[exim-dev] [Bug 1382] ldap_require_cert has no effect

Author: alxgomz
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1382] ldap_require_cert has no effect
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1382

--- Comment #13 from alxgomz <alxgomz@???> 2013-09-10 23:53:13 ---
Todd,

Thank you for that summary.
In my case, #1 has been fixed by completely commenting out the:

#ifdef LDAP_OPT_X_TLS
...
#endif

This block of code is only used to set the ldap option LDAP_OPT_X_TLS, which is
reported by openldap chief architect as unused
(http://www.openldap.org/lists/openldap-software/200706/msg00159.html). So
whatever it is intended to do, my guess is that it's just not doing it.
Furthermore the gist patch sounds like an overkill to me and is really code
duplication as it's setting a value for "tls_option", which is then used to set
LDAP_OPT_X_TLS. As explained earlier, and based on the post mentioned above,
this is obsolete and is not used anymore by the ldap library.

#2 is indeed fixed by using NULL as the first argument of ldap_set_option(). I
understand this should be a non-global setting but as far as I have tested
it.... it looks like it is.
I have tried to compile the latest release of the openldap library and
recompiled exim against it, to make sure this was not due to some distro
specific patch. It isn't, I had the very same issue with the "vanilla" library.
This issue can be extended to the ldap_cipher_suite parameter, which is not set
properly unless set globally. I haven't tested further ldap_tls settings.

I trust you on #3.

Implementing fix #1 (by commenting out the block of code) and #2 allowed me to
have the desired behaviours for both ldaps:/// and ldaps:/// urls.

Just a few more remarks though:

a) If ldap_start_tls is set and ldap_require_cert isn't, then exim applies the
default of the ldap library instead of what's currently configured in
ldap.conf. While slightly unexpected, I think this matches what's in the
documentation for ldap_require_cert:

...Although Exim does not set a default, the LDAP library probably defaults to
hard/demand.

b) In #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT ... #endif, the cert_option variable
is initialised with LDAP_OPT_X_TLS_NEVER. This means that if someone sets
ldap_require_cert to a non-recognised value, the weakest level of verification
is applied, allowing the system to talk to a non-authenticated server.

c) When using an ldaps:/// url together with ldap_start_tls (which makes no sense,
but...), the lookups fail. One would probably expect that when ldaps:/// is
used, eldap_start_tls is skipped or forcibly set to NULL.

Thanks, Todd and Phil, for your time!


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
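The fail-closed handling that remarks (b) and (c) above argue for, written out as an added illustration that is neither Exim's code nor the poster's. The keyword table, the tls_plan structure, REQCERT_UNSET and plan_tls() are assumptions of this example; the LDAP_OPT_X_TLS_* values are OpenLDAP's constants, redefined only so the file builds without ldap.h.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Values match OpenLDAP's <ldap.h>; redefined here so the example builds without it. */
#ifndef LDAP_OPT_X_TLS_NEVER
#define LDAP_OPT_X_TLS_NEVER  0
#define LDAP_OPT_X_TLS_HARD   1
#define LDAP_OPT_X_TLS_DEMAND 2
#define LDAP_OPT_X_TLS_ALLOW  3
#define LDAP_OPT_X_TLS_TRY    4
#endif
#define REQCERT_UNSET (-1)  /* assumed marker: leave the library default (remark a) */
struct tls_plan {      /* assumed structure, not Exim's */
    int use_ldaps;     /* URL scheme is ldaps:// */
    int do_start_tls;  /* issue StartTLS on a plain ldap:// session */
    int cert_option;   /* LDAP_OPT_X_TLS_REQUIRE_CERT value, or REQCERT_UNSET */
};
/* Map an ldap_require_cert keyword to its OpenLDAP constant. Returns 0 on success,
 * -1 for an unknown keyword: unlike the initialisation described in remark (b),
 * a mistyped value is rejected, and *out falls back to HARD rather than NEVER. */
int parse_require_cert(const char *value, int *out)
{
    static const struct { const char *name; int opt; } table[] = {
        { "hard",  LDAP_OPT_X_TLS_HARD },  { "demand", LDAP_OPT_X_TLS_DEMAND },
        { "allow", LDAP_OPT_X_TLS_ALLOW }, { "try",    LDAP_OPT_X_TLS_TRY },
        { "never", LDAP_OPT_X_TLS_NEVER },
    };
    if (value == NULL || *value == '\0') { *out = REQCERT_UNSET; return 0; }
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcasecmp(value, table[i].name) == 0) { *out = table[i].opt; return 0; }
    *out = LDAP_OPT_X_TLS_HARD;  /* strictest setting if the caller ignores the error */
    return -1;
}
/* Decide how one lookup URL is secured. Returns 0, or -1 when the configuration
 * is unusable so the caller can fail the lookup closed instead of downgrading. */
int plan_tls(const char *url, int start_tls, const char *require_cert, struct tls_plan *p)
{
    memset(p, 0, sizeof *p);
    p->use_ldaps = strncasecmp(url, "ldaps://", 8) == 0;
    /* remark (c): StartTLS on an already-TLS ldaps:// session cannot work; skip it */
    p->do_start_tls = start_tls && !p->use_ldaps;
    return parse_require_cert(require_cert, &p->cert_option);
}
int main(void)
{
    struct tls_plan p;  /* constructed input: ldaps:// URL with ldap_start_tls also set */
    int rc = plan_tls("ldaps://ldap.example.test/", 1, "demand", &p);
    printf("rc=%d ldaps=%d starttls=%d cert=%d\n", rc, p.use_ldaps, p.do_start_tls, p.cert_option);
    return rc == 0 ? 0 : 1;
}
```

A caller that gets -1 from plan_tls() should refuse the lookup rather than connect with whatever ended up in cert_option.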