#11 Avoid STARTTLS when connecting to ldapi:// socket
Closed: Fixed None Opened 7 years ago by davidep.

The attached patch checks if the server URI starts with "ldapi://"

libuser-0.56.13-4.el6_0.1.src.rpm
openldap-2.4.23-20.el6.x86_64

I've not found another way to disable STARTTLS.

--Davide


Thanks for the patch. Can you explain in more detail why is it required, please?

For ldap:// URLs, STARTTLS is always attempted but failure is ignored. Is that insufficient?

Replying to [comment:1 mitr]:

Thanks for the patch. Can you explain in more detail why is it required, please?

Thanks for your prompt reply! Granted that I'm new to ldap...

I want to contact slapd on the unix domain socket (ldapi://) using SASL/EXTERNAL mechanism; TLS is not required in this case and the identity of the user is inferred by the OS uid of the client process.

It seems that slapd closes the connection because it receives a STARTTLS message, followed by a SASL bind attempt, while it's expecting a "SSL message" (see attachment:slapd.log.1).

For ldap:// URLs, STARTTLS is always attempted but failure is ignored. Is that insufficient?

ldap_start_tls_s() returns -11 (LDAP_CONNECT_ERROR). Maybe we can reconnect on that condition without StartTLS.

However, I would not make an attempt to see if it fails. I would rather send a STARTTLS command only if requested by a configuration parameter and exit if it fails.

The real problem is that NSS just doesn't support AF_UNIX:
{{{
$ ldapsearch -ZZ -v -H ldapi://%2ftmp%2fldapi -x -D cn=Manager,dc=libuser -w password -b ou=People,dc=libuser
ldap_initialize( ldapi://%2Ftmp%2Fldapi/??base )
ldap_start_tls: Connect error (-11)
additional info: TLS error -5985:Network address type not supported
}}}

With ldap://, STARTTLS gracefully fails when the server does not support TLS at all (but causes similar authentication problems when TLS is supported, but the connection setup fails, e.g. when the certificate is not trusted).

For ldapi://, even if the server correctly supports TLS, the setup will fail with the above error, so it's currently never possible for ldap_start_tls_s() to succeed.

Given the above, and the fact that TLS on a local machine is kind of pointless, I have applied the change (with more comments and documentation). Thanks again!

Fix released in libuser-0.57.6.
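An added example, not the attached patch or libuser's own code, modelling the connection-setup decision this ticket settles on: STARTTLS is attempted only for ldap:// URIs and skipped for ldapi:// (and is meaningless for ldaps://). The `fake_start_tls()` stand-in and the `skip_ldapi` flag are constructed for the demonstration; the -11 it returns on ldapi:// mirrors the `ldap_start_tls_s()` result quoted above.

```python
from urllib.parse import urlsplit, unquote

LDAP_SUCCESS = 0
LDAP_CONNECT_ERROR = -11  # ldap_start_tls_s() result seen on ldapi:// in this ticket


def starttls_mode(uri: str) -> str:
    """'skip' for ldapi:// (NSS cannot wrap an AF_UNIX socket in TLS),
    'implicit' for ldaps:// (TLS is already negotiated, STARTTLS is pointless),
    'attempt' for ldap:// (try STARTTLS, tolerate failure as libuser does)."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme == "ldapi":
        return "skip"
    if scheme == "ldaps":
        return "implicit"
    if scheme == "ldap":
        return "attempt"
    raise ValueError(f"unsupported LDAP URI scheme: {scheme!r}")


def ldapi_socket_path(uri: str) -> str:
    """Decode the percent-encoded socket path of an ldapi:// URI
    (ldapi://%2ftmp%2fldapi -> /tmp/ldapi); '' means the library default."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "ldapi":
        raise ValueError("not an ldapi:// URI")
    return unquote(parts.netloc)


def fake_start_tls(uri: str) -> int:
    """Constructed stand-in for ldap_start_tls_s(): fails with -11 on ldapi://
    because the TLS backend has no AF_UNIX support, succeeds elsewhere."""
    return LDAP_CONNECT_ERROR if urlsplit(uri).scheme.lower() == "ldapi" else LDAP_SUCCESS


def prepare_bind(uri: str, start_tls=fake_start_tls, skip_ldapi: bool = True) -> dict:
    """Connection setup before the bind. skip_ldapi=True is the fixed behaviour;
    skip_ldapi=False reproduces the old one, where STARTTLS was sent on the
    unix socket too and came back with LDAP_CONNECT_ERROR."""
    mode = starttls_mode(uri)
    result = {"mode": mode, "tls": mode == "implicit", "starttls_rc": None}
    if mode == "attempt" or (mode == "skip" and not skip_ldapi):
        rc = start_tls(uri)
        result["starttls_rc"] = rc
        result["tls"] = rc == LDAP_SUCCESS  # failure is ignored, bind goes on in clear
    if mode == "skip":
        # SASL/EXTERNAL on this socket takes the identity from the peer's uid
        result["socket"] = ldapi_socket_path(uri)
    return result
```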

Metadata Update from @davidep:
- Issue assigned to mitr

2 years ago
