Description of problem:
nsslapd-minssf appears to enforce its encryption requirements on ldapi even though it's a unix socket.

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. Enable nsslapd-minssf with a value greater than 0.
2. ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd-ID.socket -D "cn=Directory Manager" -w password -b "cn=config" "(objectclass=*)"

Actual results:
ldap_bind: Server is unwilling to perform (53)
additional info: Minimum SSF not met.

Expected results:
expected ldap return for cn=config

Additional info:
How critical is this? Are there any workarounds?
Created attachment 476468: Patch
Comment on attachment 476468 (Patch)
https://bugzilla.redhat.com/attachment.cgi?id=476468&action=diff#a/ldap/servers/slapd/slap.h_sec1

I think you mean "are secure" not "are not secure".

Otherwise, looks good.
(In reply to comment #3)
> Comment on attachment 476468 (Patch)
> https://bugzilla.redhat.com/attachment.cgi?id=476468&action=diff#a/ldap/servers/slapd/slap.h_sec1
>
> I think you mean "are secure" not "are not secure"
>
> Otherwise, looks good.

Good catch. I initially made the default localssf "0", so the comment fit. I missed updating the comment when the default was changed to 71. I'll update the comment and provide a new patch.
Created attachment 476469: Revised Patch

This is the same as the previous patch aside from updating the incorrect comment that Rich pointed out.
Pushed to master. Thanks to Rich and Noriko for their reviews!

Counting objects: 41, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (20/20), done.
Writing objects: 100% (21/21), 2.64 KiB, done.
Total 21 (delta 18), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   3c2d82e..b5bee52  master -> master
Can you please add steps to verify? Thanks!
(In reply to comment #7)
> Can you please add steps to verify? Thanks!

1) set up the directory server to use ldapi
2) if not already set, set the cn=config nsslapd-localssf to 71
3) set the cn=config nsslapd-minssf to 72
4) restart the directory server
5) try an ldapsearch on the ldapi socket - you should get back an UNWILLING_TO_PERFORM (53) error
6) change cn=config nsslapd-minssf to 70
7) restart the directory server
8) try an ldapsearch on the ldapi socket - it should succeed
1. nsslapd-ldapilisten: on
   nsslapd-ldapifilepath: /var/run/slapd-testvm.socket

2. nsslapd-localssf: 71
   nsslapd-minssf: 72

3. [root@testvm sasl]# ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd-testvm.socket -D "cn=Directory Manager" -w Secret123 -b "cn=config" "(objectclass=*)"
   ldap_bind: Server is unwilling to perform (53)
   additional info: Minimum SSF not met.

4. After changing the values as:
   nsslapd-localssf: 71
   nsslapd-minssf: 71
   It is working fine, thanks for the steps.

Marking as VERIFIED.
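The verification steps above boil down to one rule: a bind over the ldapi socket is granted the SSF in nsslapd-localssf (71 if unset, per the thread) and is refused with UNWILLING_TO_PERFORM when that value is below nsslapd-minssf. The following added example, which is not code from 389 DS or from anyone in this thread, is a small config lint that parses a constructed cn=config LDIF fragment and reports whether ldapi binds would hit "Minimum SSF not met" before the server is restarted.

```python
"""Lint a 389 DS cn=config entry for an ldapi SSF mismatch.

Hypothetical helper, not part of 389 DS. Input is a single LDIF entry
as text (for example, the cn=config entry copied out of dse.ldif).
"""

# Default nsslapd-localssf as stated in the bug thread when the attribute is unset.
DEFAULT_LOCALSSF = 71


def parse_ldif_entry(ldif_text):
    """Parse one LDIF entry into {lowercase attribute: [values]}.

    Handles LDIF line folding (continuation lines start with a space)
    and skips comment lines starting with '#'.
    """
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def ldapi_bind_check(config):
    """Return (ok, message) for a bind over the ldapi Unix socket.

    Mirrors the fixed behaviour: ldapi connections are assigned
    nsslapd-localssf and that value must be >= nsslapd-minssf.
    """
    ldapi_on = config.get("nsslapd-ldapilisten", ["off"])[0].lower() == "on"
    minssf = int(config.get("nsslapd-minssf", ["0"])[0])
    localssf = int(config.get("nsslapd-localssf", [str(DEFAULT_LOCALSSF)])[0])
    if not ldapi_on:
        return True, "nsslapd-ldapilisten is off; nothing to check for ldapi"
    if localssf < minssf:
        return False, ("ldapi binds will fail with UNWILLING_TO_PERFORM (53): "
                       "nsslapd-localssf %d < nsslapd-minssf %d" % (localssf, minssf))
    return True, "ldapi binds satisfy nsslapd-minssf (%d >= %d)" % (localssf, minssf)


# Constructed sample matching the failing configuration from the VERIFIED comment.
SAMPLE_CONFIG = """dn: cn=config
nsslapd-ldapilisten: on
nsslapd-ldapifilepath: /var/run/slapd-testvm.socket
nsslapd-localssf: 71
nsslapd-minssf: 72
"""

if __name__ == "__main__":
    print(ldapi_bind_check(parse_ldif_entry(SAMPLE_CONFIG))[1])
```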