800787 – TLS connection to AD no longer works

Bug 800787 - TLS connection to AD no longer works

Summary: TLS connection to AD no longer works

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	openldap
Sub Component:
Version:	16
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Jan Vcelak
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-03-07 09:14 UTC by Martin Kosek
Modified:	2013-03-04 01:29 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2012-03-08 12:40:51 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Martin Kosek 2012-03-07 09:14:07 UTC

Description of problem:
My Python AD searches stopped working when I updated openldap from openldap-2.4.26-5.fc16.x86_64 to openldap-2.4.26-6.fc16.x86_64. Now, it always returns this error:

ldap.CONNECT_ERROR: {'info': "TLS error -8179:Peer's Certificate issuer is not recognized.", 'desc': 'Connect error'}

When I downgraded back to openldap-2.4.26-5.fc16.x86_64, the TLS connection worked OK again.

Version-Release number of selected component (if applicable):
openldap-2.4.26-6.fc16.x86_64

How reproducible:
I used this test script using python-ldap wrapper:

# cat /tmp/testtls.sh 
import ldap
ad_conn = ldap.initialize('ldap://dhcp201-112.englab.pnq.redhat.com')
ad_conn.set_option(ldap.OPT_DEBUG_LEVEL, 255)
ad_conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
ad_conn.set_option(ldap.OPT_X_TLS_CACERTFILE, '/home/mkosek/WinCert2.cer')
ad_conn.start_tls_s()

# python /tmp/testtls.sh
Traceback (most recent call last):
  File "/tmp/testtls.sh", line 6, in <module>
    ad_conn.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 526, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'info': "TLS error -8179:Peer's Certificate issuer is not recognized.", 'desc': 'Connect error'}

Steps to Reproduce:
1. Prepare an LDAP server with support of TLS connection, prepare its certificate (I used Active Directory server)
2. Prepare the script below which will test the TLS connection with provided certificate and server address
3. Run the script
  
Actual results:
TLS connection failed with the TLS error above

Expected results:
TLS connection succeeds, no error is returned

Comment 1 Rich Megginson 2012-03-07 15:54:08 UTC

The way openldap TLS initialization works in openldap-2.4.26-6 and later is this:

When you have an LDAP *ld or an ldap handle created by ldap.initialize, and you call ldap_set_option to set options in this handle, they are stored in the options area of the handle, but not in the TLS options area of the handle, until you call set_option(ldap.OPT_X_TLS_NEWCTX, 0).  This causes the creation of the new TLS context and writes the saved TLS option settings into the new TLS context.  If you then attempt to set another TLS option in the same ldap handle, the changes will again be stored in the ldap option area, but not in the TLS context.

Comment 2 Martin Kosek 2012-03-08 12:40:51 UTC

Thanks for explanation Rich. When I changed the order of operations in our TLS initialization procedure this way:

ad_conn = ldap.initialize('ldap://dhcp201-112.englab.pnq.redhat.com')
ad_conn.set_option(ldap.OPT_X_TLS_CACERTFILE, '/home/mkosek/WinCert2.cer')
ad_conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
ad_conn.start_tls_s()

it worked. Therefore I think we can close this bug as NOTABUG.

Note You need to log in before you can comment on or make changes to this bug.