Bug 633803

Summary: passwordisglobalpolicy attribute breaks TLS chaining
Product: [Retired] 389
Component: Server - Plugins
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: low
Version: 1.2.6
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 733434
Last Closed: 2015-12-10 18:38:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 690318, 708096, 733434

Reporter: Jacek N <jacek.nykis>
Assignee: Rich Megginson <rmeggins>
QA Contact: Ben Levenson <benl>
Docs Contact:
CC: edewata, nhosoi, nkinder, rmeggins
Environment:

Attachments:
0001-Bug-633803-passwordisglobalpolicy-attribute-brakes-T.patch (Flags: nkinder: review+)

Description Jacek N 2010-09-14 12:58:44 UTC
Description of problem:
Setting passwordisglobalpolicy attribute to "on" on slave breaks TLS chaining to master server.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Set up the environment this way:
Client -----> Slave -----> Master
* secure binds enforced on slave and master
* client has no direct access to master
* slave is set to chain updates to master on port 389 with nsusestarttls attribute set to on
* set passwordisglobalpolicy attribute to on

2. Run search on client:
ldapsearch -x -ZZ -h <slave> -D "xxxxx" -y passwordfile -b xxxxxx
ldap_bind: Confidentiality required (13)
        additional info: Operation requires a secure connection

Actual results:
1. Error message on client:
ldap_bind: Confidentiality required (13)
        additional info: Operation requires a secure connection

2. In logs on Master server:
[14/Sep/2010:12:30:14 +0000] conn=102 op=17 BIND dn="xxxxx" method=128 version=3
[14/Sep/2010:12:30:14 +0000] conn=102 op=17 RESULT err=13 tag=97 nentries=0 etime=0

Expected results:
Search should be working fine regardless of passwordisglobalpolicy value.

Additional info:
Mailing-list thread: http://www.spinics.net/lists/fedora-directory/msg12044.html

We know about 3 workarounds so far:
1. Disable secure binds on master (http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/configuring-special-binds.html#requiring-secure-binds)
2. Set nsusestarttls to off and replace "ldap" with "ldaps" in nsfarmserverurl attribute
3. Set passwordisglobalpolicy to off

Comment 3 Rich Megginson 2011-08-22 19:30:43 UTC
Created attachment 519337

Comment 4 Rich Megginson 2011-08-22 20:04:17 UTC
To ssh://git.fedorahosted.org/git/389/ds.git
   116f683..e1c9a73  master -> master
commit e1c9a73a8ec2a86c5a2f6c7e3b4cb39046475666
Author: Rich Megginson <rmeggins@redhat.com>
Date:   Mon Aug 22 13:18:53 2011 -0600
    Reviewed by: nkinder (Thanks!)
    Branch: master
    Fix Description: If not binding in cb_get_connection, we need to explicitly
    do the start_tls.  The start_tls and mechanism settings were not being
    applied to the bind_pool connections.
    I tried setting passwordIsGlobalPolicy on and off.  That did not seem to make
    a difference.  I believe the problem is caused by the
    nsslapd-require-secure-binds attribute set to "on".
    Platforms tested: RHEL6 x86_64
    Flag Day: no
    Doc impact: no
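An added example, not code from the bug or from 389-ds: a small Python checker that scans a master's access log for the symptom the report quotes (a simple bind answered with err=13, Confidentiality required) and groups the refusals by client address, so a chaining slave whose bind-pool connections never ran start_tls, as the fix description explains, stands out. The log lines are constructed samples modelled on the two lines in the report; the format of the "connection from" line is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in 389-ds access-log format, modelled on the two lines quoted in
# the bug report; the "connection from" line is an assumption about the log format.
SAMPLE_ACCESS_LOG = """\
[14/Sep/2010:12:30:10 +0000] conn=102 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[14/Sep/2010:12:30:14 +0000] conn=102 op=17 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128 version=3
[14/Sep/2010:12:30:14 +0000] conn=102 op=17 RESULT err=13 tag=97 nentries=0 etime=0
[14/Sep/2010:12:30:15 +0000] conn=103 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.1
[14/Sep/2010:12:30:15 +0000] conn=103 op=1 BIND dn="uid=asmith,ou=people,dc=example,dc=com" method=128 version=3
[14/Sep/2010:12:30:15 +0000] conn=103 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[14/Sep/2010:12:30:16 +0000] conn=102 op=18 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128 version=3
[14/Sep/2010:12:30:16 +0000] conn=102 op=18 RESULT err=13 tag=97 nentries=0 etime=0
"""

CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to ")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")

LDAP_CONFIDENTIALITY_REQUIRED = 13  # the err= value the master returned in the bug
SIMPLE_BIND = "128"                 # method=128: bind DN and password sent in clear

def find_refused_simple_binds(log_text):
    """Return (peer address, bind DN) for every simple bind answered with err=13.
    That result means the password reached the server on a connection that had not
    negotiated TLS; with nsslapd-require-secure-binds on, the master rejects it."""
    peer_of = {}   # conn id -> client address
    pending = {}   # (conn id, op id) -> bind DN awaiting its RESULT line
    hits = []
    for line in log_text.splitlines():
        if m := CONN_RE.search(line):
            peer_of[m.group(1)] = m.group(2)
        elif (m := BIND_RE.search(line)) and m.group(4) == SIMPLE_BIND:
            pending[(m.group(1), m.group(2))] = m.group(3)
        elif m := RESULT_RE.search(line):
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is not None and int(m.group(3)) == LDAP_CONFIDENTIALITY_REQUIRED:
                hits.append((peer_of.get(m.group(1), "unknown"), dn))
    return hits

def refusals_by_peer(log_text):
    """Count err=13 bind refusals per client address; a chaining slave whose bind
    pool skipped start_tls shows up as one address with many refusals."""
    counts = defaultdict(int)
    for peer, _dn in find_refused_simple_binds(log_text):
        counts[peer] += 1
    return dict(counts)
```

Run it against a real master's access log to confirm that refusals stop once the slave chains over TLS (or the ldaps: URL workaround is applied).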