Bug 693471

Summary: openldap-clients do not work correctly with -Z option
Product: Red Hat Enterprise Linux 5
Reporter: Ondrej Moriš <omoris>
Component: openldap
Assignee: Jan Vcelak <jvcelak>
Status: CLOSED DEFERRED
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: medium
Version: 5.6
CC: jplans, jvcelak, tsmetana
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 693470
Environment:
Last Closed: 2011-08-17 13:35:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ondrej Moriš 2011-04-04 18:55:49 UTC
+++ This bug was initially created as a clone of Bug #693470 +++

Description of problem:

When using openldap-clients (e.g. ldapsearch) with the -Z option and start_tls fails (due to, for instance, an invalid TLS_CACERT), the communication does not proceed and they fail with a non-zero exit status.

According to the documentation, the -Z option means that TLS will be preferred for communication, but not required. In other words, if for some reason TLS cannot be negotiated, then the client will try to continue with unsecured communication.

Version-Release number of selected component (if applicable):

openldap-2.3.43-12.el5_6.7

How reproducible:

Always.

Steps to Reproduce:

1. Setup server to use TLS.
2. LDAPTLS_CACERT=/ca/cert/does/not/exist ldapsearch -Z

Actual results:

ldap_start_tls: Connect error (-11)
	additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_result: Can't contact LDAP server (-1)
	additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Expected results:

Success.

Additional info:

* see RHTS test for more details (configuration, etc.)

Comment 2 Jan Vcelak 2011-08-17 13:35:05 UTC
See bug #693470 and #644119. It was discussed with upstream.

If something is configured wrong, it's quite clear that it will not work and the behavior is undefined. Upstream does not want to put any particular effort into this. It might be resolved later in RHEL-6, but not in RHEL-5.

That is the reason why I'm closing this bug as DEFERRED.