From: Paul R. G. <ga...@nu...> - 2010-02-28 22:49:52
I recently changed over from using LDAP with SSL to LDAP with TLS since SSL is
deprecated. I did so and at the same time require a valid client certificate by
setting the /etc/openldap/slapd.conf (CentOS 5.4 OS) config option:

    TLSVerifyClient demand

Now that I did this the LDAP Server module is broken. Namely I cannot browse the
LDAP database because I cannot bind to the LDAP server. I tracked the problem to
this code in ldap-client-lib.pl lines 275 thru 282:

    if ($use_ssl == 2 && !$err) {
        local $mesg;
        eval { $mesg = $ldap->start_tls(); };
        if ($@ || !$mesg || $mesg->code) {
            $err = &text('ldap_etls', $@ ? $@ : $mesg ? $mesg->error : "Unknown error");
        }
    }

The problem is that the $ldap->start_tls() method needs some arguments that are
missing but should be available to the LDAP Server Module. Namely

    eval { $mesg = $ldap->start_tls(); };

should be changed to:

    eval { $mesg = $ldap->start_tls(
        cafile => '/path/to/cert_auth_bundle',
        clientcert => '/path/to/client cert',
        clientkey => '/path/to/client.key',
        ciphers => 'ciphers'
    ); };

For the first 3 options the data supplied in the LDAP Server Module ->
OpenLDAP Server Configuration -> Encryption Options in the "TLS certificate
file", "TLS private key file" and "TLS CA certificate file" fields should
suffice (I hardwired these parameters into the perl for the time being ... I
didn't know how to access them from perl). The addition of the ciphers option
would require a minor enhancement to webmin. However, without the ability to
pass client certificate/key files to the Net::LDAP perl module the LDAP server
module is broken for me. Is it a lot of work to fix this problem?

--
Paul (ga...@nu...)
From: Paul R. G. <ga...@nu...> - 2010-02-28 23:19:56
On Sun, 2010-02-28 at 15:25 -0700, Paul R. Ganci wrote:
>
> eval { $mesg = $ldap->start_tls(
>     cafile => '/path/to/cert_auth_bundle',
>     clientcert => '/path/to/client cert',
>     clientkey => '/path/to/client.key',
>     ciphers => 'ciphers'
> ); };
>
> For the first 3 options the data supplied in the LDAP Server Module ->
> OpenLDAP Server Configuration -> Encryption Options in the "TLS
> certificate file", "TLS private key file" and "TLS CA certificate file"
> fields should suffice (I hardwired these parameters into the perl for
> the time being ... I didn't know how to access them from perl). The
> addition of the ciphers option would require a minor enhancement to
> webmin. However, without the ability to pass client certificates/key
> file to Net::LDAP perl module the LDAP server module is broken for me.
> Is it a lot of work to fix this problem?

Perhaps here is a solution to my issue. I added these lines to
ldap-client-lib.pl after line 188:

    local $cafile = &find_svalue("tls_cacertfile", $conf);
    local $certfile = &find_svalue("tls_cert", $conf);
    local $keyfile = &find_svalue("tls_key", $conf);
    local $ciphers = &find_svalue("tls_ciphers", $conf);

Then at line 278 I changed

    eval { $mesg = $ldap->start_tls();

to

    eval { $mesg = $ldap->start_tls(
        cafile => $cafile,
        clientcert => $certfile,
        clientkey => $keyfile,
        ciphers => $ciphers
    );

Then the proper parameters can be found from the ldap.conf file.

--
Paul (ga...@nu...)
From: Jamie C. <jca...@we...> - 2010-03-01 07:13:07
On 28/Feb/2010 15:19 Paul R. Ganci <ga...@nu...> wrote ..
>
> On Sun, 2010-02-28 at 15:25 -0700, Paul R. Ganci wrote:
> >
> > eval { $mesg = $ldap->start_tls(
> >     cafile => '/path/to/cert_auth_bundle',
> >     clientcert => '/path/to/client cert',
> >     clientkey => '/path/to/client.key',
> >     ciphers => 'ciphers'
> > ); };
> >
> > For the first 3 options the data supplied in the LDAP Server Module ->
> > OpenLDAP Server Configuration -> Encryption Options in the "TLS
> > certificate file", "TLS private key file" and "TLS CA certificate file"
> > fields should suffice (I hardwired these parameters into the perl for
> > the time being ... I didn't know how to access them from perl). The
> > addition of the ciphers option would require a minor enhancement to
> > webmin. However, without the ability to pass client certificates/key
> > file to Net::LDAP perl module the LDAP server module is broken for me.
> > Is it a lot of work to fix this problem?
>
> Perhaps here is a solution to my issue. I added these lines to
> ldap-client-lib.pl after line 188:
>
>     local $cafile = &find_svalue("tls_cacertfile", $conf);
>     local $certfile = &find_svalue("tls_cert", $conf);
>     local $keyfile = &find_svalue("tls_key", $conf);
>     local $ciphers = &find_svalue("tls_ciphers", $conf);
>
> Then at line 278 I changed
>
>     eval { $mesg = $ldap->start_tls();
>
> to
>
>     eval { $mesg = $ldap->start_tls(
>         cafile => $cafile,
>         clientcert => $certfile,
>         clientkey => $keyfile,
>         ciphers => $ciphers
>     );
>
> Then the proper parameters can be found from the ldap.conf file.

Thanks! I will incorporate this fix into the next Webmin release..

 - Jamie
From: Paul R. G. <ga...@nu...> - 2010-03-02 02:56:25
Hi Jamie,

Just a word of warning. You should check what happens when any of the config
options tls_cacertfile, tls_cert, tls_key, tls_ciphers is not specified. I did
a test on a CentOS 5.4 box with Bundle::Net::LDAP 0.02 where I changed my
ldap.conf file removing each option one by one and then checking to see what
happened. The Net::LDAP perl module seems to do the correct thing in that it
did not segfault and the behavior seemed to be as expected. However, probably
some more thorough checking is needed, albeit anyone using TLS will probably
have at least the tls_cert and tls_key options set and possibly the
tls_cacertfile if a self-signed certificate is used. Given that Net::LDAP seems
to do the correct thing it is hard to see how this code could break something
... but you should be aware just in case I missed something or some other OS or
version of Net::LDAP has different behavior.

On Sun, 2010-02-28 at 23:12 -0800, Jamie Cameron wrote:
> On 28/Feb/2010 15:19 Paul R. Ganci <ga...@nu...> wrote ..
> >
> > On Sun, 2010-02-28 at 15:25 -0700, Paul R. Ganci wrote:
> > >
> > > eval { $mesg = $ldap->start_tls(
> > >     cafile => '/path/to/cert_auth_bundle',
> > >     clientcert => '/path/to/client cert',
> > >     clientkey => '/path/to/client.key',
> > >     ciphers => 'ciphers'
> > > ); };
> > >
> > > For the first 3 options the data supplied in the LDAP Server Module ->
> > > OpenLDAP Server Configuration -> Encryption Options in the "TLS
> > > certificate file", "TLS private key file" and "TLS CA certificate file"
> > > fields should suffice (I hardwired these parameters into the perl for
> > > the time being ... I didn't know how to access them from perl). The
> > > addition of the ciphers option would require a minor enhancement to
> > > webmin. However, without the ability to pass client certificates/key
> > > file to Net::LDAP perl module the LDAP server module is broken for me.
> > > Is it a lot of work to fix this problem?
> >
> > Perhaps here is a solution to my issue. I added these lines to
> > ldap-client-lib.pl after line 188:
> >
> >     local $cafile = &find_svalue("tls_cacertfile", $conf);
> >     local $certfile = &find_svalue("tls_cert", $conf);
> >     local $keyfile = &find_svalue("tls_key", $conf);
> >     local $ciphers = &find_svalue("tls_ciphers", $conf);
> >
> > Then at line 278 I changed
> >
> >     eval { $mesg = $ldap->start_tls();
> >
> > to
> >
> >     eval { $mesg = $ldap->start_tls(
> >         cafile => $cafile,
> >         clientcert => $certfile,
> >         clientkey => $keyfile,
> >         ciphers => $ciphers
> >     );
> >
> > Then the proper parameters can be found from the ldap.conf file.
>
> Thanks! I will incorporate this fix into the next Webmin release..
>
>  - Jamie
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> -
> Forwarded by the Webmin mailing list at web...@li...
> To remove yourself from this list, go to
> http://lists.sourceforge.net/lists/listinfo/webadmin-list

--
Paul (ga...@nu...)
From: Jamie C. <jca...@we...> - 2010-03-02 05:28:12
Hi Paul,

In my code, I only pass those parameters to start_tls if the tls_cert is set ..
otherwise, it is just called with no args.

 - Jamie

On 01/Mar/2010 18:56 Paul R. Ganci <ga...@nu...> wrote ..
> Hi Jamie,
>
> Just a word of warning. You should check what happens when any of the
> config options tls_cacertfile, tls_cert, tls_key, tls_ciphers is not
> specified. I did a test on a CentOS 5.4 box with Bundle::Net::LDAP 0.02
> where I changed my ldap.conf file removing each option one by one and
> then checking to see what happened. The Net::LDAP perl module seems to
> do the correct thing in that it did not segfault and the behavior
> seemed to be as expected. However, probably some more thorough checking
> is needed, albeit anyone using TLS will probably have at least the tls_cert
> and tls_key options set and possibly the tls_cacertfile if a self-signed
> certificate is used. Given that Net::LDAP seems to do the correct thing
> it is hard to see how this code could break something ... but you should
> be aware just in case I missed something or some other OS or version of
> Net::LDAP has different behavior.
>
>
> On Sun, 2010-02-28 at 23:12 -0800, Jamie Cameron wrote:
> > On 28/Feb/2010 15:19 Paul R. Ganci <ga...@nu...> wrote ..
> > >
> > > On Sun, 2010-02-28 at 15:25 -0700, Paul R. Ganci wrote:
> > > >
> > > > eval { $mesg = $ldap->start_tls(
> > > >     cafile => '/path/to/cert_auth_bundle',
> > > >     clientcert => '/path/to/client cert',
> > > >     clientkey => '/path/to/client.key',
> > > >     ciphers => 'ciphers'
> > > > ); };
> > > >
> > > > For the first 3 options the data supplied in the LDAP Server Module ->
> > > > OpenLDAP Server Configuration -> Encryption Options in the "TLS
> > > > certificate file", "TLS private key file" and "TLS CA certificate file"
> > > > fields should suffice (I hardwired these parameters into the perl for
> > > > the time being ... I didn't know how to access them from perl). The
> > > > addition of the ciphers option would require a minor enhancement to
> > > > webmin. However, without the ability to pass client certificates/key
> > > > file to Net::LDAP perl module the LDAP server module is broken for me.
> > > > Is it a lot of work to fix this problem?
> > >
> > > Perhaps here is a solution to my issue. I added these lines to
> > > ldap-client-lib.pl after line 188:
> > >
> > >     local $cafile = &find_svalue("tls_cacertfile", $conf);
> > >     local $certfile = &find_svalue("tls_cert", $conf);
> > >     local $keyfile = &find_svalue("tls_key", $conf);
> > >     local $ciphers = &find_svalue("tls_ciphers", $conf);
> > >
> > > Then at line 278 I changed
> > >
> > >     eval { $mesg = $ldap->start_tls();
> > >
> > > to
> > >
> > >     eval { $mesg = $ldap->start_tls(
> > >         cafile => $cafile,
> > >         clientcert => $certfile,
> > >         clientkey => $keyfile,
> > >         ciphers => $ciphers
> > >     );
> > >
> > > Then the proper parameters can be found from the ldap.conf file.
> >
> > Thanks! I will incorporate this fix into the next Webmin release..
> >
> >  - Jamie
>
> --
> Paul (ga...@nu...)
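The following is an added example and not code from the thread or from Webmin. It shows the approach the thread converges on, reading the tls_* settings from an ldap.conf-style file and handing the client certificate pair to Net::LDAP's start_tls only when tls_cert is set, so that a configuration without a client certificate still degrades to a plain start_tls() call. It goes one step beyond the thread: when a CA file is configured it also passes verify => 'require', because Net::LDAP's default is verify => 'none', under which the server's certificate is never checked. The sample ldap.conf text and the file paths in it are constructed, and conf_value is a hypothetical stand-in for Webmin's find_svalue, not the real function.

```perl
#!/usr/bin/perl
# Added example (not Webmin's code): build the argument list for
# Net::LDAP->start_tls from ldap.conf-style tls_* settings.
use strict;
use warnings;

# Constructed sample ldap.conf contents; a real deployment would read
# /etc/ldap.conf or /etc/openldap/ldap.conf instead.  Directive names
# follow the thread (tls_cacertfile, tls_cert, tls_key, tls_ciphers).
my $sample_conf = <<'CONF';
uri             ldap://ldap.example.internal
base            dc=example,dc=internal
tls_cacertfile  /etc/openldap/cacerts/ca-bundle.pem
tls_cert        /etc/openldap/certs/webmin-client.pem
tls_key         /etc/openldap/certs/webmin-client.key
tls_ciphers     HIGH:!aNULL:!MD5
CONF

# Hypothetical stand-in for Webmin's find_svalue: value of the first
# directive whose name matches (case-insensitively), or undef when absent.
sub conf_value {
    my ($name, $text) = @_;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;
        my ($k, $v) = $line =~ /^\s*(\S+)\s+(.*?)\s*$/ or next;
        return $v if lc($k) eq lc($name);
    }
    return;
}

# Key/value list for start_tls().  Returns an empty list when no client
# certificate is configured, so the caller ends up with start_tls() as
# the original module code had it.
sub start_tls_options {
    my ($text) = @_;
    my $cert    = conf_value('tls_cert',       $text);
    my $key     = conf_value('tls_key',        $text);
    my $cafile  = conf_value('tls_cacertfile', $text);
    my $ciphers = conf_value('tls_ciphers',    $text);

    my %opts;
    if (defined $cert && $cert ne '') {
        $opts{clientcert} = $cert;
        # A missing tls_key is left to Net::LDAP/IO::Socket::SSL defaults
        # rather than passed as an undefined value.
        $opts{clientkey} = $key if defined $key && $key ne '';
    }
    if (defined $cafile && $cafile ne '') {
        # Beyond the thread: with a CA bundle available, require the
        # server certificate to chain to it instead of the 'none' default.
        $opts{cafile} = $cafile;
        $opts{verify} = 'require';
    }
    $opts{ciphers} = $ciphers if defined $ciphers && $ciphers ne '';
    return %opts;
}

# Same eval/error pattern as ldap-client-lib.pl, but with the options
# above.  Needs Net::LDAP and a reachable server, so it only runs when a
# host is given on the command line.
sub secure_connection {
    my ($host, %opts) = @_;
    require Net::LDAP;
    my $ldap = Net::LDAP->new($host) or die "connect to $host failed: $@\n";
    my $mesg = eval { $ldap->start_tls(%opts) };
    if ($@ || !$mesg || $mesg->code) {
        die "StartTLS failed: "
          . ($@ ? $@ : $mesg ? $mesg->error : "Unknown error") . "\n";
    }
    return $ldap;
}

my %opts = start_tls_options($sample_conf);
printf "%-10s => %s\n", $_, $opts{$_} for sort keys %opts;
secure_connection($ARGV[0], %opts) if @ARGV;
```

Run without arguments it only prints the option list derived from the constructed configuration; removing the tls_cert line from $sample_conf yields no clientcert/clientkey entries, which is the case Paul's warning and Jamie's reply are about. Given a host as the first argument it performs the StartTLS exchange against that server with those options.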