1542645 – Outgoing secure connection is failing with recent OpenLDAP

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1542645 - Outgoing secure connection is failing with recent OpenLDAP

Summary: Outgoing secure connection is failing with recent OpenLDAP

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	389-ds-base
Sub Component:
Version:	7.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	mreynolds
QA Contact:	Viktor Ashirov
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-02-06 17:49 UTC by thierry bordaz
Modified:	2020-09-13 22:07 UTC (History)
CC List:	4 users (show)
Fixed In Version:	389-ds-base-1.3.7.5-16
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-10 14:25:12 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	389ds 389-ds-base issues 2619	0	None	closed	nsslapd-extract-pemfiles should be enabled by default as openldap is moving to openssl	2021-02-03 10:45:30 UTC
Red Hat Product Errata	RHBA-2018:0811	0	None	None	None	2018-04-10 14:25:20 UTC

Description thierry bordaz 2018-02-06 17:49:33 UTC

Description of problem:
Due to a change in the OpenLDAP client libraries (switching from NSS to OpenSSL), the TLS options LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_KEYFILE, LDAP_OPT_X_TLS_CERTFILE, need to specify path to PEM files.

Those PEM files are extracted from the key/certs from the NSS db in /etc/dirsrv/slapd-xxx

Those files are extracted if the option (under 'cn=config') nsslapd-extract-pemfiles is set to 'on'.

The default value is 'off', that prevent secure outgoing connection.


Version-Release number of selected component (if applicable):
The bug exists in RHEL 7.5 with recent version of openldap


How reproducible:
Described in https://bugzilla.redhat.com/show_bug.cgi?id=1541108#c5
Note this is using startTLS.


Steps to Reproduce:
1.
2.
3.

Actual results:
ipa-replica-install may succeeds but later we can see those failure in error logs (for each outgoing failure)
ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)

If install fails, creating an ipa user on the replica also fails because DNA plugin can not connect to obtain a range


Expected results:

Should not fail


Additional info:

Comment 3 thierry bordaz 2018-02-07 10:18:19 UTC

Tests of internal build was successful. ipa-server-install succeeded.

At the end of the test case (after ipa-server-install) https://bugzilla.redhat.com/show_bug.cgi?id=1541108#c5, IPA does not work !
Adding a user, on the replica, fails because it can not lookup FQDN of the master. Adding the host/ip into /etc/hosts on the replica side fixes the issue and IPA is working fine (add a user on both Master, Replica).

IMHO the failure of IPA is likely because missing some options in the test case rather than DS failure to connect.


Next, will test the same testcase with the official build 389-ds-base-1.3.7.5-16

Comment 4 thierry bordaz 2018-02-07 12:34:42 UTC

Test with 389-ds-base-1.3.7.5-16 / ipa-server-4.5.4-9 was successful.
ipa-server-install (DL=0) + ipa-replica-install + basic ipa tests (user,group) succeeded.

Comment 5 Simon Pichugin 2018-02-23 12:12:02 UTC

[root@qeos-6 ds]# py.test -s -v dirsrvtests/tests/suites/replication/tls_client_auth_repl_test.py
======================= test session starts =======================
platform linux -- Python 3.6.3, pytest-3.4.1, py-1.5.2, pluggy-0.6.0 -- /opt/rh/rh-python36/root/usr/bin/python3
cachedir: .pytest_cache
metadata: {'Python': '3.6.3', 'Platform': 'Linux-3.10.0-855.el7.x86_64-x86_64-with-redhat-7.5-Maipo', 'Packages': {'pytest': '3.4.1', 'py': '1.5.2', 'pluggy': '0.6.0'}, 'Plugins': {'metadata': '1.6.0', 'html': '1.16.1'}}
389-ds-base: 1.3.7.5-18.el7
nss: 3.34.0-4.el7
nspr: 4.17.0-1.el7
openldap: 2.4.44-13.el7
svrcore: 4.1.3-2.el7

rootdir: /mnt/tests/rhds/tests/upstream/ds, inifile:
plugins: metadata-1.6.0, html-1.16.1
collected 1 item

dirsrvtests/tests/suites/replication/tls_client_auth_repl_test.py::test_extract_pemfiles
INFO:dirsrvtests.tests.suites.replication.tls_client_auth_repl_test:Default value of nsslapd-extract-pemfiles = on (should be 'on')
INFO:dirsrvtests.tests.suites.replication.tls_client_auth_repl_test:Set nsslapd-extract-pemfiles = 'off' and check replication works)
INFO:lib389.replica:SUCCESS: Replication from ldap://qeos-6.lab.eng.rdu2.redhat.com:39001 to ldap://qeos-6.lab.eng.rdu2.redhat.com:39002 is working
INFO:lib389.replica:SUCCESS: Replication from ldap://qeos-6.lab.eng.rdu2.redhat.com:39002 to ldap://qeos-6.lab.eng.rdu2.redhat.com:39001 is working
INFO:dirsrvtests.tests.suites.replication.tls_client_auth_repl_test:Set nsslapd-extract-pemfiles = 'on' and check replication works)
INFO:lib389.replica:SUCCESS: Replication from ldap://qeos-6.lab.eng.rdu2.redhat.com:39001 to ldap://qeos-6.lab.eng.rdu2.redhat.com:39002 is working
INFO:lib389.replica:SUCCESS: Replication from ldap://qeos-6.lab.eng.rdu2.redhat.com:39002 to ldap://qeos-6.lab.eng.rdu2.redhat.com:39001 is working
PASSED

======================= 1 passed in 33.50 seconds =======================

Marking as verified.

Comment 8 errata-xmlrpc 2018-04-10 14:25:12 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0811

Note You need to log in before you can comment on or make changes to this bug.