Bug 287381
| Summary: | rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Alain RICHARD <alain.richard> |
| Component: | freeradius | Assignee: | John Dennis <jdennis> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 5.0 | CC: | ddumas, dpal, mmarcini, syeghiay, tao |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2008-10-15 15:12:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Alain RICHARD
2007-09-12 09:11:59 UTC
transferred from Thomas Woerner to John Dennis, requested by Steve Grubb.

For some reason the freeradius-1.1.3-ldap.patch in our srpm incorrectly changed ldap_int_tls_config() to ldap_set_option(); this reverts the incorrect patch so that we're calling ldap_int_tls_config() like we should be. Should appear in freeradius-1.1.3-1.4.

Here is some follow-up information relevant to this issue I just learned. The behaviour of openldap changed around the openldap version 2.1 time frame with respect to this option. It might have previously been settable with ldap_set_option(), but it is no longer. From conversations it seems as if openldap decided this should be a library configurable option set via the ldap configuration file (see man ldap.conf(5)) and it shouldn't be a per application option. The fact it's now only settable via ldap_int_tls_config() is the clue: ldap_int*() functions are library "internal" functions (hence the "int" in the name). It's not meant to be called by applications even though its symbol is visible in the library. Thus when freeradius called ldap_set_option() to change the value of LDAP_OPT_X_TLS_REQUIRE_CERT the library correctly responded it could not be set. The fundamental problem is that rlm_ldap should not be exposing this configuration option because it shouldn't be changing it. But we're between a rock and a hard place on this one. rlm_ldap does in fact expose this, even if it shouldn't, and we can link against the entry point to set it (even if we shouldn't be able to), so it seems like the path of least problems is to allow rlm_ldap to set the option using a back door. Maybe in the current ldap source we can get the option removed from rlm_ldap ...

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below.
You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0845.html