#905 Validation of TLS/SSL certificate of LDAP server fails because IP address is used to connect
Closed: Fixed None Opened 10 years ago by sbose.

sssd tries to always talk to the same LDAP server as long as this server is available. To achieve this the IP address of the LDAP server is resolved first and is used in the LDAP uri input parameter of ldap_initialize().

But typically TLS/SSL certificates do not contain the IP address of the LDAP server, but only the DNS name, and the validation of the certificate of the LDAP server will fail if ldaps or StartTLS is used. If the certificate has the IP address of the server in the subject alternative name field it will work. But since the majority of the certificates will not have this field for good reasons, I think we cannot recommend this as a solution.

From my point of view the best solution is to split the ldap_initialize() call into a socket() and a ldap_init_fd() call. This way we can connect with the IP address but use the hostname (or whatever is given in sssd.conf) in the LDAP session setup. Since there is only one place in sssd where we call ldap_initialize(), this change is rather small.

ldap_init_fd() is not defined in ldap.h but described in the man page. With a configure check for ldap_init_fd() and a fallback to ldap_initialize() we should be on the safe side.

Corresponding BZ entry https://bugzilla.redhat.com/show_bug.cgi?id=715609
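The split the ticket proposes, connecting to the address the provider already chose while handing the configured DNS name to the TLS layer, as an added example using only Python's standard library (not sssd's or libldap's code); the URI and the 192.0.2.10 address are constructed, and ldap_init_fd() is referenced only in a comment as the libldap call the session URI would be passed to.

```python
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def plan_session(ldap_uri, resolved_ip):
    """Separate the two names involved in one LDAP connection.

    The transport connects to the address the provider already resolved and
    wants to keep using (server affinity); the TLS layer gets the DNS name
    from the configured URI, which is what the server certificate was issued
    for. Using the IP for both roles makes validation fail unless the
    certificate carries an IP subjectAltName, which most do not.
    """
    parts = urlsplit(ldap_uri)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported LDAP URI: {ldap_uri!r}")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return {
        "connect": (resolved_ip, port),           # socket()/connect() target
        "tls_server_name": parts.hostname,        # SNI and hostname matching
        "immediate_tls": parts.scheme == "ldaps", # ldaps: TLS before any LDAP op
        # URI to hand to the LDAP library (ldap_init_fd() in libldap) so the
        # session is set up with the configured name, not the address.
        "session_uri": f"{parts.scheme}://{parts.hostname}:{port}",
    }


def wrap_tls(sock, plan, cafile=None):
    """Upgrade an open socket to TLS, verifying against the configured name."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    return ctx.wrap_socket(sock, server_hostname=plan["tls_server_name"])


def open_session(ldap_uri, resolved_ip, cafile=None, timeout=5.0):
    """Connect by IP, then validate by hostname (ldaps), or return the plain
    socket so the caller can issue StartTLS and then call wrap_tls()."""
    plan = plan_session(ldap_uri, resolved_ip)
    sock = socket.create_connection(plan["connect"], timeout=timeout)
    if plan["immediate_tls"]:
        sock = wrap_tls(sock, plan, cafile)
    return sock, plan


if __name__ == "__main__":
    # Constructed example values; no connection is attempted here.
    print(plan_session("ldaps://ldap.example.com", "192.0.2.10"))
```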

Fields changed

owner: somebody => sbose
patch: 0 => 1
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.5.9

This was partially fixed in 1.5.9 and 1.5.10, but it left an LDAPS regression that was only fixed in 1.5.11.

Fixed by:
- master
  - 87243a0
  - daf160f
  - d4d9a17
  - 177c89d
  - 424e012
  - 081d023
- sssd-1-5
  - 87243a0
  - daf160f
  - d4d9a17
  - 177c89d
  - 424e012
  - 081d023

component: SSSD => LDAP Provider
milestone: SSSD 1.5.9 => SSSD 1.5.11
priority: major => blocker
resolution: => fixed
status: assigned => closed

Metadata Update from @sbose:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.5.11

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1947

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
