Improve handling of ldaps URLs, LDAPUseTLS directive in mod_ldap #946

Closed
Castaglia opened this issue Mar 24, 2020 · 1 comment
@Castaglia
Member

The mod_ldap module supports using TLS to talk to LDAP servers, both implicitly, and explicitly (via STARTTLS).

For implicit TLS connections (which have been deprecated in LDAP, but might still be needed), the URL format of the LDAPServer directive is needed, using the "ldaps" scheme, e.g.:

LDAPServer ldaps://ldap.example.com

And for explicit, STARTTLS-like TLS, the LDAPUseTLS directive is used, e.g.:

LDAPServer ldap://ldap.example.com
LDAPUseTLS on

So far, so good. However, if you mistakenly configure both, like so:

LDAPServer ldaps://ldap.example.com
LDAPUseTLS on

then mod_ldap will try to connect immediately using SSL/TLS, and try to do STARTTLS afterward. This will cause the connection to fail with the non-specific error:

Can't contact LDAP server

which implies a network issue -- and is completely misleading.

To prevent such confusion, I propose to modify mod_ldap so that when the "ldaps" scheme is used for an LDAPServer URL, any LDAPUseTLS directive is ignored (with a notice/warning logged about doing so). By using "ldaps", the admin is saying they want to use implicit TLS; trying to honor LDAPUseTLS (either on or off) is redundant at that point.

@Castaglia Castaglia self-assigned this Mar 24, 2020
@Castaglia Castaglia added this to the 1.3.7 milestone Mar 24, 2020
@Castaglia
Member Author

I will also need to improve handling/checks of configurations like:

LDAPServer ldap://ldap1.example.com ldaps://ldap2.example.com

since the LDAPServer directive can take multiple URLs/parameters, not all of which are guaranteed to use the same scheme.
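The rule proposed in the issue, applied per URL, can be sketched as a small configuration check. This is an added example written for this page, not mod_ldap's own code: it parses the LDAPServer and LDAPUseTLS directives out of a proftpd.conf fragment (the sample fragments are constructed), assigns each URL the TLS mode the scheme implies, and records a warning instead of silently attempting STARTTLS over an already-TLS ldaps connection. The boolean spellings accepted for LDAPUseTLS and the default ports 389/636 are assumptions of this example.

```python
"""Added example (not mod_ldap code): decide how TLS applies to each LDAPServer URL.

Rule demonstrated, following the proposal in the issue:
  * ldaps://  -> implicit TLS; any LDAPUseTLS directive is ignored with a warning
  * ldap://   -> STARTTLS if "LDAPUseTLS on", otherwise a plain connection
The LDAPServer directive may list several URLs with differing schemes, so the
decision is made per URL rather than once for the whole directive.
"""
from urllib.parse import urlsplit

# Assumed boolean spellings for the LDAPUseTLS value (example assumption).
TRUE_WORDS = {"on", "true", "yes", "1"}
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # assumed defaults for this example


def parse_directives(conf_text):
    """Return (urls, usetls) from a proftpd.conf fragment.

    usetls is None when no LDAPUseTLS directive is present, True/False otherwise.
    Comment lines and blank lines are skipped; directive names are case-insensitive.
    """
    urls, usetls = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        if name.lower() == "ldapserver":
            urls.extend(rest.split())          # several space-separated URLs allowed
        elif name.lower() == "ldapusetls":
            usetls = rest.strip().lower() in TRUE_WORDS
    return urls, usetls


def plan_tls(urls, usetls):
    """Return (plan, warnings): one plan entry per URL plus any conflict warnings."""
    plan, warnings = [], []
    for url in urls:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS:
            raise ValueError(f"unsupported LDAPServer URL scheme: {url}")
        port = parts.port or DEFAULT_PORTS[scheme]

        if scheme == "ldaps":
            # Implicit TLS from the first byte; a later STARTTLS would fail.
            mode = "implicit"
            if usetls is not None:
                warnings.append(
                    f"LDAPServer {url} uses the ldaps scheme; ignoring "
                    f"'LDAPUseTLS {'on' if usetls else 'off'}'"
                )
        else:
            # Explicit TLS: connect in the clear, then upgrade with STARTTLS.
            mode = "starttls" if usetls else "plain"

        plan.append({"url": url, "host": parts.hostname, "port": port, "tls": mode})
    return plan, warnings


def check_config(conf_text):
    """Convenience wrapper: parse the fragment and plan TLS for every URL."""
    urls, usetls = parse_directives(conf_text)
    return plan_tls(urls, usetls)


if __name__ == "__main__":
    # Constructed sample: the misconfiguration from the issue.
    conflict = "LDAPServer ldaps://ldap.example.com\nLDAPUseTLS on\n"
    plan, warnings = check_config(conflict)
    for entry in plan:
        print(entry)
    for w in warnings:
        print("warning:", w)

    # Constructed sample: mixed schemes in one LDAPServer directive.
    mixed = "LDAPServer ldap://ldap1.example.com ldaps://ldap2.example.com\nLDAPUseTLS on\n"
    for entry in check_config(mixed)[0]:
        print(entry)
```

For the mixed-scheme directive the check yields STARTTLS for the ldap:// entry and implicit TLS for the ldaps:// entry, with one warning noting that LDAPUseTLS is ignored for the latter; that is the behaviour a user reading both directives would expect, instead of a generic "Can't contact LDAP server" after a failed STARTTLS on a TLS socket.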

Castaglia added a commit that referenced this issue Mar 28, 2020
… much

more graceful fashion, working as the user would expect.

Note that this also makes mod_ldap more efficient, as LDAPServer configurations
are only parsed _once_, rather than per-connect.
Castaglia added a commit that referenced this issue Mar 28, 2020
Issue #946: Handle LDAPS URLs and "LDAPUseTLS on" configurations in a…
Castaglia added a commit that referenced this issue Mar 28, 2020