--On Tuesday, September 25, 2018 2:06 AM +0000 hyc(a)symas.com wrote:
>> Why the openldap client can not use TLS1.3?
>
> RedHat builds their OpenLDAP packages with MozillaNSS, not OpenSSL.
Incorrect. Their latest builds for RHEL7 use OpenSSL.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
nanmor(a)126.com wrote:
> Full_Name: Nancy Mo
> Version: openldap-clients-2.4.44-15.el7_5.x86_64
> OS: Redhat 7
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (106.38.0.87)
>
>
> Hi team,
>
> The Linux server is Red Hat 7, with OpenSSL 1.1.1 installed, which supports
> TLS 1.3.
> I tried to connect to an LDAP server that uses TLS 1.3, and the openldap client
> connection failed; if the server setting is changed to TLS 1.2, it connects
> successfully.
> By the way, using openssl s_client -connect HOSTNAME.com:636, it uses TLS
> 1.3 and connects successfully.
> In the ldap.conf, I have set two parameters:
>
> TLS_CACERTDIR /etc/openldap/certs
> TLS_REQCERT never
>
> Why the openldap client can not use TLS1.3?
RedHat builds their OpenLDAP packages with MozillaNSS, not OpenSSL.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
--On Tuesday, September 25, 2018 1:46 AM +0000 nanmor(a)126.com wrote:
> Full_Name: Nancy Mo
> Version: openldap-clients-2.4.44-15.el7_5.x86_64
> OS: Redhat 7
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (106.38.0.87)
Hello,
The ITS system is for bug reports only. Please direct usage questions to
the openldap-technical list. I will note that I've tested OpenLDAP 2.4.46
with both startTLS and LDAPS using TLS 1.3 when compiled on both the server
and client side with OpenSSL 1.1.1 and it worked correctly. You will need
to provide significantly more information about your configuration/setup
when contacting the openldap-technical list for any further assistance.
I would also note that official support for OpenSSL 1.1.0 and later was not
added until the OpenLDAP 2.4.45 release, with further fixes in the OpenLDAP
2.4.46 release. Thus I would advise a first step of upgrading to OpenLDAP
2.4.46.
Warm regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Full_Name: Nancy Mo
Version: openldap-clients-2.4.44-15.el7_5.x86_64
OS: Redhat 7
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (106.38.0.87)
Hi team,
The Linux server is Red Hat 7, with OpenSSL 1.1.1 installed, which supports
TLS 1.3.
I tried to connect to an LDAP server that uses TLS 1.3, and the openldap client
connection failed; if the server setting is changed to TLS 1.2, it connects
successfully.
By the way, using openssl s_client -connect HOSTNAME.com:636, it uses TLS
1.3 and connects successfully.
In the ldap.conf, I have set two parameters:
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT never
Why the openldap client can not use TLS1.3?
Thanks a lot.
Best regards,
Nancy
dcb314(a)hotmail.com wrote:
> Full_Name: David Binderman
> Version: 2.4.46
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (79.65.83.114)
>
>
> common.c:2329:10: warning: logical not is only applied to the left hand side of
> this bitwise operator [-Wlogical-not-parentheses]
Next time please provide a full pathname, not just a filename.
Next time please use "git diff" or "git format-patch"
> Source code is
>
> if ( !tool_ctrl_response[j].mask & tool_type ) {
>
> Maybe better code:
>
> if ( !(tool_ctrl_response[j].mask & tool_type) ) {
>
> I can recommend compiling the openldap product with the clang C/C++ compiler.
Next time read the code you're commenting on. This is an empty if statement; it
has no effect regardless.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
dcb314(a)hotmail.com wrote:
> Full_Name: David Binderman
> Version: 2.4.46
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (79.65.83.114)
>
>
> common.c:2329:10: warning: logical not is only applied to the left hand side of
> this bitwise operator [-Wlogical-not-parentheses]
>
> Source code is
>
> if ( !tool_ctrl_response[j].mask & tool_type ) {
>
> Maybe better code:
>
> if ( !(tool_ctrl_response[j].mask & tool_type) ) {
>
> I can recommend compiling the openldap product with the clang C/C++ compiler.
Please use diff.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
--On Saturday, September 22, 2018 11:56 PM +0200 Matus Honek
<mhonek(a)redhat.com> wrote:
> However, I believe TLS 1.3 already works with OpenLDAP and OpenSSL.
> You might want to give the Docker image fedora:rawhide a try. I was
> able to successfully establish a TLS 1.3 connection ldapsearch<->slapd.
Hi Matus,
I just happened to be looking into this yesterday (ITS#8914) and was able
to successfully compile OpenLDAP with OpenSSL 1.1.1 without issue as well,
and was able to confirm (via the TLS testsuite available in the OpenLDAP
HEAD release) that TLS 1.3 works fine. I've followed up with the person
who filed ITS#8914 to give more information on what issue(s) they faced
since it works for me.
Warm regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Thanks for the response, Quanah. You're right, they're mentioning "some"
LDAP server. And as you indirectly mentioned, with OpenSSL 1.0, TLS
1.3 is not supported.
However, I believe TLS 1.3 already works with OpenLDAP and OpenSSL.
You might want to give the Docker image fedora:rawhide a try. I was
able to successfully establish a TLS 1.3 connection ldapsearch<->slapd.
Tested with:
openldap-2.4.46-8.fc30.x86_64
openssl-1.1.1-0.pre9.2.fc30.x86_64
HTH
Best regards,
Matus
On Fri, Sep 21, 2018 at 8:23 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote:
>
> --On Friday, September 21, 2018 10:59 AM +0000 mhonek(a)redhat.com wrote:
>
> > Hi Nancy,
> >
> > I'm not aware of RHEL7 shipping with OpenSSL-1.1, OpenLDAP is linked
> > with openssl-1.0.2 there.
> >
> > Anyway, please report all issues related to TLS in OpenLDAP in Red Hat
> > products to Red Hat Support or Bugzilla, first.
>
> Based on what I read in their report, they have an LDAP server (not
> OpenLDAP) that has TLS 1.3 support, and the ldapsearch binaries on their
> RedHat system won't negotiate TLS 1.3 with that server. This is not
> surprising, as TLS 1.3 support in OpenSSL is only in the 1.1.1 release
> series and OpenLDAP is not yet updated to link to OpenSSL 1.1.1 (See
> ITS#8914). I'm currently examining what's necessary for such support. I
> would not expect any OpenLDAP based ldapsearch binary to be able to
> negotiate TLS 1.3 at this time, and I definitely wouldn't expect any Linux
> distribution OpenLDAP based ldapsearch binary to support it for quite some
> time. GnuTLS also only recently added TLS 1.3 support in the 3.6.3 release
> as of July 2018, so this would not work in debian based distributions
> either unless running the very bleeding edge.
>
> Warm regards,
> Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
--
Matúš Honěk
Software Engineer
Red Hat Czech
Full_Name: David Binderman
Version: 2.4.46
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (79.65.83.114)
common.c:2329:10: warning: logical not is only applied to the left hand side of
this bitwise operator [-Wlogical-not-parentheses]
Source code is
if ( !tool_ctrl_response[j].mask & tool_type ) {
Maybe better code:
if ( !(tool_ctrl_response[j].mask & tool_type) ) {
I can recommend compiling the openldap product with the clang C/C++ compiler.
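The precedence issue in this report, shown as an added example that is not OpenLDAP code (the struct, the TOOL_* values and the function names are constructed here): `!` binds tighter than `&`, so `!mask & tool_type` tests "mask is zero and bit 0 of tool_type is set", which disagrees with the intended `!(mask & tool_type)` for most inputs. As Howard notes above, the real if body in common.c was empty, so the wrong condition had no runtime effect there.

```c
#include <stdio.h>

/* Constructed stand-in for the tool_ctrl_response entries: each control
 * carries a bitmask of the tool types it applies to. Not OpenLDAP code. */
enum { TOOL_SEARCH = 0x01, TOOL_MODIFY = 0x02, TOOL_DELETE = 0x04 };

struct ctrl_response {
    const char *name;
    unsigned mask;
};

/* The condition as written in the report: evaluates (!mask) & tool_type. */
int not_applicable_buggy(unsigned mask, unsigned tool_type)
{
    return !mask & tool_type;
}

/* The intended condition: true when the control's mask excludes tool_type. */
int not_applicable_fixed(unsigned mask, unsigned tool_type)
{
    return !(mask & tool_type);
}

/* Count the (mask, tool_type) pairs over the 3-bit space where the two
 * conditions disagree; the buggy form is only right when mask == 0 and
 * tool_type is odd, or when mask != 0 and the bits actually overlap. */
int count_disagreements(void)
{
    int n = 0;
    for (unsigned mask = 0; mask < 8; mask++)
        for (unsigned t = 0; t < 8; t++)
            if (not_applicable_buggy(mask, t) != not_applicable_fixed(mask, t))
                n++;
    return n;
}

int main(void)
{
    /* Constructed control that applies to search only. */
    struct ctrl_response ctrl = { "example-control", TOOL_SEARCH };
    printf("buggy: %d  fixed: %d  (control=%s, tool=modify)\n",
           not_applicable_buggy(ctrl.mask, TOOL_MODIFY),
           not_applicable_fixed(ctrl.mask, TOOL_MODIFY),
           ctrl.name);
    printf("pairs where the two forms disagree: %d of 64\n",
           count_disagreements());
    return 0;
}
```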