Re: [exim] Exim 4.82 LDAPS problems

Author: Todd Lyons
Date:  
To: Heiko Schlichting
CC: exim-users
Subject: Re: [exim] Exim 4.82 LDAPS problems
On Tue, Oct 29, 2013 at 1:03 PM, Heiko Schlichting
<exim-users@???> wrote:
>
> Unfortunately I had some obscure problems using LDAPS. A configuration
> working with exim 4.80.1 without problems does hang forever after a client
> send "DATA" via socket. The client does not even receive


The bugfix that was committed was an obscure problem using LDAPS with
self-signed certs. I can see where it is not called on the first
session, but it is called on the second one.

> in debug mode. The problem does NOT occur if I use "exim -bs" instead of
> "exim -bd". Strange. Due to some unusual ldaps messages I assume it is
> caused by LDAPS.


Agreed.

Here is the applicable bugfix description:
TL/11 Bugzilla 1382 - Option ldap_require_cert overrides start_tls
      ldap library initialization, allowing self-signed CA's to be
      used. Also properly sets require_cert option later in code by
      using NULL (global ldap config) instead of ldap handle (per
      session). Bug diagnosis and testing by alxgomz.


> I also noticed that
>
>     exim -be '${lookup ldap{... ldaps:///...}}'
>
> hangs forever which works with exim 4.80.1. Using "exim -be" interactive
> I can specify ldaps queries and get the correct result but exim hangs when
> "Ctrl-D" is given. LDAP instead of LDAPS seems to work but I had to query
> a different ldap server for a quick test so treat with caution.
>
> Here is the relevant part of exim -be '${lookup ldap{... ldaps:///...}}'
> using exim 4.80.1:
>
>     ldap_initialize with URL ldaps://ldap.example.org:636/
>     initialized for LDAP (v3) server ldap.example.org:636
>     LDAP_OPT_X_TLS_HARD set


The above means that the cert cannot be self-signed. Is that correct
for your case?

>     binding with user=cn=ldapadmin,dc=example.org password=secret
>     Start search
>     ldap_result loop
>     LDAP entry loop
>     LDAP attr loop uid:user
>     search ended by ldap_result yielding 101
>     ldap_parse_result: 0
>     ldap_parse_result yielded 0: Success
>     LDAP search: returning: user
>     lookup yielded: user
>     search_tidyup called
>     unbind LDAP connection to ldap.example.org:636
>     >>>>>>>>>>>>>>>> Exim pid=679180 terminating with rc=0 >>>>>>>>>>>>>>>>
>
> and exim 4.82:
>
>     ldap_initialize with URL ldaps://ldap.example.org:636/
>     initialized for LDAP (v3) server ldap.example.org:636
>     Require certificate overrides LDAP_OPT_X_TLS option (0)


This line tells me that Exim found the option ldap_require_cert and
used its value. I'll have to familiarize myself with this code and
its logic again. What do you normally have in your .ldaprc for the
TLS_REQCERT setting, if anything? What does the entirety of your ldap
config look like?

Here is the bugfix description:
TL/11 Bugzilla 1382 - Option ldap_require_cert overrides start_tls
      ldap library initialization, allowing self-signed CA's to be
      used. Also properly sets require_cert option later in code by
      using NULL (global ldap config) instead of ldap handle (per
      session). Bug diagnosis and testing by alxgomz.


>     binding with user=cn=ldapadmin,dc=example.org password=secret
>     failed to bind the LDAP connection to server ldap.example.org:636 - ldap_bind() returned -1
>     perform_ldap_search: ldap URL = "ldaps:///o=ORG?uid?sub?(&(uid=user)(objectClass=Person))" server=localhost port=8636 sizelimit=0 timelimit=0 tcplimit=2
>     after ldap_url_parse: host=localhost port=8636
>     ldap_initialize with URL ldaps://localhost:8636/
>     initialized for LDAP (v3) server localhost:8636
>     Require certificate overrides LDAP_OPT_X_TLS option (0)


And this one works properly. I'll check to see if there is some logic
that later gets done separately if the URI is ldaps:/// and the port
is 636.

>     binding with user=cn=ldapadmin,dc=example.org password=secret
>     Start search
>     ldap_result loop
>     LDAP entry loop
>     LDAP attr loop uid:user
>     search ended by ldap_result yielding 101
>     ldap_parse_result: 0
>     ldap_parse_result yielded 0: Success
>     LDAP search: returning: user
>     lookup yielded: user
>     search_tidyup called
>     unbind LDAP connection to localhost:8636
>     unbind LDAP connection to ldap.example.org:636
>
> Please notice:
>     - There is no final ">>>> ... terminating with ..." line and exim hangs
>       forever in select()
>     - exim 4.82 emits "ldap_bind() returned -1" and uses the fallback ldap
>       caching server (localhost) but exim 4.80 had no problems with both
>       LDAP servers.
>     - exim 4.80 writes "LDAP_OPT_X_TLS_HARD set" but exim 4.82 emits
>       "Require certificate overrides LDAP_OPT_X_TLS option (0)"


The bugfix was in the logic of requiring a certificate and whether it
is self-signed or not.

>     - although exim 4.82 had a failed bind to primary server and uses the
>       fallback, there is an "unbind" for both.


I think the unbind for the failed one could possibly be detected and
skipped, but it shouldn't hurt to call the unbind.

> Any ideas? Does anyone else notice problems using LDAPS with exim 4.82?


You're the first. That likely means you're not the last. Let's
figure this out. On to your next message.

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
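An added configuration example, not part of this thread and not taken from Exim's own documentation or test suite, showing the pieces the debug output above touches: the two-server list that produces the fallback to localhost:8636, the certificate-verification setting that the "Require certificate overrides LDAP_OPT_X_TLS option" line reports, and a lookup in the same shape as Heiko's. The hostnames, base DN, file path and router name are assumptions; the option names (ldap_default_servers, ldap_require_cert, ldap_ca_cert_file) and the user=/pass=/CONNECT= lookup parameters are the ones Exim's main configuration and LDAP lookup accept. The weak setting is shown commented out beside the one to use.

```exim
# Added example, not from the thread. Hosts, DN and paths are hypothetical.

# With an empty host in the lookup URL (ldaps:///...) Exim walks this list in
# order, which is what the debug output shows: ldap.example.org:636 first,
# then the local caching server. A port is written after a double colon.
ldap_default_servers = ldap.example.org::636:localhost::8636

# Weak: "never" makes the LDAPS session encrypted but unauthenticated, so a
# host that can answer on port 636 gets the bind DN and password.
#ldap_require_cert = never

# Corrected: demand a certificate that chains to a CA we trust. For a
# self-signed server certificate (the case the TL/11 fix is about) put that
# certificate itself in ldap_ca_cert_file; leaving the setting unset defers to
# the LDAP library and whatever TLS_REQCERT .ldaprc/ldap.conf supply.
ldap_require_cert = demand
ldap_ca_cert_file = /etc/exim/ldap-ca.pem

# Router using a lookup of the same shape as the one in the thread. CONNECT=
# is the per-connection TCP limit that appears as "tcplimit=2" in the debug
# output; user=/pass= are the bind credentials. Note that "exim -d" prints the
# bind password in clear (see "password=secret" above), so do not paste a
# debug run anywhere without scrubbing it.
ldap_users:
  driver = accept
  condition = ${lookup ldap{user="cn=ldapadmin,dc=example,dc=org" pass=secret \
                CONNECT=2 \
                ldaps:///o=ORG?uid?sub?(&(uid=$local_part)(objectClass=Person))} \
                {yes}{no}}
  transport = local_delivery
```

Two things worth checking when a lookup like this behaves differently between versions: first, the fallback is silent, so a primary whose certificate fails verification is skipped and the answer comes from the second server, which must be protected to the same standard (here it is plain localhost, reachable only on the box); second, run the lookup once per server with SERVERS= or a single-entry ldap_default_servers so that a bind failure is attributed to the right host rather than hidden by the fallback.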