Bug 1542645

Summary: Outgoing secure connection is failing with recent OpenLDAP
Product: Red Hat Enterprise Linux 7 Reporter: thierry bordaz <tbordaz>
Component: 389-ds-baseAssignee: mreynolds
Status: CLOSED ERRATA QA Contact: Viktor Ashirov <vashirov>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 7.5CC: enewland, nkinder, rmeggins, spichugi
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.7.5-16 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 14:25:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description thierry bordaz 2018-02-06 17:49:33 UTC 
Description of problem:
Due to a change in the OpenLDAP client libraries (switching from NSS to OpenSSL), the TLS options LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_KEYFILE, LDAP_OPT_X_TLS_CERTFILE, need to specify path to PEM files.

Those PEM files are extracted from the key/certs from the NSS db in /etc/dirsrv/slapd-xxx

Those files are extracted if the option (under 'cn=config') nsslapd-extract-pemfiles is set to 'on'.

The default value is 'off', that prevent secure outgoing connection.


Version-Release number of selected component (if applicable):
The bug exists in RHEL 7.5 with recent version of openldap


How reproducible:
Described in https://bugzilla.redhat.com/show_bug.cgi?id=1541108#c5
Note this is using startTLS.


Steps to Reproduce:
1.
2.
3.

Actual results:
ipa-replica-install may succeeds but later we can see those failure in error logs (for each outgoing failure)
ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)

If install fails, creating an ipa user on the replica also fails because DNA plugin can not connect to obtain a range


Expected results:

Should not fail


Additional info:
Comment 3 thierry bordaz 2018-02-07 10:18:19 UTC 
Tests of internal build was successful. ipa-server-install succeeded.

At the end of the test case (after ipa-server-install) https://bugzilla.redhat.com/show_bug.cgi?id=1541108#c5, IPA does not work !
Adding a user, on the replica, fails because it can not lookup FQDN of the master. Adding the host/ip into /etc/hosts on the replica side fixes the issue and IPA is working fine (add a user on both Master, Replica).

IMHO the failure of IPA is likely because missing some options in the test case rather than DS failure to connect.


Next, will test the same testcase with the official build 389-ds-base-1.3.7.5-16
Comment 4 thierry bordaz 2018-02-07 12:34:42 UTC 
Test with 389-ds-base-1.3.7.5-16 / ipa-server-4.5.4-9 was successful.
ipa-server-install (DL=0) + ipa-replica-install + basic ipa tests (user,group) succeeded.
Comment 5 Simon Pichugin 2018-02-23 12:12:02 UTC 
[root@qeos-6 ds]# py.test -s -v dirsrvtests/tests/suites/replication/tls_client_auth_repl_test.py
======================= test session starts =======================
platform linux -- Python 3.6.3, pytest-3.4.1, py-1.5.2, pluggy-0.6.0 -- /opt/rh/rh-python36/root/usr/bin/python3
cachedir: .pytest_cache
metadata: {'Python': '3.6.3', 'Platform': 'Linux-3.10.0-855.el7.x86_64-x86_64-with-redhat-7.5-Maipo', 'Packages': {'pytest': '3.4.1', 'py': '1.5.2', 'pluggy': '0.6.0'}, 'Plugins': {'metadata': '1.6.0', 'html': '1.16.1'}}
389-ds-base: 1.3.7.5-18.el7
nss: 3.34.0-4.el7
nspr: 4.17.0-1.el7
openldap: 2.4.44-13.el7
svrcore: 4.1.3-2.el7

rootdir: /mnt/tests/rhds/tests/upstream/ds, inifile:
plugins: metadata-1.6.0, html-1.16.1
collected 1 item

dirsrvtests/tests/suites/replication/tls_client_auth_repl_test.py::test_extract_pemfiles
INFO:dirsrvtests.tests.suites.replication.tls_client_auth_repl_test:Default value of nsslapd-extract-pemfiles = on (should be 'on')
INFO:dirsrvtests.tests.suites.replication.tls_client_auth_repl_test:Set nsslapd-extract-pemfiles = 'off' and check replication works)
INFO:lib389.replica:SUCCESS: Replication from ldap://qeos-6.lab.eng.rdu2.redhat.com:39001 to ldap://qeos-6.lab.eng.rdu2.redhat.com:39002 is working
INFO:lib389.replica:SUCCESS: Replication from ldap://qeos-6.lab.eng.rdu2.redhat.com:39002 to ldap://qeos-6.lab.eng.rdu2.redhat.com:39001 is working
INFO:dirsrvtests.tests.suites.replication.tls_client_auth_repl_test:Set nsslapd-extract-pemfiles = 'on' and check replication works)
INFO:lib389.replica:SUCCESS: Replication from ldap://qeos-6.lab.eng.rdu2.redhat.com:39001 to ldap://qeos-6.lab.eng.rdu2.redhat.com:39002 is working
INFO:lib389.replica:SUCCESS: Replication from ldap://qeos-6.lab.eng.rdu2.redhat.com:39002 to ldap://qeos-6.lab.eng.rdu2.redhat.com:39001 is working
PASSED

======================= 1 passed in 33.50 seconds =======================

Marking as verified.
Comment 8 errata-xmlrpc 2018-04-10 14:25:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0811