From: Jamie C. <jca...@we...> - 2008-12-02 05:46:31
On 01/Dec/2008 18:11 Paul R. Ganci wrote ..
> Jamie Cameron wrote:
> > Thanks for those three patches - I see now that Webmin's support for proper
> > LDAP over SSL was broken, as it was only able to handle TLS. I will incorporate
> > modified versions of your fixes into the next release, with the TLS support
> > added back in where appropriate.
>
> Hi Jamie,
>
> Yes that is what I discovered. However, I spent all day Sunday looking
> at the three perl modules ldap-client-lib.pl, ldap-server-lib.pl and
> ldap-useradmin-lib.pl and discovered that those patches only solve a
> small part of the problem (i.e. my specific one) and in the
> ldap_server_lib.pl case breaks TLS.
>
> Please don't use those patches!
>
> I have a much better solution that covers all the cases (especially for
> the ldap-client-lib.pl) which I will provide to you. I can still
> generate patches, but they would be against the original distribution
> which I accidentally touched. If you want to chance it let me know,
> otherwise I can make these available in an ftp directory ... your choice,
> just let me know. I did much more testing including both SSL, TLS and no
> encryption and was much happier with the result.
>
> Moreover, I was very confused as to why these modules had to have
> separate, and very different, "ldap_connect" subroutines. In fact it
> seemed to me that there was some redundancy in the LDAP Client module,
> the LDAP Users and Groups module and the LDAP Server module. The LDAP Client
> module and LDAP Server module each have an LDAP browser (albeit the
> server version is editable whereas the client version is read only). It
> seems to me it is those browser functions that require the ldap_connect
> code, and if they did not exist the LDAP Server module and the LDAP
> Client module would not need to connect to an LDAP server at all? Of
> course the LDAP Users and Groups module has to access an LDAP server so the
> ldap_connect function is necessary.
>
> So if you keep all the module functionality as it is, why don't all three
> perl modules use the same ldap_connect sub? It seems to me that the
> reason is actually due to the different data provided in the Webmin
> module config. Let me just go through the LDAP Client, LDAP Users and
> Groups and LDAP Server module configs. I am only going to compare the
> LDAP client configuration data as there is clearly other stuff specific
> to the module and of no consequence to the discussion I am trying to
> start here. Hopefully there will not be too much line wrapping.
>
> LDAP Client Module config:
>
> Configurable options for LDAP Client
> LDAP client configuration file [/etc/ldap.conf]
> PAM Ldap configuration file (*) Same as LDAP client file [ ]
> Root LDAP client password file [/etc/ldap.secret]
>
> LDAP browser and validation settings
> LDAP server hosts (*) From config file ( ) [ ]
> LDAP server port (*) From config file ( ) [ ]
> Use SSL connection (*) From config file ( ) Yes ( ) No
> Login with username (*) From config file ( ) [ ]
> Login with password (*) From config file ( ) [ ]
>
>
> LDAP User and Group Module config (only LDAP server connection stuff):
> Linux LDAP NSS library config file ( ) None (use settings below) (*) Use settings from file
> [/etc/ldap.conf ]
> LDAP server host (*) From NSS config file ( ) [ ]
> LDAP server port (*) from NSS config file or default ( ) [ ]
> LDAP server uses TLS? (*) Yes ( ) No
>
>
> LDAP Server Module config:
> LDAP server hostname ( ) This system (*) [myldap.server.com]
> LDAP server port ( ) Detect Automatically (*) [636 ]
> Login for LDAP server ( ) Detect Automatically (*) [xxx]
> Use TLS encryption with LDAP server ( ) Detect Automatically (*) Yes ( ) No
>
> Note that the LDAP client suggests the use of SSL but LDAP user and
> group/server suggest TLS.
>
> For consistency I would use the LDAP client form for all three modules
> and I would change the SSL/TLS check box to something that looks like this:
>
> Use Encryption (*) From config file ( ) No ( ) SSL ( ) TLS
>
> By making these modules all use the same form I (or you) could create a
> single ldap_connect sub that could be used by all three Webmin modules.
> In addition I would not have to guess in the three perl libraries
> whether or not TLS or SSL was desired. For example, I assumed if TLS was
> "yes" and if the port used was 636 that SSL was desired, which requires
> the LDAPS protocol. This is probably a safe assumption given that it
> would be bad practice to try and use the LDAP port and start_tls on a
> port specifically reserved for the LDAPS protocol. Not to mention that
> start_tls is generally reserved for port 389, but I don't believe there
> is any reason somebody could not decide to move their server to an
> arbitrary port. My point here is that changing the SSL/TLS check box
> per my suggestion allows Webmin users to specify any port with any
> protocol with or without start_tls. The ldap-client-lib.pl could be used
> as the code base for the perl ldap_connect sub. And the subsequent
> change would reduce the amount of perl code, simplify the perl and
> cover pretty much everything I think one might want to do with LDAP,
> including making the LDAPI protocol available (albeit that is untested
> as of yet).
>
> I realize implementing my full suggestion is possibly (or maybe just
> "is") a big job. However, it seems to me the "Use Encryption" suggestion
> might be easy to implement. If someone (you?) could fix the form, then I
> can fix the perl libraries. BTW I never found the LDAP Server Module
> config to work properly with "Detect automatically" selected. I am
> not sure what that really did and I guess would question its usefulness.
> Perhaps others have had a different experience, which is why I didn't
> remove the functionality.
>
> In any event I currently have new perl library code that handles much
> more than the original did with the current code and module config base.
> Just let me know if you want me to generate patch files or make the
> actual perl available via ftp.

Hi Paul,

Those modules were actually originally developed separately, which is why they contain re-implementations of the same functionality. You are absolutely correct that they should be merged, and since I have already been hacking on them I will take a look at this tomorrow. Then I will post a Webmin update that includes the merge and the fixed SSL support, and you can make further patches based on that.

Since you seem to know your way around Perl and Webmin, I can give you access to the SVN repository if you like .. that way we can better co-ordinate our efforts.

- Jamie
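A single Net::LDAP ldap_connect driven by a three-way "Use Encryption" setting, as Paul proposes above. This is an added illustration, not code from Webmin or from either poster; the %config key names (encryption, host, port, cafile, bind_dn, bind_pw, timeout) are assumed, not Webmin's actual module config keys.

```perl
#!/usr/bin/perl
# Added example: one ldap_connect for a three-way "Use Encryption" setting
# (no / ssl / tls), so callers never infer LDAPS from the port number.
# All %config key names are assumed here, not Webmin's real module config.
use strict;
use warnings;
use Net::LDAP;

sub ldap_connect {
    my (%config) = @_;
    my $mode = lc($config{encryption} // 'no');   # 'no', 'ssl' or 'tls'
    my $host = $config{host} // 'localhost';

    # The explicit mode, not the port, picks the scheme: LDAPS for 'ssl',
    # cleartext LDAP then StartTLS for 'tls'. The default port follows the
    # scheme, but whatever port the admin configured is used unchanged.
    my $scheme = $mode eq 'ssl' ? 'ldaps' : 'ldap';
    my $port   = $config{port} // ($scheme eq 'ldaps' ? 636 : 389);

    my %tls_opts = (
        verify => 'require',          # reject servers whose cert fails to verify
        cafile => $config{cafile},    # CA bundle that is trusted for this server
    );

    my $ldap = Net::LDAP->new($host,
        port    => $port,
        scheme  => $scheme,
        timeout => $config{timeout} // 10,
        ($scheme eq 'ldaps' ? %tls_opts : ()),
    ) or die "Cannot connect to $scheme://$host:$port: $@";

    if ($mode eq 'tls') {
        # StartTLS upgrades the session; fail closed if the server refuses
        # rather than silently binding in the clear.
        my $mesg = $ldap->start_tls(%tls_opts);
        die "StartTLS failed: " . $mesg->error if $mesg->code;
    }

    if (defined $config{bind_dn}) {
        my $mesg = $ldap->bind($config{bind_dn}, password => $config{bind_pw});
        die "Bind failed: " . $mesg->error if $mesg->code;
    }
    return $ldap;
}

# Constructed sample call (no real server behind these values):
my $ldap = ldap_connect(encryption => 'tls', host => 'ldap.example.com',
    cafile => '/etc/ssl/certs/ca-certificates.crt',
    bind_dn => 'cn=admin,dc=example,dc=com', bind_pw => 'secret');
$ldap->unbind;
```

With the mode explicit, a server moved to an arbitrary port (the case Paul raises) works for plain, LDAPS and StartTLS alike, and a refused StartTLS aborts instead of falling back to a cleartext bind.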