Bug 1635138 - passthrough plugin configured to do starttls does not work. [rhel-7.5.z]
Summary: passthrough plugin configured to do starttls does not work. [rhel-7.5.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.7-Alt
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: mreynolds
QA Contact: RHDS QE
URL:
Whiteboard:
Depends On: 1581737
Blocks:
Reported: 2018-10-02 08:16 UTC by Oneata Mircea Teodor
Modified: 2018-11-06 15:34 UTC (History)

Fixed In Version: 389-ds-base-1.3.7.5-29.el7_5
Doc Type: Bug Fix
Doc Text:
The Directory Server *Pass-through* plug-in now supports encrypted connections using the *STARTTLS* command. Previously, the *Pass-through* plug-in in Directory Server did not support encrypted connections if the encryption was started using the *STARTTLS* command. The problem has been fixed, and the *Pass-through* plug-in now supports connections that use the *STARTTLS* command.
Clone Of: 1581737
Environment:
Last Closed: 2018-11-06 15:33:49 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3507 None None None 2018-11-06 15:34:04 UTC

Description Oneata Mircea Teodor 2018-10-02 08:16:05 UTC
This bug has been copied from bug #1581737 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 3 Akshay Adhikari 2018-10-23 07:31:51 UTC
Build Tested: 389-ds-base-1.3.7.5-29.el7_5.x86_64
 
Note: Target server is the machine on which SSL is configured and source server is the one on which passthrough plugin is configured.
 
1) Configure passthrough plugin to do starttls:
   # Plugin argument format: ldap://host:port/suffix maxconns,maxops,timeout,ldap_version,connlifetime,starttls
   # The trailing "1" is the starttls flag; the URL stays ldap:// (not ldaps://) because TLS is negotiated on the plain port.
   dn: cn=Pass Through Authentication,cn=plugins,cn=config
   changetype: modify
   replace: nsslapd-pluginarg0
   nsslapd-pluginarg0: ldap://<hostname>:<ldap_port>/dc=example,dc=com 3,5,300,3,300,1
 
2) Set nsslapd-pluginEnabled to ON.
 
3) Restart the source server.
 
4) Add a user under the suffix "dc=example,dc=com".
 
5) Add the CA certificate from Target machine to the source.
 
6) Restart the source server.
 
Results:
(Access log of Target Machine)

[22/Oct/2018:03:32:25.508282338 -0400] conn=5 op=4 fd=64 closed - U1
[22/Oct/2018:03:32:43.939109431 -0400] conn=7 fd=64 slot=64 connection from 172.16.36.10 to 172.16.36.13
[22/Oct/2018:03:32:43.939223971 -0400] conn=7 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[22/Oct/2018:03:32:43.939276016 -0400] conn=7 op=0 RESULT err=0 tag=120 nentries=0 etime=0.0000123548
[22/Oct/2018:03:32:43.944077230 -0400] conn=7 TLS1.2 112-bit 3DES
[22/Oct/2018:03:32:43.944640683 -0400] conn=7 op=1 BIND dn="uid=adam1,ou=people,dc=example,dc=com" method=128 version=3
[22/Oct/2018:03:32:43.945132736 -0400] conn=7 op=1 RESULT err=0 tag=97 nentries=0 etime=0.0005372307 dn="uid=adam1,ou=people,dc=example,dc=com"

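The access log quoted in Comment 3 is the evidence that the fix works: on conn=7 the source server sends the START TLS extended operation (OID 1.3.6.1.4.1.1466.20037), the target answers err=0, a cipher line is logged, and only then does the simple BIND (method=128, which carries the password in the clear unless TLS is up) arrive. The following script is an added example, not part of the bug report or of 389-ds-base; it automates that check over a 389-ds access log so that a plaintext pass-through bind shows up as a finding. The function and variable names are my own, the regexes match the log format shown above, and the sample log reuses the lines from Comment 3 plus a constructed conn=9 that binds without STARTTLS to demonstrate the failure case.

```python
import re

# Constructed sample: the conn=5/conn=7 lines are copied from Comment 3; conn=9 is an
# invented plaintext bind added to show what the check is meant to catch.
SAMPLE_LOG = """\
[22/Oct/2018:03:32:25.508282338 -0400] conn=5 op=4 fd=64 closed - U1
[22/Oct/2018:03:32:43.939109431 -0400] conn=7 fd=64 slot=64 connection from 172.16.36.10 to 172.16.36.13
[22/Oct/2018:03:32:43.939223971 -0400] conn=7 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[22/Oct/2018:03:32:43.939276016 -0400] conn=7 op=0 RESULT err=0 tag=120 nentries=0 etime=0.0000123548
[22/Oct/2018:03:32:43.944077230 -0400] conn=7 TLS1.2 112-bit 3DES
[22/Oct/2018:03:32:43.944640683 -0400] conn=7 op=1 BIND dn="uid=adam1,ou=people,dc=example,dc=com" method=128 version=3
[22/Oct/2018:03:32:43.945132736 -0400] conn=7 op=1 RESULT err=0 tag=97 nentries=0 etime=0.0005372307 dn="uid=adam1,ou=people,dc=example,dc=com"
[22/Oct/2018:03:33:01.000000000 -0400] conn=9 fd=65 slot=65 connection from 172.16.36.10 to 172.16.36.13
[22/Oct/2018:03:33:01.000500000 -0400] conn=9 op=0 BIND dn="uid=adam1,ou=people,dc=example,dc=com" method=128 version=3
[22/Oct/2018:03:33:01.001000000 -0400] conn=9 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0004000000 dn="uid=adam1,ou=people,dc=example,dc=com"
"""

START_TLS_OID = "1.3.6.1.4.1.1466.20037"   # LDAP Start TLS extended operation
SIMPLE_BIND = 128                           # method=128 in the access log is a simple bind

CONN_RE = re.compile(r"\] conn=(\d+) (.*)$")
FROM_RE = re.compile(r"connection from (\S+) to (\S+)")
EXT_RE = re.compile(r'op=(\d+) EXT oid="([^"]+)"')
RESULT_RE = re.compile(r"op=(\d+) RESULT err=(\d+)")
TLS_RE = re.compile(r"^TLS\S*\s")          # e.g. "TLS1.2 112-bit 3DES": cipher negotiated
BIND_RE = re.compile(r'op=\d+ BIND dn="([^"]*)" method=(\d+)')


def audit_binds(log_text, source_ip=None):
    """Return one finding per BIND, recording whether the connection had
    requested STARTTLS, had it accepted, and had a cipher negotiated before
    the bind.  With source_ip set, only connections from that peer (the
    server running the pass-through plugin) are reported."""
    conns = {}      # conn id -> per-connection state
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.group(1), m.group(2)
        st = conns.setdefault(conn, {"peer": None, "starttls_op": None,
                                     "starttls_ok": False, "tls": False})
        if (f := FROM_RE.search(rest)):
            st["peer"] = f.group(1)
        elif (e := EXT_RE.search(rest)) and e.group(2) == START_TLS_OID:
            st["starttls_op"] = e.group(1)
        elif (r := RESULT_RE.search(rest)) and r.group(1) == st["starttls_op"]:
            st["starttls_ok"] = r.group(2) == "0"
        elif TLS_RE.match(rest):
            st["tls"] = True                # cipher line: TLS is actually up
        elif (b := BIND_RE.search(rest)):
            if source_ip is not None and st["peer"] != source_ip:
                continue
            findings.append({
                "conn": conn,
                "peer": st["peer"],
                "dn": b.group(1),
                "method": int(b.group(2)),
                "starttls_requested": st["starttls_op"] is not None,
                "starttls_accepted": st["starttls_ok"],
                "encrypted": st["tls"],
            })
    return findings


def plaintext_simple_binds(findings):
    """Simple binds that reached the server without TLS: the case this bug produced."""
    return [f for f in findings if f["method"] == SIMPLE_BIND and not f["encrypted"]]


if __name__ == "__main__":
    results = audit_binds(SAMPLE_LOG, source_ip="172.16.36.10")
    for f in results:
        state = "TLS" if f["encrypted"] else "PLAINTEXT"
        print(f"conn={f['conn']} {state} bind as {f['dn']} from {f['peer']}")
    bad = plaintext_simple_binds(results)
    print(f"{len(bad)} plaintext simple bind(s) from the pass-through server")
```

Run it against the target server's access log (the one in Comment 3 is the target side) with source_ip set to the address of the server that has the plugin configured; an empty result from plaintext_simple_binds after the fix, and a non-empty one on the unfixed build, is the regression check. The TLS cipher line is used as the ground truth rather than the EXT/RESULT pair, because a STARTTLS request that was accepted but whose handshake never completed would otherwise be counted as encrypted.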
Comment 5 errata-xmlrpc 2018-11-06 15:33:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3507

