Bug 1048475

Summary: TLS does not work for ldap, incorrect TLS & Debug attribute setting in rlm_ldap
Product: Red Hat Enterprise Linux 7 Reporter: John Dennis <jdennis>
Component: freeradiusAssignee: John Dennis <jdennis>
Status: CLOSED CURRENTRELEASE QA Contact: David Spurek <dspurek>
Severity: medium Docs Contact:
Priority: high    
Version: 7.0CC: dpal, dspurek, ebenes, jdennis, lemenkov, mvadkert
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: freeradius-3.0.1-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1048474 Environment:
Last Closed: 2014-06-13 12:56:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1048474    
Bug Blocks:    

Description John Dennis 2014-01-04 13:56:16 UTC 
+++ This bug was initially created as a clone of Bug #1048474 +++

rlm_ldap cannot successfully establish TLS connections with an OpenLDAP server. This is because the TLS connection attributes are not set when the OpenLDAP client library tries to make a connection. The failing connection causes the radius server to fail to initialize and it immediately exits.

The problem is related to use of LDAP_OPT_X_TLS_NEWCTX to establish a per connection TLS context. Apparently LDAP_OPT_X_TLS_NEWCTX has to be called *after* calling ldap_set_option() to set the TLS attributes, if it's called prior to setting the attributes (as is the current code) then the TLS attributes are not copied into the new TLS context.

Not sure, but this might only be a problem for the MozNSS module as opposed to the OpenSSL module (OpenLDAP can be built with different crypto implementations). Currently Red Hat is the only distribution that deploys OpenLDAP with MozNSS which might explain why this problem was not seen upstream. I want to investigate further on this.

Moving LDAP_OPT_X_TLS_NEWCTX to after setting the TLS attributes fixes the connection failures.

During debugging it was also discovered that the way rlm_ldap sets the LDAP debug flag is also incorrect. The debug flag needs to be set on the global context, not the per connection context. As currently implemented one cannot get the ldap library to emit debug information, this also needs fixing.
Comment 5 Ludek Smid 2014-06-13 12:56:43 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.