Bug 623752

Summary: yast ldap module doesn't setup ldaps correctly
Product: [openSUSE] openSUSE 11.3
Reporter: David Alston <david.alston>
Component: YaST2
Assignee: Jiří Suchomel <jsuchome>
Status: RESOLVED INVALID
QA Contact: Jiri Srain <jsrain>
Severity: Major
Priority: P5 - None
CC: ralf
Version: Final
Target Milestone: ---
Hardware: 64bit
OS: openSUSE 11.3

Description David Alston 2010-07-20 05:40:39 UTC
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.10) Gecko/20100506 SUSE/3.5.10-0.1.1 Firefox/3.5.10

I used almost identical settings for the "yast2 ldap" module in 11.3 as I did in 11.2, but /var/log/messages kept complaining that it couldn't connect to the LDAP server until I manually copied the /etc/ldap.conf file that the "yast2 ldap" module from 11.2 had made onto the 11.3 box.

Reproducible: Always

Steps to Reproduce:
1. yast2 ldap
2. set LDAP server host
3. set LDAP base DN correctly
4. select "LDAP TLS/SSL" checkbox
5. select "ok"
6. getent passwd <ldap-login-id>

Actual Results:
-snip from /var/log/messages-
Jul 19 18:06:04 linux-cotw worker_nscd: nss_ldap: ldap_start_tls failed: Can't contact LDAP server
Jul 19 18:06:04 linux-cotw worker_nscd: nss_ldap: ldap_start_tls failed: Can't contact LDAP server
Jul 19 18:06:04 linux-cotw worker_nscd: nss_ldap: could not search LDAP server - Server is unavailable
-snip-

Expected Results:
"getent passwd <ldap-login-id>" should show the passwd string for the specified <ldap-login-id>.

* when I ran a tcpdump after I used the yast2 ldap module to setup LDAPS authentication I noticed that nscd was trying to use the default ldap port (389) instead of the ldaps port (636)

* a comparison of the /etc/ldap.conf files generated by the yast2 ldap module between YaST in 11.2 and 11.3 shows that the following value is missing in the config generated by 11.3's YaST

tls_checkpear = no

Comment 1 David Alston 2010-07-20 16:00:38 UTC
about the port that is being used...

it looks like the "ssl on" line in /etc/ldap.conf isn't being added when checking the "SSL/TLS" checkbox, and so the LDAP queries are going to the ldap port instead of the ldaps port

Comment 2 Jiří Suchomel 2010-07-21 07:14:40 UTC
(In reply to comment #0)

> * a comparison of the /etc/ldap.conf files generated by the yast2 ldap module
> between YaST in 11.2 and 11.3 shows that the following value is missing in the
> config generated by 11.3's YaST
> 
> tls_checkpear = no

This is correct, AFAIK. Now the default value of tls_checkpear is true.

Ralf, could you comment?


(In reply to comment #1)
> about the port that is being used...
> 
> it looks like the "ssl on" line in /etc/ldap.conf isn't being added when
> checking the "SSL/TLS" checkbox and so the LDAP queries are going to the ldap
> port instead of the ldaps port

Checking "SSL/TLS" should add "ssl start_tls" line, not "ssl on". Or was anything changed?

Comment 3 Ralf Haferkamp 2010-07-21 07:29:45 UTC
(In reply to comment #2)
> > tls_checkpear = no
> 
> This is correct, AFAIK. Now the default value of tls_checkpear is true.
> 
> Ralf, could you comment?
Not much to comment on here. Using TLS without certificate verification isn't exactly secure. That's why we don't add the "tls_checkpear no" any longer in 11.3. That means that you need to provide the yast2 module with the CA certificate that was used to sign the server certificate; otherwise nss_ldap will fail to connect to the LDAP server (I guess that's what you are seeing).

> (In reply to comment #1)
> > about the port that is being used...
> > 
> > it looks like the "ssl on" line in /etc/ldap.conf isn't being added when
> > checking the "SSL/TLS" checkbox and so the LDAP queries are going to the ldap
> > port instead of the ldaps port
> 
> Checking "SSL/TLS" should add "ssl start_tls" line, not "ssl on". Or was
> anything changed?
No. We always used "ssl start_tls". StartTLS is the standardized way to do TLS with LDAP and it doesn't use the (only semi-official) ldaps port (636).

[I adjusted the product as this is a bug report against 11.3 and not 11.2]

Comment 4 Jiří Suchomel 2010-07-21 07:36:40 UTC
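The two points made in this thread, that "ssl start_tls" stays on the plain LDAP port and that dropping "tls_checkpear no" only works once a CA certificate is configured, can be checked mechanically. The following is an added example, not code from the bug or from YaST; it uses the nss_ldap keyword spelling `tls_checkpeer` (the thread writes "tls_checkpear"), and both config samples are constructed for illustration.

```python
"""Lint an nss_ldap-style /etc/ldap.conf for the TLS settings discussed in this thread."""

# Constructed sample resembling the 11.2-generated file: TLS on, peer check disabled.
LDAP_CONF_11_2 = """\
host ldap.example.test
base dc=example,dc=test
ssl start_tls
tls_checkpeer no
"""

# Constructed sample in the 11.3 style: no tls_checkpeer line, CA certificate supplied.
LDAP_CONF_11_3 = """\
host ldap.example.test
base dc=example,dc=test
ssl start_tls
tls_cacertfile /etc/ssl/certs/example-ca.pem
"""


def parse_ldap_conf(text):
    """Return {keyword: value} for 'keyword value' lines; blanks and '#' comments are skipped.
    Keywords are lowercased so the checks below are not sensitive to the file's casing."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def lint_tls(settings):
    """Return a list of findings describing the client's TLS posture."""
    findings = []
    ssl_mode = settings.get("ssl", "no").lower()
    if ssl_mode == "no":
        findings.append("ssl no: LDAP traffic is not protected by TLS")
        return findings
    # 'ssl on' is LDAP over TLS on the ldaps port; 'ssl start_tls' upgrades a session on the plain port.
    port = 636 if ssl_mode == "on" else 389
    findings.append(f"ssl {ssl_mode}: default port {port}")
    if settings.get("tls_checkpeer", "yes").lower() == "no":
        findings.append("tls_checkpeer no: server certificate is not verified")
    elif not (settings.get("tls_cacertfile") or settings.get("tls_cacertdir")):
        findings.append("no tls_cacertfile/tls_cacertdir: verification has no trust anchor")
    return findings
```

Run `lint_tls(parse_ldap_conf(open("/etc/ldap.conf").read()))` on a real file to see which of the two states it is in.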
So, any more comments, or could we close the bug?

Comment 5 David Alston 2010-07-21 16:19:53 UTC
Yeah, we can close this out. Just plugged up a few gaps in my LDAP knowledge. Thanks for taking a look at this!

Now I'm running into what looks like an nscd cache problem, but I'll open that in another bug.

I don't see how to close this ticket, otherwise I would do it myself. I can't seem to change the Status drop-down below. I guess someone else will have to close it.

Comment 6 Jiří Suchomel 2010-07-22 05:57:25 UTC
not real bug = invalid