Bug 1575 - CA check in tl-ldap-certalias cannot be disabled
Summary: CA check in tl-ldap-certalias cannot be disabled
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Smart card
Target Milestone: LowPrio
Assignee: Peter Åstrand
Duplicates: 4101
Depends on:
Reported: 2005-10-13 11:11 CEST by Erik Forsberg
Modified: 2022-09-13 13:36 CEST

See Also:
Acceptance Criteria:


Description Erik Forsberg cendio 2005-10-13 11:11:22 CEST
On some distributions, the openldap libraries are configured to demand a valid
TLS certificate whenever a ldaps connection is setup. This can be configured
away by setting TLS_REQCERT never in /etc/openldap/ldap.conf (or
/etc/ldap/ldap.conf, depending on distribution).

There is also the possibility to do that per application by calling

    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

..in python programs. We do that in the TLNC, but not for the rest of our LDAP

Setting this weakens the security, so we should think about it before
implementing it in all scripts. Implementing bug 1535 may help, since that will
actually fetch the certificate that is needed. TLNC still needs to be able to
connect without certificate though, or we'd get a chicken and egg problem.
Comment 1 Peter Åstrand cendio 2005-11-14 13:19:43 CET
We should solve this by having a ThinLinc-global configuration parameter. 
Comment 2 Peter Åstrand cendio 2006-06-13 16:35:21 CEST
Decided on devmeeting: Perhaps it's sufficient if it's possible to change this
on a system global basis. In that case, we don't need a TL-specific
configuration parameter, but we could document the issue. Investigate. 
Comment 3 Erik Forsberg cendio 2006-06-14 08:44:13 CEST
Also investigate why demoldapvi on maggie gives:

$ ./demoldapvi
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

..when Peter tries to run it, even though he has a ~/.ldaprc with TLS_REQCERT
Comment 4 Erik Forsberg cendio 2006-07-06 11:47:47 CEST
As the comments say - investigate and document. Make sure we understand how
settings in /etc/openldap/ldap.conf and /etc/ldap.conf interoperate. 
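The interoperation Comment 4 asks about comes down to which file sets TLS_REQCERT last. As an added example (not code from this bug or from ThinLinc), the Python below resolves the value libldap will actually use from its configuration files taken in read order and flags the settings that disable the CA check; the read order (system-wide ldap.conf first, then the user's ~/.ldaprc, last setting wins) is assumed here from OpenLDAP's ldap.conf(5), and the file contents are constructed samples.

```python
# Value libldap uses when no file sets TLS_REQCERT (OpenLDAP ldap.conf(5) default).
DEFAULT_REQCERT = "demand"
# Settings that let an ldaps connection proceed without a usable CA check.
WEAK_REQCERT = {"never", "allow"}

def parse_ldap_conf(text):
    """Return {KEYWORD: value} from ldap.conf-style text.

    Keywords are case-insensitive, lines starting with '#' are comments,
    and a later occurrence of a keyword in the same file overrides an earlier one.
    """
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        options[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return options

def effective_reqcert(configs):
    """Resolve TLS_REQCERT over (name, text) pairs given in libldap's read order.

    Assumed order per ldap.conf(5): system-wide file first, then ~/.ldaprc;
    the last file that sets the keyword wins. Returns (value, name of that file).
    """
    value, source = DEFAULT_REQCERT, "built-in default"
    for name, text in configs:
        opts = parse_ldap_conf(text)
        if "TLS_REQCERT" in opts:
            value, source = opts["TLS_REQCERT"].lower(), name
    return value, source

def audit(configs):
    """Report the effective setting, where it came from, and whether it is weak."""
    value, source = effective_reqcert(configs)
    verdict = "WEAK" if value in WEAK_REQCERT else "ok"
    return {"reqcert": value, "set_by": source, "verdict": verdict}

# Constructed samples: the system file demands a valid cert, ~/.ldaprc turns the check off.
SYSTEM_LDAP_CONF = """\
# /etc/openldap/ldap.conf (constructed sample)
URI ldaps://ldap.example.com
TLS_CACERT /etc/openldap/cacerts/ca.pem
tls_reqcert demand
"""
USER_LDAPRC = "# ~/.ldaprc (constructed sample)\nTLS_REQCERT never\n"

if __name__ == "__main__":
    print(audit([("/etc/openldap/ldap.conf", SYSTEM_LDAP_CONF), ("~/.ldaprc", USER_LDAPRC)]))
```

Running it against real files means reading the system-wide ldap.conf and the user's ~/.ldaprc in that order; a WEAK verdict sourced from a per-user file is exactly the situation Comment 3 describes.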
Comment 5 Erik Forsberg cendio 2006-07-06 11:58:11 CEST
Worth noting is that the certificate downloading in bug 1535 should
probably download the certificate to a location where it can be read not only by
nss/pam_ldap, but also by the system's LDAP library, which will allow other
applications, for example our own LDAP reading/setting software, to use secure
ssl as well.

Comment 6 Thomas Nilefalk cendio 2016-12-20 11:07:32 CET
Decided that this means making tl-ldap-certalias configurable.
Comment 7 Pierre Ossman cendio 2022-09-13 13:36:57 CEST
*** Bug 4101 has been marked as a duplicate of this bug. ***
