#2500 New openldap breaks ipa-replica-manage TLS connection
Closed: Fixed None Opened 12 years ago by mkosek.

New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its ABI and broke our TLS connection in ipa-replica-manage. This makes it impossible to connect for example to Active Directory to set up winsync replication

We always receive a connection error saying the peer's certificate is not recognized, even though we pass a correct one:

# ipa-replica-manage connect --winsync --passsync=password --cacert=/home/mkosek/wincertnew.cer dhcp201-112.englab.pnq.redhat.com --binddn "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" --bindpw Secret123 -v -p kokos123
Added CA certificate /home/mkosek/wincertnew.cer to certificate database for vm-068.idm.lab.bos.redhat.com
ipa: INFO: Failed to connect to AD server dhcp201-112.englab.pnq.redhat.com
ipa: INFO: The error was: {'info': "TLS error -8179:Peer's Certificate issuer is not recognized.", 'desc': 'Connect error'}
Failed to setup winsync replication

There is an explanation from Rich in BZ I filed:

https://bugzilla.redhat.com/show_bug.cgi?id=800787

The way openldap TLS initialization works in openldap-2.4.26-6 and later is
this:

When you have an LDAP *ld or an ldap handle created by ldap.initialize, and you
call ldap_set_option to set options in this handle, they are stored in the
options area of the handle, but not in the TLS options area of the handle,
until you call set_option(ldap.OPT_X_TLS_NEWCTX, 0).  This causes the creation
of the new TLS context and writes the saved TLS option settings into the new
TLS context.  If you then attempt to set another TLS option in the same ldap
handle, the changes will again be stored in the ldap option area, but not in
the TLS context.

Thus, we need to call conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cert) before setting up a new context (conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)).
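The ordering rule above as a Python sketch, added here as an example (it is neither the ticket's patch nor FreeIPA code). HandleModel is an assumed stand-in that mimics the libldap behaviour Rich describes so the ordering can be checked without a server; the numeric fallbacks are the ldap.h values and are used only when python-ldap is not installed.

```python
"""Added example (not from the ticket or FreeIPA): the TLS option ordering
that openldap 2.4.26-6 and later require from python-ldap callers."""

try:
    import ldap
    OPT_X_TLS_CACERTFILE = ldap.OPT_X_TLS_CACERTFILE
    OPT_X_TLS_REQUIRE_CERT = ldap.OPT_X_TLS_REQUIRE_CERT
    OPT_X_TLS_DEMAND = ldap.OPT_X_TLS_DEMAND
    OPT_X_TLS_NEWCTX = ldap.OPT_X_TLS_NEWCTX
except ImportError:
    # python-ldap not installed: numeric values from OpenLDAP's ldap.h.
    OPT_X_TLS_CACERTFILE, OPT_X_TLS_REQUIRE_CERT = 0x6002, 0x6006
    OPT_X_TLS_DEMAND, OPT_X_TLS_NEWCTX = 2, 0x600F


class HandleModel:
    """Assumed model (not libldap code) of the quoted behaviour: set_option
    only saves TLS options in the handle; OPT_X_TLS_NEWCTX copies the saved
    options into the TLS context that the connection actually verifies with."""

    def __init__(self):
        self.saved = {}    # options recorded by set_option
        self.tls_ctx = {}  # what the TLS context will use

    def set_option(self, opt, value):
        if opt == OPT_X_TLS_NEWCTX:
            self.tls_ctx = dict(self.saved)
        else:
            self.saved[opt] = value

    def effective_cacert(self):
        return self.tls_ctx.get(OPT_X_TLS_CACERTFILE)


def configure_tls(conn, cacert_path):
    """Correct order: TLS options first, context creation last."""
    conn.set_option(OPT_X_TLS_CACERTFILE, cacert_path)
    conn.set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_DEMAND)
    conn.set_option(OPT_X_TLS_NEWCTX, 0)  # copies saved options into the ctx


def configure_tls_broken(conn, cacert_path):
    """Ineffective order: the context is created before the CA file is
    stored, so it never sees it and the issuer stays unrecognized."""
    conn.set_option(OPT_X_TLS_NEWCTX, 0)
    conn.set_option(OPT_X_TLS_CACERTFILE, cacert_path)
```

With python-ldap installed, configure_tls works unchanged on a real handle from ldap.initialize(); with the model, effective_cacert() returns the path only for the correct order.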

I tested this change successfully with the following versions of openldap:

  • Fedora 16: openldap-2.4.26-6.fc16.x86_64
  • RHEL 6.3: openldap-2.4.23-21.el6.x86_64
  • RHEL 6.2: openldap-2.4.23-20.el6.x86_64

Patch freeipa-mkosek-233-fix-ipa-replica-manage-tls-connection-error.patch sent for review

Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03
