Build openldap ubuntu package to fix SSL problem

Bug #1576258 reported by Nikita Koshikov
Affects: Fuel for OpenStack
Status: Confirmed
Importance: Wishlist
Assigned to: MOS Linux

Bug Description

Pre-story:

One possible way of solving keystone<->AD integration is to set up an openldap proxy in the middle. This scheme has benefits, such as multi-AD support and the possibility to set up a cache that will reduce AD connections.
The key feature that allows configuring the above setup is the 'meta' backend in the openldap configuration.
Also this architecture is actively proposed to our customers.

Problems start when you try to use the meta backend with an SSL endpoint, like below:

uri "ldap://win-ad1.test.com/dc=local,dc=tld"
suffixmassage "dc=local,dc=tld" "ou=Unit1,dc=test,dc=com"
map attribute uid sAMAccountName
map objectclass inetOrgPerson person
map objectclass groupOfNames group
tls start
lastmod off
idassert-bind bindmethod=simple
 binddn="cn=oadmin,ou=OpenStackUsers,ou=Unit1,dc=test,dc=com"
 credentials=passwd
 mode=self
 tls_reqcert=demand
 starttls="yes"
 tls_cacert=/etc/ldap/ssl/server1.pem

uri ldaps://win-ad2.test.com/dc=local,dc=tld
suffixmassage "dc=local,dc=tld" "ou=Unit2,dc=test,dc=com"
map attribute uid sAMAccountName
map objectclass inetOrgPerson person
map objectclass groupOfNames group
lastmod off
idassert-bind bindmethod=simple
 binddn="cn=oadmin,ou=OpenStackUsers,ou=Unit1,dc=test,dc=com"
 credentials="passwd"
 mode=self
 tls_reqcert=allow
 tls_cacert=/etc/ssl/certs/ca-certificates.crt

In short - there are 3 possible connection schemes:
 - ldap:// - works
 - ldap:// with start_tls - works
 - ldaps:// - doesn't work

In the example above, the second connection will be broken; here is the debug output:
57221fb5 conn=1004 op=1 >>> meta_search_dobind_init[1]
ldap_sasl_bind
ldap_send_initial_request
ldap_int_poll: fd: 20 tm: 0
ldap_is_sock_ready: 20
ldap_ndelay_off: 20
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 20
ldap_free_connection: actually freed

Ubuntu 14.04 comes with openldap version 2.4.31; it's broken. Also tested slapd_2.4.42 that comes with 16.04 - it's also broken.

Openldap built from source (git checkout OPENLDAP_REL_ENG_2_4_44) works as expected. The master branch also works.

This is the configure string that was used for self-building:
./configure --prefix=/ --program-prefix=/ --enable-sql=no --disable-ndb --disable-wt --disable-perl --enable-backends=yes --enable-overlays
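An added check for the configuration posted above (example code written for this edit; it is not part of the bug report or of OpenLDAP): it parses back-meta targets out of a slapd.conf fragment, joining slapd.conf's leading-whitespace continuation lines, and flags each target whose transport is plaintext, whose StartTLS is optional (`try-start`/`try-propagate`), whose `tls_reqcert` is `never` or `allow` (the server certificate is not verified, as on the second target in the report) or whose bind password sits in the file. The finding codes and the audit rules are this example's own assumptions; the sample input is the configuration from the report.

```python
"""Audit the TLS settings of OpenLDAP back-meta targets in a slapd.conf fragment.

Added example, not code from the bug report or from OpenLDAP. The sample
configuration is the one posted in the report; the finding codes and rules
are assumptions of this example.
"""
import re
from typing import Dict, List

# Sample input: the two AD targets from the report (constructed here from the post).
SAMPLE_CONFIG = '''
uri "ldap://win-ad1.test.com/dc=local,dc=tld"
suffixmassage "dc=local,dc=tld" "ou=Unit1,dc=test,dc=com"
map attribute uid sAMAccountName
map objectclass inetOrgPerson person
map objectclass groupOfNames group
tls start
lastmod off
idassert-bind bindmethod=simple
 binddn="cn=oadmin,ou=OpenStackUsers,ou=Unit1,dc=test,dc=com"
 credentials=passwd
 mode=self
 tls_reqcert=demand
 starttls="yes"
 tls_cacert=/etc/ldap/ssl/server1.pem

uri ldaps://win-ad2.test.com/dc=local,dc=tld
suffixmassage "dc=local,dc=tld" "ou=Unit2,dc=test,dc=com"
map attribute uid sAMAccountName
map objectclass inetOrgPerson person
map objectclass groupOfNames group
lastmod off
idassert-bind bindmethod=simple
 binddn="cn=oadmin,ou=OpenStackUsers,ou=Unit1,dc=test,dc=com"
 credentials="passwd"
 mode=self
 tls_reqcert=allow
 tls_cacert=/etc/ssl/certs/ca-certificates.crt
'''

# slapd-meta "tls" modes; the try-* variants fall back to plaintext if StartTLS fails.
STARTTLS_MODES = ("start", "propagate", "try-start", "try-propagate")


def join_continuations(text: str) -> List[str]:
    """slapd.conf continues a directive on any line that starts with whitespace."""
    lines: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_targets(text: str) -> List[Dict[str, str]]:
    """Each 'uri' directive opens a new back-meta target; later directives attach to it.

    Repeated directives (e.g. several 'map' lines) overwrite each other; the audit
    only needs 'uri', 'tls' and 'idassert-bind', so that loss is acceptable here.
    """
    targets: List[Dict[str, str]] = []
    for line in join_continuations(text):
        keyword, _, rest = line.partition(" ")
        if keyword == "uri":
            targets.append({"uri": rest.strip().strip('"')})
        elif targets:
            targets[-1][keyword] = rest.strip()
    return targets


def parse_options(directive_args: str) -> Dict[str, str]:
    """Split 'bindmethod=simple binddn="cn=..." tls_reqcert=demand' into key/value pairs."""
    return dict(re.findall(r'(\w+)="?([^\s"]*)"?', directive_args))


def audit_target(target: Dict[str, str]) -> List[str]:
    """Return finding codes for one target; an empty list means nothing was flagged."""
    codes: List[str] = []
    scheme = target["uri"].split("://", 1)[0].lower()
    tls_tokens = target.get("tls", "").split()
    tls_mode = tls_tokens[0] if tls_tokens else ""
    tls_opts = parse_options(" ".join(tls_tokens[1:]))
    bind_opts = parse_options(target.get("idassert-bind", ""))
    starttls = tls_mode in STARTTLS_MODES or bind_opts.get("starttls") == "yes"

    if scheme == "ldap" and not starttls:
        codes.append("cleartext-transport")          # no TLS at all on this target
    if tls_mode.startswith("try-"):
        codes.append("tls-optional")                 # silently degrades to plaintext
    if scheme == "ldaps" or starttls:
        reqcert = bind_opts.get("tls_reqcert") or tls_opts.get("tls_reqcert", "unset")
        if reqcert in ("never", "allow"):
            codes.append("cert-not-verified")        # peer certificate is not checked
    if "credentials" in bind_opts:
        codes.append("credentials-in-file")          # bind password stored in slapd.conf
    return codes


def audit_config(text: str) -> Dict[str, List[str]]:
    """Map each target URI to its list of finding codes."""
    return {t["uri"]: audit_target(t) for t in parse_targets(text)}


if __name__ == "__main__":
    for uri, findings in audit_config(SAMPLE_CONFIG).items():
        print(uri, "->", ", ".join(findings) or "ok")
```

On the report's configuration the first target passes the TLS checks (StartTLS enforced, `tls_reqcert=demand`) and the second is flagged for `tls_reqcert=allow`; both are flagged for the cleartext bind password, which is inherent to `idassert-bind credentials=` in slapd.conf.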

Tags: area-linux
summary: - Build openldap ubuntu packaga for fixing SSL problem
+ Build openldap ubuntu package to fix SSL problem
Changed in fuel:
assignee: nobody → MOS Linux (mos-linux)
milestone: none → 10.0
Roman Podoliaka (rpodolyaka) wrote :

Not really a bug. I'd rather we stick to the version provided by the distro.

Changed in fuel:
importance: Undecided → Wishlist
status: New → Confirmed