389ds / 389-ds-base

The enterprise-class Open Source LDAP server for Linux
https://www.port389.org/

dsconf replication monitor is unable to validate TLS Certificates for other replication instances #4967

Open fager opened 2 years ago

fager commented 2 years ago

Issue Description: "dsconf replication monitor" does not show remote status information when repl-agmts are created with --conn-protocol=ldaps.

Package Version and Platform:

(other versions not tested yet)

Steps to reproduce the behavior:

  1. Setup Multi-Supplier with ldaps replication between instances
  2. Create .dsrc as described in documentation
  3. run: dsconf replication monitor
  4. See error in "screenshots" below
  5. run: dsconf -vvv replication monitor
  6. See details in "screenshots" below

Expected results: Replication status information for all repl-agmts on all instances

Screenshots

Own instance data is displayed as expected.

Data for all other instances is missing:

Supplier: 192.0.2.10:636
-----------------------
Replica Status: Unavailable - Can't contact LDAP server

Debug-Output from "dsconf -vvv ...":

DEBUG: Allocate <class 'lib389.DirSrv'> with 192.0.2.10:636
DEBUG: open(): Connecting to uri ldaps://192.0.2.10:636/
DEBUG: Using dirsrv ca certificate /etc/dirsrv/slapd-template
DEBUG: Using external ca certificate /etc/dirsrv/slapd-template
DEBUG: Using external ca certificate /etc/dirsrv/slapd-template
DEBUG: Using certificate policy 1
DEBUG: ldap.OPT_X_TLS_REQUIRE_CERT = 1
DEBUG: Cannot connect to 'ldaps://192.0.2.10:636/'
DEBUG: Connection to consumer (192.0.2.10:636) failed, error: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'}

Additional context: The tls_cacertdir setting in .dsrc is only valid for the local instance sections.

All connections from repl-monitor-connections are initialized with empty defaults, and only the host, port, bind user and bind password fields can be set.

As all replication partners must work with server certificates from the same CA, the normal TLS context from /etc/dirsrv/slapd-/ should work for the replication monitor.

As soon as I create /etc/dirsrv/slapd-template and put the required certificates (with c_rehash) in there, the dsconf output is as expected.

jchapma commented 2 years ago

We suspect that the server is behaving as expected; we need more information to determine whether this is a bug, an RFE or a misconfiguration.

droideck commented 2 years ago

@fager, do I understand correctly that you mean the 'tls_cacertdir' local path to the CA certificate should be taken into account in the 'replication monitor' operation?

fager commented 2 years ago

@droideck, I'll try to explain this in a bit more detail...

The LDAP connection in lib389 requires tls_cacertdir, as described in man 5 ldap.conf (TLS_CACERTDIR), to verify the server certificate of the target instance.

There are two possible ways to configure the connections in the .dsrc file:

  1. there is a detailed instance section in .dsrc with the tls_cacertdir parameter
  2. the connections are listed in the repl-monitor-connections section

As far as I could read from the Python code, there is no default way to set tls_cacertdir for the connection entries in the repl-monitor-connections section. lib389 has "somewhere" (I could find it) a fallback value of "/etc/dirsrv/slapd-template" for the tls_cacertdir setting:

DEBUG: Using dirsrv ca certificate /etc/dirsrv/slapd-template

Because the "/etc/dirsrv/slapd-template" directory does not exist, the lib389 connection is unable to validate the peer certificate.

A default instance installation has the necessary files in the main configuration directory:

18a51399.0 -> ca.crt
61031c04.0 -> Server-Cert.crt
ca.crt
Server-Cert.crt

A possible solution may be to change the default value for tls_cacertdir from "/etc/dirsrv/slapd-template" to "/etc/dirsrv/slapd-$INSTANCE_NAME", or to allow a default section in the .dsrc file to set the tls_cacertdir for all connections.
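The following preflight check is an added example for this thread (both the "Additional context" in the report and the explanation above); it is not lib389 or dsconf code. Using only the standard library, it parses a .dsrc, works out which CA directory each repl-monitor connection would end up with, and verifies that the directory can actually serve peer-certificate validation: it must exist and contain OpenSSL c_rehash-style "<hash>.N" entries, like the 18a51399.0 -> ca.crt link listed above. Assumed for illustration: the .dsrc layout used in demo(), the "connectionN = host:port:binddn:bindpw" entry format, and a "tls_cacertdir" default key under [repl-monitor-connections] (the second proposal above; it is not a shipped option). The constructed scenario reproduces the report: the local instance verifies fine, the remote supplier falls through to a template directory that is absent.

```python
"""Preflight for the CA-directory problem in this issue (added example, not lib389 code).

Parses a .dsrc, resolves the CA directory each repl-monitor connection would use and
checks that the directory is usable for peer-certificate validation (exists and holds
c_rehash-style "<hash>.N" entries). Assumed: the .dsrc layout in demo(), the
host:port:binddn:bindpw entry format, and a tls_cacertdir default key in the monitor
section (the proposal from this issue, not an existing dsconf option).
"""
import configparser
import os
import re
import tempfile

# Fallback path seen in the -vvv output; treated here as the library default.
TEMPLATE_CACERTDIR = "/etc/dirsrv/slapd-template"
MONITOR_SECTION = "repl-monitor-connections"
# c_rehash names a CA file by subject hash: 8 hex digits, a dot, a collision index.
HASHED_CERT_RE = re.compile(r"^[0-9a-f]{8}\.\d+$")

def parse_dsrc(text):
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg

def monitor_connections(cfg):
    """Return (key, host, port, binddn, bindpw) for each connectionN entry."""
    if not cfg.has_section(MONITOR_SECTION):
        return []
    conns = []
    for key, value in cfg.items(MONITOR_SECTION):
        if not key.startswith("connection"):
            continue  # e.g. the assumed tls_cacertdir default key
        host, port, binddn, bindpw = value.split(":", 3)
        conns.append((key, host, int(port), binddn, bindpw))
    return conns

def instance_cacertdir(cfg, host, port):
    """Reuse tls_cacertdir from a local instance section whose uri is host:port."""
    for section in cfg.sections():
        if section == MONITOR_SECTION:
            continue
        uri = cfg.get(section, "uri", fallback="").rstrip("/")
        if uri.endswith(f"{host}:{port}"):
            return cfg.get(section, "tls_cacertdir", fallback=None)
    return None

def resolve_cacertdir(cfg, host, port, template=TEMPLATE_CACERTDIR):
    """Precedence: instance section, then monitor-section default, then template."""
    explicit = instance_cacertdir(cfg, host, port)
    if explicit:
        return explicit, "instance section"
    if cfg.has_option(MONITOR_SECTION, "tls_cacertdir"):
        return cfg.get(MONITOR_SECTION, "tls_cacertdir"), "monitor-section default"
    return template, "lib389 fallback"

def check_cacertdir(path):
    """(ok, reason): OpenSSL only finds CAs in a directory through hashed names."""
    if not os.path.isdir(path):
        return False, f"{path} does not exist"
    hashed = [f for f in os.listdir(path) if HASHED_CERT_RE.match(f)]
    if not hashed:
        return False, f"{path} has no c_rehash-style entries"
    return True, f"{path} has {len(hashed)} hashed CA entries"

def preflight(dsrc_text, template=TEMPLATE_CACERTDIR):
    """Map host:port -> which CA dir it would use and whether verification can work."""
    cfg = parse_dsrc(dsrc_text)
    report = {}
    for _key, host, port, _binddn, _bindpw in monitor_connections(cfg):
        path, source = resolve_cacertdir(cfg, host, port, template)
        ok, reason = check_cacertdir(path)
        report[f"{host}:{port}"] = {"cacertdir": path, "source": source, "ok": ok, "reason": reason}
    return report

def demo(with_monitor_default=False):
    """Constructed scenario: a local instance with a rehashed CA dir plus one remote
    supplier; the template directory is absent, as on the reporter's system."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "slapd-localhost")
    os.makedirs(good)
    for fname in ("ca.crt", "18a51399.0"):  # constructed stand-ins for c_rehash output
        open(os.path.join(good, fname), "w").close()
    default_line = f"tls_cacertdir = {good}\n" if with_monitor_default else ""
    dsrc = (
        "[localhost]\n"
        "uri = ldaps://localhost:636\n"
        "basedn = dc=example,dc=com\n"
        "binddn = cn=Directory Manager\n"
        f"tls_cacertdir = {good}\n"
        f"\n[{MONITOR_SECTION}]\n"
        f"{default_line}"
        "connection1 = localhost:636:cn=Directory Manager:*\n"
        "connection2 = 192.0.2.10:636:cn=Directory Manager:*\n"
    )
    return preflight(dsrc, template=os.path.join(root, "slapd-template"))

if __name__ == "__main__":
    for label, report in (("no default", demo()), ("with default", demo(True))):
        for target, r in report.items():
            print(f"{label:12} {target:18} {'OK ' if r['ok'] else 'FAIL'} {r['source']}: {r['reason']}")
```

Run it as a script to see both variants: without a monitor-section default the remote supplier reports "does not exist" for the template path, which is the same condition that produces the "certificate verify failed" error in the debug output; with the default key (or an equivalent per-instance directory) the same connection passes. The check only looks for hashed names because that is how OpenSSL's TLS_CACERTDIR lookup works: a directory holding ca.crt without its hash link is as useless for verification as a missing one.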

fager commented 2 years ago

Found some related Issues/BZ: