Bug 1635138

Summary: passthrough plugin configured to do starttls does not work. [rhel-7.5.z]
Product: Red Hat Enterprise Linux 7 Reporter: Oneata Mircea Teodor <toneata>
Component: 389-ds-baseAssignee: mreynolds
Status: CLOSED ERRATA QA Contact: RHDS QE <ds-qe-bugs>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 7.7-AltCC: aadhikar, arajendr, gparente, lkrispen, lmanasko, mcorr, mhonek, mreynolds, msauton, nkinder, pasik, rmeggins, spichugi, tbordaz, vashirov
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.7.5-29.el7_5 Doc Type: Bug Fix
Doc Text:
The Directory Server *Pass-through* plug-in now supports encrypted connections using the *STARTTLS* command Previously, the *Pass-through* plug-in in Directory Server did not support encrypted connections if the encryption was started using the *STARTTLS* command. The problem has been fixed, and the *Pass-through* plug-in now supports connections that use the *STARTTLS* command.
 Story Points: ---
Clone Of: 1581737 Environment:
Last Closed: 2018-11-06 15:33:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1581737    
Bug Blocks:    

Description Oneata Mircea Teodor 2018-10-02 08:16:05 UTC 
This bug has been copied from bug #1581737 and has been proposed to be backported to 7.5 z-stream (EUS).
Comment 3 Akshay Adhikari 2018-10-23 07:31:51 UTC 
Build Tested: 389-ds-base-1.3.7.5-29.el7_5.x86_64
 
Note: Target server is the machine on which SSL is configured and source server is the one on which passthrough plugin is configured.
 
1) Configure passthrough plugin to do starttls:
   dn: cn=Pass Through Authentication,cn=plugins,cn=config
   changetype: modify
   replace: nsslapd-pluginarg0
   nsslapd-pluginarg0:  ldap://<hostname>:<ldap_port>/dc=example,dc=com 3,5,300,3,300,1
 
2) Set nsslapd-pluginEnabled to ON.
 
3) Restart the source server.
 
4) Add a user under the suffix "dc=example,dc=com".
 
5) Add the CA certificate from Target machine to the source.
 
6) Restart the source server.
 
Results:
(Acess log of Target Machine)

[22/Oct/2018:03:32:25.508282338 -0400] conn=5 op=4 fd=64 closed - U1
[22/Oct/2018:03:32:43.939109431 -0400] conn=7 fd=64 slot=64 connection from 172.16.36.10 to 172.16.36.13
[22/Oct/2018:03:32:43.939223971 -0400] conn=7 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[22/Oct/2018:03:32:43.939276016 -0400] conn=7 op=0 RESULT err=0 tag=120 nentries=0 etime=0.0000123548
[22/Oct/2018:03:32:43.944077230 -0400] conn=7 TLS1.2 112-bit 3DES
[22/Oct/2018:03:32:43.944640683 -0400] conn=7 op=1 BIND dn="uid=adam1,ou=people,dc=example,dc=com" method=128 version=3
[22/Oct/2018:03:32:43.945132736 -0400] conn=7 op=1 RESULT err=0 tag=97 nentries=0 etime=0.0005372307 dn="uid=adam1,ou=people,dc=example,dc=com"
Comment 5 errata-xmlrpc 2018-11-06 15:33:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3507