We are doing TLS configuration incorrectly in the 389 project. The proper way to do it is to use ldap_set_option(ld,...) to set the TLS options such as certdir, cert, key, etc. first, then use ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &val) last, to tell openldap to create and init a new TLS context with the given configuration.
Attachment: 0001-Ticket-281-TLS-not-working-with-latest-openldap.patch
To ssh://git.fedorahosted.org/git/389/ds.git
   e8578ca..3d2f151  master -> master

commit changeset:3d2f151/389-ds-base
Author: Rich Megginson <rmeggins@redhat.com>
Date:   Fri Feb 3 13:16:20 2012 -0700

Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: Be sure to call ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &val); last after setting all of the other TLS options.
Platforms tested: RHEL6 x86_64, Fedora 16
Flag Day: no
Doc impact: no
To ssh://git.fedorahosted.org/git/389/admin.git
   fc8a615..b579d92  master -> master

commit changeset:b579d9201af8fdcb7cba1e5543fa314481667fdd/389-admin
Author: Rich Megginson <rmeggins@redhat.com>
Date:   Fri Feb 3 15:02:23 2012 -0700

To ssh://git.fedorahosted.org/git/389/dsgw.git
   742013f..c29e596  master -> master

commit changeset:c29e5960117cade33f0ecc99aa588a30ea1e5cc8/389-dsgw
Author: Rich Megginson <rmeggins@redhat.com>
Date:   Fri Feb 3 15:03:52 2012 -0700

To ssh://git.fedorahosted.org/git/389/adminutil.git
   2eb198f..da9e118  master -> master

commit changeset:da9e1186eb93d050aa4c49e66e645fed5d2bb699/adminutil
Author: Rich Megginson <rmeggins@redhat.com>
Date:   Fri Feb 3 15:05:06 2012 -0700
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=788723
Attachment 2: 0001-Ticket-281-TLS-not-working-with-latest-openldap.2.patch
To ssh://git.fedorahosted.org/git/389/ds.git
   f4dc9c4..e7d9bdd  master -> master

commit changeset:e7d9bdd/389-ds-base
Author: Rich Megginson <rmeggins@redhat.com>
Date:   Tue Feb 21 20:21:36 2012 -0700

Reviewed by: nkinder (Thanks!)
Branch: master
Fix Description: The previous fix did not take into account ssl client auth. The way openldap ssl init works now is that you must set all of the ssl parameters before creating the new ctx. Since slapi_ldap_init_ext() does not know if client auth will be used, we have to do all of the ssl init in slapi_ldap_bind. Doing setup_ol_tls_conn() again will free the old TLS context and parameters. It is a little more time consuming in the clientauth case, but is safer and saves time in the other cases.
Platforms tested: RHEL6 x86_64, Fedora 16
Flag Day: no
Doc impact: no
commit changeset:0771165/389-ds-base
Author: Rich Megginson <rmeggins@redhat.com>
Date:   Tue Feb 21 20:21:36 2012 -0700
1.2.10 branch
Added initial screened field value.
Metadata Update from @rmeggins: - Issue assigned to rmeggins - Issue set to the milestone: 1.2.10.2
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/281
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for any inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)