Bug 670616 - nsslapd-minssf vs ldapi
Summary: nsslapd-minssf vs ldapi
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Security - General
Version: 1.2.7
Hardware: Unspecified
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Nathan Kinder
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 639035 389_1.2.8
 
Reported: 2011-01-18 20:21 UTC by Jr Aquino
Modified: 2015-12-07 16:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-07 16:30:54 UTC


Attachments
Patch (16.49 KB, patch)
2011-02-01 19:33 UTC, Nathan Kinder
rmeggins: review+
Revised Patch (16.49 KB, patch)
2011-02-01 19:55 UTC, Nathan Kinder
nhosoi: review+

Description Jr Aquino 2011-01-18 20:21:50 UTC
Description of problem:
nsslapd-minssf appears to enforce its encryption requirements on ldapi even though it's a Unix socket.

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. Enable nsslapd-minssf with a value greater than 0.
2. ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd-ID.socket -D "cn=Directory Manager" -w password -b "cn=config" "(objectclass=*)"

Actual results:
ldap_bind: Server is unwilling to perform (53)
	additional info: Minimum SSF not met.


Expected results:
expected ldap return for cn=config

Additional info:

Comment 1 Rich Megginson 2011-01-24 21:50:04 UTC
How critical is this?  Are there any workarounds?

Comment 2 Nathan Kinder 2011-02-01 19:33:35 UTC
Created attachment 476468 [details]
Patch

Comment 3 Rich Megginson 2011-02-01 19:48:23 UTC
Comment on attachment 476468 [details]
Patch

https://bugzilla.redhat.com/attachment.cgi?id=476468&action=diff#a/ldap/servers/slapd/slap.h_sec1

I think you mean "are secure" not "are not secure"

Otherwise, looks good.

Comment 4 Nathan Kinder 2011-02-01 19:53:27 UTC
(In reply to comment #3)
> Comment on attachment 476468 [details]
> Patch
> 
> https://bugzilla.redhat.com/attachment.cgi?id=476468&action=diff#a/ldap/servers/slapd/slap.h_sec1
> 
> I think you mean "are secure" not "are not secure"
> 
> Otherwise, looks good.

Good catch.  I initially made the default localssf "0", so the comment fit.  I missed updating the comment when the default was changed to 71.  I'll update the comment and provide a new patch.

Comment 5 Nathan Kinder 2011-02-01 19:55:08 UTC
Created attachment 476469 [details]
Revised Patch

This is the same as the previous patch aside from updating the incorrect comment that Rich pointed out.

Comment 6 Nathan Kinder 2011-02-01 20:38:01 UTC
Pushed to master.  Thanks to Rich and Noriko for their reviews!

Counting objects: 41, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (20/20), done.
Writing objects: 100% (21/21), 2.64 KiB, done.
Total 21 (delta 18), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   3c2d82e..b5bee52  master -> master

Comment 7 Jenny Severance 2011-05-16 17:31:04 UTC
Can you please add steps to verify? Thanks!

Comment 8 Rich Megginson 2011-05-16 17:38:14 UTC
(In reply to comment #7)
> Can you please add steps to verify? Thanks!

1) set up the directory server to use ldapi
2) if not already set, set the cn=config nsslapd-localssf to 71
3) set the cn=config nsslapd-minssf to 72
4) restart the directory server
5) try an ldapsearch on the ldapi socket - you should get back an UNWILLING_TO_PERFORM (53) error
6) change cn=config nsslapd-minssf to 70
7) restart the directory server
8) try an ldapsearch on the ldapi socket - it should succeed
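
The verification procedure from comment 8, as an added example (not part of the bug report and not 389-ds project code), scripted for POSIX sh. It assumes an instance named "testvm" (so the socket is /var/run/slapd-testvm.socket, as in comment 9, and dse.ldif is at /etc/dirsrv/slapd-testvm/dse.ldif), that the server is restarted with "systemctl restart dirsrv@testvm", that the Directory Manager password is supplied in DM_PW, and that GNU sed is available for the offline edit. The function ldapi_bind_result is a stand-alone model of the rule the fix introduced (an ldapi connection is credited with nsslapd-localssf as its SSF, and the bind succeeds only when that reaches nsslapd-minssf); the remaining functions run the actual steps against a live server and compare ldapsearch's exit status, which is the LDAP result code, against the model.

```shell
#!/bin/sh
# Added example, not code from the bug report or from 389-ds itself.
# Assumptions (not stated on the page): the instance is "testvm", so the
# socket and dse.ldif live at the paths below; the server is restarted
# with "systemctl restart dirsrv@testvm"; DM_PW holds the Directory
# Manager password; GNU sed is available for the offline edit.

INSTANCE="${INSTANCE:-testvm}"
SOCKET="${LDAPI_SOCKET:-/var/run/slapd-$INSTANCE.socket}"
DSE_LDIF="${DSE_LDIF:-/etc/dirsrv/slapd-$INSTANCE/dse.ldif}"
DM_PW="${DM_PW:-Secret123}"

# Turn a socket path into an ldapi:// URI ("/" must be percent-encoded).
ldapi_uri() {
    printf 'ldapi://%s\n' "$(printf '%s' "$1" | sed 's#/#%2f#g')"
}

# Pure model of the rule the fix introduced: a connection over the Unix
# socket is credited with nsslapd-localssf as its SSF, and a bind is
# accepted only when that value reaches nsslapd-minssf.  Prints the LDAP
# result code the client will see: 0 (success) or 53 (unwillingToPerform).
# Before the fix an ldapi connection was credited with SSF 0, so any
# nsslapd-minssf > 0 refused it, which is the behaviour reported above.
ldapi_bind_result() {
    localssf=$1
    minssf=$2
    if [ "$localssf" -ge "$minssf" ]; then
        echo 0
    else
        echo 53
    fi
}

# Search cn=config over ldapi and compare ldapsearch's exit status
# (the LDAP result code) with what the model predicts.
check_ldapi() {
    expected=$1
    ldapsearch -x -H "$(ldapi_uri "$SOCKET")" -D "cn=Directory Manager" \
        -w "$DM_PW" -b cn=config -s base '(objectclass=*)' >/dev/null 2>&1
    rc=$?
    if [ "$rc" -eq "$expected" ]; then
        echo "ldapi search returned $rc as expected"
    else
        echo "ldapi search returned $rc, expected $expected" >&2
        return 1
    fi
}

# Steps 1-5 of comment 8: the policy can still be changed over ldapi
# because nsslapd-minssf has not been raised yet; the restart makes it bite.
raise_minssf() {
    ldapmodify -x -H "$(ldapi_uri "$SOCKET")" -D "cn=Directory Manager" \
        -w "$DM_PW" <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-localssf
nsslapd-localssf: 71
-
replace: nsslapd-minssf
nsslapd-minssf: 72
EOF
    systemctl restart "dirsrv@$INSTANCE"
    check_ldapi "$(ldapi_bind_result 71 72)"
}

# Steps 6-8: ldapi is now refused, so the attribute is lowered with the
# server stopped by editing dse.ldif directly (assumed path, GNU sed -i).
lower_minssf() {
    systemctl stop "dirsrv@$INSTANCE"
    sed -i 's/^nsslapd-minssf: .*/nsslapd-minssf: 70/' "$DSE_LDIF"
    systemctl start "dirsrv@$INSTANCE"
    check_ldapi "$(ldapi_bind_result 71 70)"
}

# Only touch a real server when explicitly asked to.
if [ "${RUN_VERIFY:-0}" = 1 ]; then
    raise_minssf && lower_minssf
fi
```

Run it with RUN_VERIFY=1 DM_PW=... on the test machine. The reason step 6 is done offline is the point of the bug: once nsslapd-minssf exceeds nsslapd-localssf, the ldapi socket itself is refused, so an administrator who raises nsslapd-minssf above the default 71 must raise nsslapd-localssf alongside it or lose local-socket access and fall back to LDAPS or a dse.ldif edit.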

Comment 9 Amita Sharma 2011-05-30 11:52:22 UTC
1. nsslapd-ldapilisten: on
   nsslapd-ldapifilepath: /var/run/slapd-testvm.socket

2. nsslapd-localssf: 71
   nsslapd-minssf: 72

3. [root@testvm sasl]# ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd-testvm.socket -D "cn=Directory Manager" -w Secret123 -b "cn=config" "(objectclass=*)"
ldap_bind: Server is unwilling to perform (53)
	additional info: Minimum SSF not met.

4. After changing the values as:
nsslapd-localssf: 71
   nsslapd-minssf: 71

It is working fine, thanks for the steps.
Marking as VERIFIED.

