Bug 1581737

Summary: passthrough plugin configured to do starttls does not work.
Product: Red Hat Enterprise Linux 7
Reporter: German Parente <gparente>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: RHDS QE <ds-qe-bugs>
Severity: urgent
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: urgent
Version: 7.7-Alt
CC: aadhikar, arajendr, gparente, mcorr, mreynolds, msauton, nkinder, pasik, rmeggins
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: 389-ds-base-1.3.8.4-1.el7
Doc Type: Bug Fix
Doc Text:
The Directory Server *Pass-through* plug-in now supports encrypted connections using the *STARTTLS* command. Previously, the *Pass-through* plug-in in Directory Server did not support encrypted connections if the encryption was started using the *STARTTLS* command. The problem has been fixed, and the *Pass-through* plug-in now supports connections that use the *STARTTLS* command.
Story Points: ---
Clone Of:
Clones: 1635138
Environment:
Last Closed: 2018-10-30 10:13:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1635138

Description German Parente 2018-05-23 14:13:15 UTC
Description of problem:

I have configured passthrough plugin to do Starttls:


nsslapd-pluginarg0: ldap://nslcd.parente.local:1389/dc=parente,dc=local 3,5,300,3,300,1


I have added plugin debug logs. To have that logging, I had to define this in the source code and re-build:

#define    PASSTHRU_VERBOSE_LOGGING 

Then I see clearly:

passthru-plugin - PTA server host: "nslcd.parente.local", port: 1389, secure: 2, maxconnections: 3, maxconcurrency: 5, timeout: 300, ldversion: 3, connlifetime: 300

secure: 2 means starttls:


        if (starttls) {
            srvr->ptsrvr_secure = 2;
        }


bind as:

ldapsearch -D "uid=omc,ou=people,dc=parente,dc=local" -w secret12 -b "dc=parente,dc=local" -s base


But in the access logs, we see clearly:

[23/May/2018:10:07:20.883924603 -0400] conn=1 fd=64 slot=64 connection from 10.10.178.222 to 10.10.178.222
[23/May/2018:10:07:20.884685945 -0400] conn=1 op=0 BIND dn="uid=omc,ou=people,dc=parente,dc=local" method=128 version=3
[23/May/2018:10:07:20.886823710 -0400] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0002572394 dn="uid=omc,ou=people,dc=parente,dc=local"

No starttls.

Now, in the code, when parsing the url:

    /* use secure setting from url if none given */
    if (!secure && ludp) {
        if (secureurl) {
            secure = SLAPI_LDAP_INIT_FLAG_SSL;
        } else if (0 /* starttls option - not supported yet in LDAP URLs */) {
            secure = SLAPI_LDAP_INIT_FLAG_startTLS;
        }
    }

So, I wonder if the problem is not that starttls is not supported in LDAP URLs but ... in the passthrough plugin we cannot but specify an LDAP URL.



Version-Release number of selected component (if applicable):

389-ds-base-1.3.7.5-21.el7_5

Comment 4 mreynolds 2018-06-04 16:24:00 UTC
Upstream ticket:
https://pagure.io/389-ds-base/issue/49748

Comment 5 mreynolds 2018-06-05 15:46:17 UTC
Fixed upstream

Comment 11 Akshay Adhikari 2018-08-10 11:04:13 UTC
Build Tested: 389-ds-base-1.3.8.4-9.el7.x86_64
 
Note: Target server is the machine on which SSL is configured and source server is the one on which passthrough plugin is configured.
 
1) Configure passthrough plugin to do starttls:
   dn: cn=Pass Through Authentication,cn=plugins,cn=config
   changetype: modify
   replace: nsslapd-pluginarg0
   nsslapd-pluginarg0: ldap://<hostname>:<ldap_port>/dc=example,dc=com 3,5,300,3,300,1
 
2) Set nsslapd-pluginEnabled to ON.
 
3) Restart the source server.
 
4) Add a user under the suffix "dc=example,dc=com".
 
5) Add the CA certificate from Target machine to the source.
 
6) Restart the source server.
 
Results:
(Access log of Target Machine)

[07/Aug/2018:19:12:40.815180192 +051800] conn=53 fd=64 slot=64 connection from 10.19.34.94 to 10.65.206.155
[07/Aug/2018:19:12:40.815427962 +051800] conn=53 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[07/Aug/2018:19:12:40.815608583 +051800] conn=53 op=0 RESULT err=0 tag=120 nentries=0 etime=0.0000319538
[07/Aug/2018:19:12:41.335641674 +051800] conn=53 TLS1.2 256-bit AES-GCM
[07/Aug/2018:19:12:42.169458011 +051800] conn=53 op=1 BIND dn="uid=adam,ou=people,dc=example,dc=com" method=128 version=3
[07/Aug/2018:19:12:42.170164748 +051800] conn=53 op=1 RESULT err=0 tag=97 nentries=0 etime=1.0101292500 dn="uid=adam,ou=people,dc=example,dc=com"
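
The following Python script is an added example, not code from 389-ds or from any commenter on this bug. It parses the nsslapd-pluginarg0 value in the form used in the description and in the verification steps above, maps it to the same secure level (0 plain, 1 ldaps, 2 starttls) the plugin prints in its debug line, and then audits a 389-ds access log for BINDs that were not preceded by a successful StartTLS extended operation on the same connection, which is exactly the evidence compared in the description (conn=1) and the verification (conn=53). The option order after the URL is inferred from the debug line quoted in the description; the embedded log lines are copied from this report.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Added example, not 389-ds code: parse the PTA nsslapd-pluginarg0 value used in
# this bug and audit a 389-ds access log for BINDs not preceded by StartTLS.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation
# Order inferred from the plugin debug line quoted in the description.
OPTION_NAMES = ("maxconnections", "maxconcurrency", "timeout", "ldversion", "connlifetime")

@dataclass
class PtaServer:
    scheme: str
    host: str
    port: int
    suffix: str
    options: dict      # the five numeric options, keyed by OPTION_NAMES
    starttls: bool

    @property
    def secure(self) -> int:
        """Same encoding as the plugin's debug line: 0 plain, 1 ldaps, 2 starttls."""
        return 1 if self.scheme == "ldaps" else (2 if self.starttls else 0)

def parse_pluginarg(value: str) -> PtaServer:
    """Parse '<url> maxconn,maxconcurrency,timeout,ldversion,connlifetime[,starttls]'.

    The trailing 1 is the StartTLS switch; without it the target is contacted in
    the clear unless the URL scheme is ldaps.
    """
    parts = value.split()
    if len(parts) != 2:
        raise ValueError("expected '<ldap-url> <comma-separated options>'")
    u = urlparse(parts[0])
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported URL scheme: {u.scheme!r}")
    nums = [int(x) for x in parts[1].split(",")]
    if len(nums) < len(OPTION_NAMES):
        raise ValueError("too few numeric options after the URL")
    return PtaServer(
        scheme=u.scheme,
        host=u.hostname,
        port=u.port or (636 if u.scheme == "ldaps" else 389),
        suffix=u.path.lstrip("/"),
        options=dict(zip(OPTION_NAMES, nums)),
        starttls=len(nums) > 5 and nums[5] == 1,
    )

LINE_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>\d+) (?P<kind>[A-Z]+)")

def audit_bind_transport(lines):
    """Classify the first BIND on each connection as 'starttls' or 'cleartext'.

    A BIND counts as 'starttls' only if the same connection logged an EXT with
    the StartTLS OID and then RESULT err=0 for that op before the BIND.
    """
    pending = {}        # conn -> op number of an unanswered StartTLS request
    tls_ready = set()   # connections whose StartTLS succeeded
    verdict = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        op = OP_RE.match(rest)
        if not op:
            continue  # "fd=64 slot=64 connection from ..." or the cipher line
        opnum, kind = op.group("op"), op.group("kind")
        if kind == "EXT" and f'oid="{STARTTLS_OID}"' in rest:
            pending[conn] = opnum
        elif kind == "RESULT" and pending.get(conn) == opnum:
            if re.search(r"\berr=0\b", rest):
                tls_ready.add(conn)
            pending.pop(conn, None)
        elif kind == "BIND" and conn not in verdict:
            verdict[conn] = "starttls" if conn in tls_ready else "cleartext"
    return verdict

def pta_binds_in_clear(pluginarg: str, lines) -> bool:
    """True when the config asks for TLS but the target's log shows a cleartext BIND."""
    if parse_pluginarg(pluginarg).secure == 0:
        return False
    return "cleartext" in audit_bind_transport(lines).values()

# Access-log excerpts copied from this report: conn=1 from the broken build
# (description), conn=53 from the verification run on 389-ds-base-1.3.8.4-9.el7.
BROKEN_LOG = [
    '[23/May/2018:10:07:20.883924603 -0400] conn=1 fd=64 slot=64 connection from 10.10.178.222 to 10.10.178.222',
    '[23/May/2018:10:07:20.884685945 -0400] conn=1 op=0 BIND dn="uid=omc,ou=people,dc=parente,dc=local" method=128 version=3',
    '[23/May/2018:10:07:20.886823710 -0400] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0002572394 dn="uid=omc,ou=people,dc=parente,dc=local"',
]
FIXED_LOG = [
    '[07/Aug/2018:19:12:40.815180192 +051800] conn=53 fd=64 slot=64 connection from 10.19.34.94 to 10.65.206.155',
    '[07/Aug/2018:19:12:40.815427962 +051800] conn=53 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"',
    '[07/Aug/2018:19:12:40.815608583 +051800] conn=53 op=0 RESULT err=0 tag=120 nentries=0 etime=0.0000319538',
    '[07/Aug/2018:19:12:41.335641674 +051800] conn=53 TLS1.2 256-bit AES-GCM',
    '[07/Aug/2018:19:12:42.169458011 +051800] conn=53 op=1 BIND dn="uid=adam,ou=people,dc=example,dc=com" method=128 version=3',
    '[07/Aug/2018:19:12:42.170164748 +051800] conn=53 op=1 RESULT err=0 tag=97 nentries=0 etime=1.0101292500 dn="uid=adam,ou=people,dc=example,dc=com"',
]
```

Calling `pta_binds_in_clear(arg, BROKEN_LOG)` with the description's pluginarg returns True (the config asked for secure level 2 but the target saw a plain BIND), while the verification log returns False. The check only trusts a BIND when the StartTLS EXT on the same connection got RESULT err=0 before it, so a rejected StartTLS followed by a BIND is still reported as cleartext.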

Comment 15 errata-xmlrpc 2018-10-30 10:13:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3127