github as issue and is available here:
- https://github.com/389ds/389-ds-base/issues/2808

If you want to continue to work on the PR, please navigate to the github issue,
download the patch from the attachments and file a new pull request.

Thank you for understanding. We apologize for all inconvenience.

Pull-Request has been closed by spichugi

3 years ago