Bug 1635138 - passthrough plugin configured to do starttls does not work. [rhel-7.5.z]
Summary: passthrough plugin configured to do starttls does not work. [rhel-7.5.z]
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.7-Alt
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: mreynolds
QA Contact: RHDS QE
Depends On: 1581737
Reported: 2018-10-02 08:16 UTC by Oneata Mircea Teodor
Modified: 2018-11-06 15:34 UTC

Fixed In Version: 389-ds-base-
Doc Type: Bug Fix
Doc Text:
The Directory Server *Pass-through* plug-in now supports encrypted connections using the *STARTTLS* command. Previously, the *Pass-through* plug-in in Directory Server did not support encrypted connections if the encryption was started using the *STARTTLS* command. The problem has been fixed, and the *Pass-through* plug-in now supports connections that use the *STARTTLS* command.
Clone Of: 1581737
Last Closed: 2018-11-06 15:33:49 UTC


Linked advisory: Red Hat Product Errata RHSA-2018:3507 (last updated 2018-11-06 15:34:04 UTC)

Description Oneata Mircea Teodor 2018-10-02 08:16:05 UTC
This bug has been copied from bug #1581737 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 3 Akshay Adhikari 2018-10-23 07:31:51 UTC
Build Tested: 389-ds-base-
Note: The target server is the machine on which SSL is configured, and the source server is the one on which the passthrough plugin is configured.
1) Configure passthrough plugin to do starttls:
   dn: cn=Pass Through Authentication,cn=plugins,cn=config
   changetype: modify
   replace: nsslapd-pluginarg0
   nsslapd-pluginarg0:  ldap://<hostname>:<ldap_port>/dc=example,dc=com 3,5,300,3,300,1
2) Set nsslapd-pluginEnabled to ON.
3) Restart the source server.
4) Add a user under the suffix "dc=example,dc=com".
5) Add the CA certificate from Target machine to the source.
6) Restart the source server.
(Access log of Target Machine)

[22/Oct/2018:03:32:25.508282338 -0400] conn=5 op=4 fd=64 closed - U1
[22/Oct/2018:03:32:43.939109431 -0400] conn=7 fd=64 slot=64 connection from to
[22/Oct/2018:03:32:43.939223971 -0400] conn=7 op=0 EXT oid="" name="start_tls_plugin"
[22/Oct/2018:03:32:43.939276016 -0400] conn=7 op=0 RESULT err=0 tag=120 nentries=0 etime=0.0000123548
[22/Oct/2018:03:32:43.944077230 -0400] conn=7 TLS1.2 112-bit 3DES
[22/Oct/2018:03:32:43.944640683 -0400] conn=7 op=1 BIND dn="uid=adam1,ou=people,dc=example,dc=com" method=128 version=3
[22/Oct/2018:03:32:43.945132736 -0400] conn=7 op=1 RESULT err=0 tag=97 nentries=0 etime=0.0005372307 dn="uid=adam1,ou=people,dc=example,dc=com"
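
The verification in Comment 3 has two halves: the plug-in argument on the source must actually request STARTTLS, and the target's access log must show the BIND arriving only after TLS is up. The script below is an added example, not code from the bug report or from 389-ds-base, that automates both checks. Assumptions not taken from the page: the `nsslapd-pluginarg0` field order `maxconns,maxops,timeout,ldver,connlifetime,starttls` is inferred from the value Comment 3 uses, the `SAMPLE_LOG` lines are constructed (the real log above has the peer addresses and the extended-operation OID blanked), and the `conn=N SSL ...` line form for LDAPS connections is assumed to mirror the `conn=N TLS1.2 ...` line the log shows.

```python
# Added example (not from the bug report or 389-ds-base): check that a PTA
# target is reached over an encrypted hop, and audit the target's access log
# for simple binds that happened before TLS was negotiated.
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class PtaTarget:
    url: str
    maxconns: int
    maxops: int
    timeout: int
    ldap_version: int
    conn_lifetime: int
    starttls: bool


def parse_pluginarg(value: str) -> PtaTarget:
    """Parse 'ldap://host:port/suffix maxconns,maxops,timeout,ldver,lifetime[,starttls]'.

    Field order is an assumption taken from the value used in Comment 3.
    """
    url, _, opts = value.strip().partition(" ")
    nums = [int(x) for x in opts.split(",")] if opts else []
    if len(nums) < 5:
        raise ValueError(f"expected at least 5 numeric options, got: {opts!r}")
    starttls = bool(nums[5]) if len(nums) > 5 else False  # optional flag, off by default
    return PtaTarget(url, *nums[:5], starttls=starttls)


def transport_is_encrypted(target: PtaTarget) -> bool:
    """True if forwarded credentials never travel in clear text to this target."""
    scheme = urlparse(target.url).scheme.lower()
    return scheme == "ldaps" or (scheme == "ldap" and target.starttls)


# Access log lines look like "[timestamp] conn=N <rest>".
_LINE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$")
_TLS_UP = re.compile(r"^(?:TLS\S*|SSL) \d+-bit ")  # e.g. "TLS1.2 112-bit 3DES"; SSL form assumed
_BIND = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')


def audit_binds(lines):
    """Return (conn, op, dn, tls_was_up) for every simple BIND seen in the log."""
    tls_up = set()
    findings = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        if _TLS_UP.match(rest):
            tls_up.add(conn)
        elif " closed" in rest:
            tls_up.discard(conn)  # conn ids are reused once the connection closes
            continue
        b = _BIND.match(rest)
        if b and b.group("method") == "128":  # method=128 is a simple (password) bind
            findings.append((conn, b.group("op"), b.group("dn"), conn in tls_up))
    return findings


def plaintext_binds(lines):
    """Only the findings that matter: simple binds not protected by TLS."""
    return [f for f in audit_binds(lines) if not f[3]]


# Constructed sample log (not the one from the bug): conn=7 does STARTTLS and then
# binds; conn=8 binds immediately on the unencrypted port.
SAMPLE_LOG = """\
[22/Oct/2018:03:32:43.939109431 -0400] conn=7 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.20
[22/Oct/2018:03:32:43.939223971 -0400] conn=7 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[22/Oct/2018:03:32:43.939276016 -0400] conn=7 op=0 RESULT err=0 tag=120 nentries=0 etime=0.0000123548
[22/Oct/2018:03:32:43.944077230 -0400] conn=7 TLS1.2 112-bit 3DES
[22/Oct/2018:03:32:43.944640683 -0400] conn=7 op=1 BIND dn="uid=adam1,ou=people,dc=example,dc=com" method=128 version=3
[22/Oct/2018:03:32:43.945132736 -0400] conn=7 op=1 RESULT err=0 tag=97 nentries=0 etime=0.0005372307 dn="uid=adam1,ou=people,dc=example,dc=com"
[22/Oct/2018:03:33:01.000000000 -0400] conn=8 fd=65 slot=65 connection from 192.0.2.10 to 192.0.2.20
[22/Oct/2018:03:33:01.000100000 -0400] conn=8 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128 version=3
[22/Oct/2018:03:33:01.000200000 -0400] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0001000000
[22/Oct/2018:03:33:02.000000000 -0400] conn=7 op=2 UNBIND
[22/Oct/2018:03:33:02.000100000 -0400] conn=7 op=2 fd=64 closed - U1
"""

if __name__ == "__main__":
    target = parse_pluginarg("ldap://ldap.example.com:389/dc=example,dc=com 3,5,300,3,300,1")
    print("PTA hop encrypted:", transport_is_encrypted(target))
    for conn, op, dn, _ in plaintext_binds(SAMPLE_LOG.splitlines()):
        print(f"WARNING conn={conn} op={op} simple bind for {dn} without TLS")
```

Run it against the target's real access log (`plaintext_binds(open(path))`) after step 6: with the fix applied and the sixth argument set to 1, every pass-through bind should report `tls_was_up=True`; any `False` hit means the user's password crossed the source-to-target hop in clear text. The cipher line the log exposes is worth reading too: the 112-bit 3DES suite negotiated in the comment's log is one a practitioner would normally restrict on the target's encryption settings.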

Comment 5 errata-xmlrpc 2018-11-06 15:33:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
