Re: [squid-users] basic_ldap_auth problem under Fedora

From: Jose-Marcio Martins <Jose-Marcio.Martins_at_mines-paristech.fr>
Date: Thu, 05 Jun 2014 11:52:40 +0200

On 06/05/2014 05:57 AM, Amos Jeffries wrote:
> On 4/06/2014 9:14 p.m., Jose-Marcio Martins wrote:
>> On 06/03/2014 08:00 PM, Amos Jeffries wrote:
>>> On 3/06/2014 8:23 a.m., Jose-Marcio Martins wrote:
>>
>>>
>>> What do you see running it manually with that command line?
>>
>> Good hint. The same thing, see below. And problem solved !!!
>>
>>> If its crashing you could also try running it under a debugger to find
>>> out why.
>>
>> In fact it doesn't crash. It terminates as this is the normal behavior
>> of the helper when TLS connection fails.
>>
>> In fact the problem comes from outside the helper. TLS connection fails
>> because openldap libraries do check the validity of server certificate.
>> Although it's a valid certificate, it fails... 8-(
>>
>> The solution is to put these lines in /etc/openldap/ldap.conf :
>>
>> TLS_REQCERT never
>> TLS_CRLCHECK none
>>
>> Maybe it could be a good idea to force this from inside the helper as
>> ldap.conf is a server wide configuration and, for some people, not so
>> easy to debug.
>
> If anyone wants to produce a patch the helper definitely needs to print
> an error message about the TLS failure.

OK. I'll put this in my todo list. I'm working on another helper (acl/redirect), and can spend some
time here.

>
> Disabling TLS like that is generally not the right thing to do though.

Yes, because it's server-wide.

>
> Some more debugging is needed to find out why the cert is valid and
> still failing verification.

Yes, a more verbose message.

In this case, what can be done, I guess, is to get the error result from the "ldap_start_tls_s" call
and pass it to "ldap_error" to get the human readable version of the error and add it to the
current error message. I can do this. For a more verbose message, one may need tools like strace.

In *my particular case* :

> Perhaps the LDAP server or Squid machine TLS/SSL library needs updating?

No. It's an up to date fedora box with quite recent openssl library.

> or the ca-certificates set used by one of them?

Ha, ha... It's an official and still valid certificate (Comodo), but the chain doesn't seem to be
present inside fedora stock...

> or just a tweak of the acceptable ciphersuites?

Not in my case.

>
> Worst case regenerating the "valid" cert using up-to-date ciphers and
> key lengths may be necessary if it is a very old cert.
>
> Amos
>

-- 
  Sent from my typewriter.
  ---------------------------------------------------------------
   Spam : Classement statistique de messages électroniques -
          Une approche pragmatique
   At Amazon.fr : http://amzn.to/LEscRu ou http://bit.ly/SpamJM
  ---------------------------------------------------------------
  Jose Marcio MARTINS DA CRUZ            http://www.j-chkmail.org
  Ecole des Mines de Paris                   http://bit.ly/SpamJM
  60, bd Saint Michel                      75272 - PARIS CEDEX 06
Received on Thu Jun 05 2014 - 09:52:50 MDT

This archive was generated by hypermail 2.2.0 : Thu Jun 05 2014 - 12:00:05 MDT
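The thread ends with the two points a practitioner needs: the helper only says that StartTLS failed (in libldap the readable text comes from ldap_err2string(3)), and "TLS_REQCERT never" silences the failure for every LDAP client on the box instead of fixing the missing chain. The script below is an added example and is not code from Squid, from the poster, or from the OpenLDAP project. It reproduces the verification OpenSSL would do against the server, maps the X509 verify code to the advice the helper's message omits, and rewrites an ldap.conf so the chain is supplied rather than verification disabled. The host ldap.example.com and the bundle path /etc/pki/tls/certs/ldap-chain.pem are hypothetical; it assumes openssl 1.1.1 or later (for -starttls ldap), grep and sed.

```shell
#!/bin/sh
# Added example for the squid-users thread above; not Squid's or OpenLDAP's code.
# Hypothetical names: the host/port arguments and the chain bundle path in the usage
# comment. Needs openssl >= 1.1.1 (for -starttls ldap), grep and sed.

# Step 1 (needs network, so not exercised by an offline test): have OpenSSL verify
# the server's chain the same way libldap does, and print only the verify line, e.g.
# "20 (unable to get local issuer certificate)" when the server does not send its
# intermediate and the local CA store does not contain it either.
ldap_tls_verify_code() {
    host=$1
    port=${2:-389}
    openssl s_client -connect "$host:$port" -starttls ldap -showcerts </dev/null 2>/dev/null |
        sed -n 's/^ *Verify return code: //p'
}

# Step 2: turn OpenSSL's numeric X509_V_ERR_* code into the advice that a bare
# "TLS failed" from the helper leaves out.
explain_verify_code() {
    case "$1" in
        0)     echo "ok: chain verified against the local CA store" ;;
        2|20)  echo "chain incomplete: install the missing intermediate and point TLS_CACERT at it" ;;
        18|19) echo "self-signed: add the private CA to TLS_CACERT, do not disable verification" ;;
        10)    echo "expired: renew the server certificate" ;;
        62)    echo "hostname mismatch: connect using a name present in the certificate" ;;
        *)     echo "other failure ($1): rerun with 'ldapsearch -ZZ -d 1' for libldap's own message" ;;
    esac
}

# Step 3: fix ldap.conf the right way. Drop the lines that switch verification off
# (TLS_REQCERT never / TLS_CRLCHECK none), point TLS_CACERT at a PEM bundle holding
# the missing intermediate(s), and keep verification mandatory. Edits in place.
harden_ldap_conf() {
    conf=$1
    bundle=$2
    # grep -v exits 1 when no line survives the filter; that is not an error here
    grep -v -E '^[[:space:]]*TLS_(REQCERT|CRLCHECK)[[:space:]]' "$conf" > "$conf.new" || :
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$bundle" >> "$conf.new"
    mv "$conf.new" "$conf"
}

# Usage (hypothetical host and bundle path):
#   code=$(ldap_tls_verify_code ldap.example.com 389 | cut -d' ' -f1)
#   explain_verify_code "$code"
#   harden_ldap_conf /etc/openldap/ldap.conf /etc/pki/tls/certs/ldap-chain.pem
```

Two caveats. A public CA certificate that only verifies once the client is handed the intermediate usually means the LDAP server is not sending its full chain; fixing the server's certificate file is the durable repair, and TLS_CACERT on the client is the workaround. And TLS_REQCERT / TLS_CACERT can also be set per client through the LDAPTLS_REQCERT and LDAPTLS_CACERT environment variables, which is a safer way to test a change than editing the server-wide /etc/openldap/ldap.conf.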