LDAP - enforce SSL


#1

We would like to enforce SSL on LDAP queries.

I added the following to slapd.conf

# security - other directives
# forces a bind operation before DIT access
require bind
# Use of reads on ldaps only port forces use
# of TLS/SSL but not a minimum value
# this directive forces a minimum value
security simple_bind=128

Works fine for “external” queries, but breaks “internal” queries (see attachment).

Is it possible to make UCS SSL proof?





#2

Hello rgerbranda,

LDAP error #13 means that the Java client did not meet the security requirements. Either it tried to communicate unencrypted, or it did not agree on an algorithm strong enough. Additionally, you may have to register the UCS Domain CA certificate with Java as it does not use the system’s own certificate store.

What do you mean by “internal” and “external” queries?

Regards,
Frank Greif.
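
Editor's note, added to the thread and not code from the original posters, from UCS or from OpenLDAP: the following Python model reproduces, in simplified form, the SSF checks slapd.conf(5) documents for the `security` directive used in #1, so that the LDAP error 13 discussed above can be predicted for a given client session. Assumptions (not stated on the page): a session's SSF is the strongest of its transport, TLS and SASL layers; a 128-bit TLS cipher yields SSF 128; an ldapi:// session gets slapd's default `localSSF` of 71. The session scenarios are constructed.

```python
"""Model of the SSF checks behind slapd's `security` directive.

Added example; not code from this thread, from UCS or from OpenLDAP.
It reproduces, in simplified form, the checks slapd.conf(5) documents
for `security ssf= transport= tls= sasl= simple_bind= update_*=`.
Assumptions: a session's SSF is the strongest of its layers; a 128-bit
TLS cipher gives SSF 128; ldapi:// gets the default localSSF of 71.
"""

LDAP_SUCCESS = 0
LDAP_CONFIDENTIALITY_REQUIRED = 13   # "ldap_bind: Confidentiality required (13)"

FACTORS = ("ssf", "transport", "tls", "sasl", "simple_bind",
           "update_ssf", "update_transport", "update_tls", "update_sasl")
UPDATE_OPS = {"add", "modify", "modrdn", "delete"}


def parse_security(directive):
    """Turn 'security simple_bind=128 ssf=1' into {'simple_bind': 128, 'ssf': 1}."""
    tokens = directive.split()
    if not tokens or tokens[0] != "security":
        raise ValueError("not a security directive: %r" % directive)
    policy = {}
    for token in tokens[1:]:
        name, sep, value = token.partition("=")
        if name not in FACTORS or not sep or not value.isdigit():
            raise ValueError("unknown or malformed factor: %r" % token)
        policy[name] = int(value)
    return policy


class Session:
    """SSF contributed by each protection layer of one client connection."""

    def __init__(self, transport_ssf=0, tls_ssf=0, sasl_ssf=0):
        self.transport_ssf = transport_ssf
        self.tls_ssf = tls_ssf
        self.sasl_ssf = sasl_ssf

    @property
    def ssf(self):
        # Assumption: slapd credits the session with its strongest layer.
        return max(self.transport_ssf, self.tls_ssf, self.sasl_ssf)


def check_operation(policy, session, operation):
    """Return (result code, diagnostic) slapd would give for one operation.

    operation is one of 'simple_bind', 'sasl_bind', 'search', 'compare',
    'add', 'modify', 'modrdn', 'delete'.
    """
    def need(factor):
        return policy.get(factor, 0)

    if session.transport_ssf < need("transport"):
        return LDAP_CONFIDENTIALITY_REQUIRED, "transport confidentiality required"
    if session.tls_ssf < need("tls"):
        return LDAP_CONFIDENTIALITY_REQUIRED, "TLS confidentiality required"
    if operation == "simple_bind" and session.ssf < need("simple_bind"):
        return LDAP_CONFIDENTIALITY_REQUIRED, "confidentiality required"
    if operation != "sasl_bind":      # the SASL bind itself is what raises sasl_ssf
        if session.sasl_ssf < need("sasl"):
            return LDAP_CONFIDENTIALITY_REQUIRED, "SASL confidentiality required"
        if session.ssf < need("ssf"):
            return LDAP_CONFIDENTIALITY_REQUIRED, "confidentiality required"
    if operation in UPDATE_OPS:
        if session.transport_ssf < need("update_transport"):
            return LDAP_CONFIDENTIALITY_REQUIRED, "transport update confidentiality required"
        if session.tls_ssf < need("update_tls"):
            return LDAP_CONFIDENTIALITY_REQUIRED, "TLS update confidentiality required"
        if session.sasl_ssf < need("update_sasl"):
            return LDAP_CONFIDENTIALITY_REQUIRED, "SASL update confidentiality required"
        if session.ssf < need("update_ssf"):
            return LDAP_CONFIDENTIALITY_REQUIRED, "update confidentiality required"
    return LDAP_SUCCESS, ""


# Constructed sessions: the ways a client can reach the UCS directory.
SCENARIOS = {
    "cleartext on 7389": Session(),
    "STARTTLS on 7389, 128-bit cipher": Session(tls_ssf=128),
    "ldaps on 7636, 256-bit cipher": Session(tls_ssf=256),
    "ldapi://, default localSSF 71": Session(transport_ssf=71),
}


def evaluate(directive, operation="simple_bind"):
    """Result code per scenario for one directive and one operation."""
    policy = parse_security(directive)
    return {name: check_operation(policy, s, operation)[0]
            for name, s in SCENARIOS.items()}


if __name__ == "__main__":
    for directive in ("security simple_bind=128", "security ssf=128"):
        for op in ("simple_bind", "search"):
            print(directive, op, evaluate(directive, op))
```

Two things the model makes visible that the directive in #1 does not say out loud: `simple_bind=128` only guards the password bind, so a cleartext session that stays anonymous or binds via SASL can still search (the `require bind` from #1 closes the anonymous route; `ssf=128` closes both), and a local tool doing a simple bind over ldapi:/// hits the same error 13 unless `localSSF` is raised above the required value or the tool switches to SASL EXTERNAL.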


#3

Hi Frank,

I will explain the images I have added.

The LDAP error #13 is what I want to achieve. I want to prohibit unencrypted communication by LDAP browsers.
So when I enforce “security simple_bind=128” it works as intended for LDAP browsers.

The problem is in UCS itself. When I enforce encrypted communication, I get the error “The module process died unexpectedly”.

Obviously for some routines in UCS unencrypted communication is required. Is it possible to make all communication encrypted?

Kind regards,
Remko


#4

Hi,

As far as I understood the LDAP and security concepts of UCS, I assumed that even if the ports 389/7389 are used, all components are using TLS.

My colleague Frank Greif did some investigations and it appears that there are some internal mechanisms which have to be adjusted to work with enforced SSL.
The error message you posted does unfortunately not show which component is causing the error.
You can help to improve UCS if you could provide some information from the logs. I’d expect to see something in /var/log/univention/management-console-*.log.

Best Regards,
Dirk Ahrnke


#5

Hi Dirk,

The following modules are failing: Users (/univention-management-console/?lang=en-US#module=udm:users/user:0:), Groups, LDAP directory, DNS

Some snaps from the log files.

Kind regards,
Remko

File: management-console-server.log

24.11.16 14:00:30.953  MAIN        ( PROCESS ) : running: ['/usr/sbin/univention-management-console-module', '-m', 'udm', '-s', '/var/run/univention-management-console/3127-1479992430952.socket', '-d', '2', '-l', 'en_US.UTF-8']
24.11.16 14:00:31.378  MAIN        ( WARN    ) : Socket died (module=udm)
24.11.16 14:00:31.378  MAIN        ( WARN    ) : Module process udm died (pid: 4503, exit status: -1, signal: -1, status: -1)
24.11.16 14:00:31.378  MAIN        ( WARN    ) : Cleaning up requests
24.11.16 14:00:31.378  MAIN        ( WARN    ) : Invalidating all pending requests 147999243094353-26, 147999243135996-6
24.11.16 14:00:31.379  MAIN        ( WARN    ) : Remove inactivity timer
24.11.16 14:00:31.379  MAIN        ( PROCESS ) : ModuleProcess: child died
24.11.16 14:00:31.379  MAIN        ( WARN    ) : Module process udm died (pid: 4503, exit status: -1, signal: 6, status: 6)

File: management-console-module-udm.log

24.11.16 13:59:23.278  DEBUG_INIT
24.11.16 13:59:23.566  LDAP        ( ERROR   ) : ldap_simple_bind: Operations error

#6

Hi,

the management-console-module-udm.log is just saying what we already assumed.

I was hoping that we could see which call/request was causing the error. Would it be possible to increase log verbosity? I guess we need this:

umc/module/debug/level: 4 The verbosity of log messages in /var/log/univention/management-console-module-*. Possible values: 0-4/99 (0: only error messages to 4: all debug statements, with = 99 sensitive data like cleartext passwords is logged as well).

Thanks,
Dirk


#7

Hi Dirk,

It isn’t much information I can add, but maybe it is helpful:

24.11.16 17:12:49.484  ADMIN       ( INFO    ) : admin.syntax.import_syntax_files: importing "/usr/lib/pymodules/python2.7/univention/admin/syntax.d/samlserviceprovider.py"
24.11.16 17:12:49.484  ADMIN       ( INFO    ) : admin.syntax.import_syntax_files: importing "/usr/lib/pymodules/python2.7/univention/admin/syntax.d/example.py"
24.11.16 17:12:49.484  ADMIN       ( INFO    ) : admin.syntax.import_syntax_files: importing "/usr/lib/pymodules/python2.7/univention/admin/syntax.d/__init__.py"
24.11.16 17:12:49.485  ADMIN       ( INFO    ) : admin.syntax.import_syntax_files: importing "/usr/lib/pymodules/python2.7/univention/admin/syntax.d/univention-virtual-machine-manager-schema.py"
24.11.16 17:12:49.485  ADMIN       ( INFO    ) : admin.syntax.import_hook_files: importing "/usr/lib/pymodules/python2.7/univention/admin/hooks.d/__init__.py"
24.11.16 17:12:49.580  ADMIN       ( INFO    ) : admin.syntax.import_syntax_files: importing "/usr/lib/pymodules/python2.7/univention/admin/syntax.d/samlserviceprovider.py"
24.11.16 17:12:49.580  ADMIN       ( INFO    ) : admin.syntax.import_syntax_files: importing "/usr/lib/pymodules/python2.7/univention/admin/syntax.d/example.py"
24.11.16 17:12:49.581  ADMIN       ( INFO    ) : admin.syntax.import_syntax_files: importing "/usr/lib/pymodules/python2.7/univention/admin/syntax.d/__init__.py"
24.11.16 17:12:49.581  ADMIN       ( INFO    ) : admin.syntax.import_syntax_files: importing "/usr/lib/pymodules/python2.7/univention/admin/syntax.d/univention-virtual-machine-manager-schema.py"
24.11.16 17:12:49.582  ADMIN       ( INFO    ) : admin.syntax.import_hook_files: importing "/usr/lib/pymodules/python2.7/univention/admin/hooks.d/__init__.py"
24.11.16 17:12:49.582  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/container/dc"
24.11.16 17:12:49.600  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/container/cn"
24.11.16 17:12:49.601  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/container/ou"
24.11.16 17:12:49.601  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/uvmm/cloudtype"
24.11.16 17:12:49.602  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/uvmm/info"
24.11.16 17:12:49.602  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/uvmm/profile"
24.11.16 17:12:49.603  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/uvmm/cloudconnection"
24.11.16 17:12:49.603  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/saml/serviceprovider"
24.11.16 17:12:49.604  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/networks/network"
24.11.16 17:12:49.604  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/dhcp/server"
24.11.16 17:12:49.605  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/dhcp/shared"
24.11.16 17:12:49.605  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/dhcp/host"
24.11.16 17:12:49.606  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/dhcp/service"
24.11.16 17:12:49.606  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/dhcp/pool"
24.11.16 17:12:49.606  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/dhcp/dhcp"
24.11.16 17:12:49.607  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/dhcp/subnet"
24.11.16 17:12:49.607  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/dhcp/sharedsubnet"
24.11.16 17:12:49.607  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/mail/mail"
24.11.16 17:12:49.608  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/mail/folder"
24.11.16 17:12:49.608  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/mail/domain"
24.11.16 17:12:49.608  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/mail/lists"
24.11.16 17:12:49.609  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/ldapacl"
24.11.16 17:12:49.609  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/xconfig_choices"
24.11.16 17:12:49.609  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/extended_attribute"
24.11.16 17:12:49.610  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/syntax"
24.11.16 17:12:49.611  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/cn"
24.11.16 17:12:49.611  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/extended_options"
24.11.16 17:12:49.612  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/sambadomain"
24.11.16 17:12:49.612  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/ldapschema"
24.11.16 17:12:49.613  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/prohibited_username"
24.11.16 17:12:49.613  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/printermodel"
24.11.16 17:12:49.613  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/default"
24.11.16 17:12:49.613  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/service"
24.11.16 17:12:49.614  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/packages"
24.11.16 17:12:49.614  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/udm_hook"
24.11.16 17:12:49.615  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/umc_operationset"
24.11.16 17:12:49.615  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/udm_syntax"
24.11.16 17:12:49.616  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/usertemplate"
24.11.16 17:12:49.619  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/udm_module"
24.11.16 17:12:49.619  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/settings"
24.11.16 17:12:49.620  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/lock"
24.11.16 17:12:49.620  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/license"
24.11.16 17:12:49.620  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/directory"
24.11.16 17:12:49.620  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/sambaconfig"
24.11.16 17:12:49.621  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/settings/printeruri"
24.11.16 17:12:49.621  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/computers/windows_domaincontroller"
24.11.16 17:12:49.621  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/computers/linux"
24.11.16 17:12:49.621  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/computers/domaincontroller_backup"
24.11.16 17:12:49.621  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/computers/ipmanagedclient"
24.11.16 17:12:49.621  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/computers/ubuntu"
24.11.16 17:12:49.622  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/computers/windows"
24.11.16 17:12:49.622  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/computers/domaincontroller_master"
24.11.16 17:12:49.622  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/computers/computer"
24.11.16 17:12:49.622  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/computers/trustaccount"
24.11.16 17:12:49.622  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/computers/domaincontroller_slave"
24.11.16 17:12:49.622  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/computers/macos"
24.11.16 17:12:49.622  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/computers/memberserver"
24.11.16 17:12:49.622  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/admin_container"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/dhcp_scope"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/dhcp_boot"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/pwhistory"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/registry"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/dhcp_netbios"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/desktop"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/printserver"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/repositoryserver"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/memberpackages"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/policy"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/ldapserver"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/share_userquota"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/print_quota"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/dhcp_statements"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/dhcp_dns"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/autostart"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/umc"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/maintenance"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/dhcp_dnsupdate"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/release"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/slavepackages"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/masterpackages"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/nfsmounts"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/dhcp_leasetime"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/repositorysync"
24.11.16 17:12:49.635  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/policies/dhcp_routing"
24.11.16 17:12:49.636  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/dns/forward_zone"
24.11.16 17:12:49.636  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/dns/alias"
24.11.16 17:12:49.636  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/dns/host_record"
24.11.16 17:12:49.638  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/dns/txt_record"
24.11.16 17:12:49.638  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/dns/ptr_record"
24.11.16 17:12:49.639  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/dns/srv_record"
24.11.16 17:12:49.639  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/dns/reverse_zone"
24.11.16 17:12:49.639  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/dns/dns"
24.11.16 17:12:49.640  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/appcenter/app"
24.11.16 17:12:49.640  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/groups/group"
24.11.16 17:12:49.640  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/kerberos/kdcentry"
24.11.16 17:12:49.641  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/shares/printergroup"
24.11.16 17:12:49.641  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/shares/printer"
24.11.16 17:12:49.642  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/shares/print"
24.11.16 17:12:49.642  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/shares/share"
24.11.16 17:12:49.644  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/nagios/service"
24.11.16 17:12:49.644  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/nagios/nagios"
24.11.16 17:12:49.646  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/nagios/timeperiod"
24.11.16 17:12:49.646  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/users/user"
24.11.16 17:12:49.646  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/users/self"
24.11.16 17:12:49.646  ADMIN       ( INFO    ) : admin.modules.update: importing "univention/admin/handlers/users/passwd"
24.11.16 17:12:49.650  MAIN        ( INFO    ) : Initialising server process
24.11.16 17:12:49.650  MAIN        ( INFO    ) : Using a UNIX socket
24.11.16 17:12:49.650  SSL         ( INFO    ) : Server listening to connections
24.11.16 17:12:49.673  MAIN        ( INFO    ) : Incoming connection from 
24.11.16 17:12:49.674  PARSER      ( INFO    ) : UMCP REQUEST 148000396967300-4 parsed successfully
24.11.16 17:12:49.674  MODULE      ( INFO    ) : Received request 148000396967300-4
24.11.16 17:12:49.674  PROTOCOL    ( INFO    ) : Received UMCP SET REQUEST 148000396967300-4
24.11.16 17:12:49.674  MODULE      ( INFO    ) : Setting specified locale (en_US.UTF-8)
24.11.16 17:12:49.675  MODULE      ( INFO    ) : Setting user LDAP DN 'uid=Administrator,cn=users,dc=finalist,dc=tst'
24.11.16 17:12:49.675  MODULE      ( INFO    ) : Initializing module as user 'uid=Administrator,cn=users,dc=finalist,dc=tst'
24.11.16 17:12:49.689  LDAP        ( ERROR   ) : ldap_simple_bind: Operations error

#8

Attached I have some error messages found by Firebug.

The error is in dojo.js, line 1167



#9

Hello,

I approached the problem from ‘behind’, and perhaps found the script that is internally called from what you saw at the surface:

/usr/share/pyshared/univention/admincli/admin.py:1028: p1 = subprocess.Popen(['univention_policy_result'] + policyOptions + [utf8_objectdn], stdout=subprocess.PIPE)
/usr/share/pyshared/univention/admincli/admin.py:1067: p1 = subprocess.Popen(['univention_policy_result'] + policyOptions + [utf8_subnet_dn], stdout=subprocess.PIPE)

So it boils down to the fact that this script does not pass host/port/TLS parameters to the ‘univention_policy_result’ binary, and this in turn uses its built-in defaults. I didn’t dig into its source just yet.

The help text of univention_policy_result does not even mention a ‘port’ argument, and nothing at all about encryption. It seems likely that equipping this binary with encryption capabilities by default would finally fix most of the behaviour you have encountered.

Regards,
Frank Greif.


#10

Hello,

just FYI, erratum 368 for UCS 4.1 (Jan 5 2017) fixed univention-policy-result such that it now always uses TLS. At least in my test scenario, I didn’t see any LDAP clear text communication anymore.

Regards,
Frank Greif.


#11

Hi Frank,

Thanks for the information!

I started testing and found that the join-script fails. When opening the join-page I get:

17.01.17 21:08:19.279  PARSER      ( INFO    ) : UMCP REQUEST 148468369918018-342 parsed successfully
17.01.17 21:08:19.279  MODULE      ( INFO    ) : Received request 148468369918018-342
17.01.17 21:08:19.279  PROTOCOL    ( INFO    ) : Received UMCP COMMAND REQUEST 148468369918018-342
17.01.17 21:08:19.279  MODULE      ( INFO    ) : Executing ['join/master']
17.01.17 21:08:19.281  PROTOCOL    ( INFO    ) : Sending UMCP RESPONSE 148468369918018-342
17.01.17 21:08:19.284  PARSER      ( INFO    ) : UMCP REQUEST 148468369923175-344 parsed successfully
17.01.17 21:08:19.284  MODULE      ( INFO    ) : Received request 148468369923175-344
17.01.17 21:08:19.284  PROTOCOL    ( INFO    ) : Received UMCP COMMAND REQUEST 148468369923175-344
17.01.17 21:08:19.284  MODULE      ( INFO    ) : Executing ['join/locked']
17.01.17 21:08:19.285  PROTOCOL    ( INFO    ) : Sending UMCP RESPONSE 148468369923175-344
17.01.17 21:08:19.287  PARSER      ( INFO    ) : UMCP REQUEST 148468369925083-345 parsed successfully
17.01.17 21:08:19.287  MODULE      ( INFO    ) : Received request 148468369925083-345
17.01.17 21:08:19.287  PROTOCOL    ( INFO    ) : Received UMCP COMMAND REQUEST 148468369925083-345
17.01.17 21:08:19.287  MODULE      ( INFO    ) : Executing ['join/joined']
17.01.17 21:08:19.287  PROTOCOL    ( INFO    ) : Sending UMCP RESPONSE 148468369925083-345
17.01.17 21:08:19.287  PARSER      ( INFO    ) : UMCP REQUEST 148468369925396-346 parsed successfully
17.01.17 21:08:19.287  MODULE      ( INFO    ) : Received request 148468369925396-346
17.01.17 21:08:19.287  PROTOCOL    ( INFO    ) : Received UMCP COMMAND REQUEST 148468369925396-346
17.01.17 21:08:19.287  MODULE      ( INFO    ) : Executing ['join/running']
17.01.17 21:08:19.287  PROTOCOL    ( INFO    ) : Sending UMCP RESPONSE 148468369925396-346
17.01.17 21:08:19.493  PARSER      ( INFO    ) : UMCP REQUEST 148468369943530-348 parsed successfully
17.01.17 21:08:19.493  MODULE      ( INFO    ) : Received request 148468369943530-348
17.01.17 21:08:19.493  PROTOCOL    ( INFO    ) : Received UMCP COMMAND REQUEST 148468369943530-348
17.01.17 21:08:19.493  MODULE      ( INFO    ) : Executing ['join/scripts/query']
17.01.17 21:08:19.689  MODULE      ( PROCESS ) : Error: ldapsearch -x failed
17.01.17 21:08:19.689  PROTOCOL    ( INFO    ) : Sending UMCP RESPONSE 148468369943530-348

and

Start /usr/sbin/univention-check-join-status at Tue Jan 17 21:09:03 CET 2017
ldap_bind: Confidentiality required (13)
	additional info: confidentiality required
Error: ldapsearch -x failed

Can you reproduce this?

Kind regards,
Remko


#12

Hello Remko,

Yes, I can confirm that. You have just found the next culprit doing unencrypted LDAP queries.

univention-check-join-status looks like this:

if ! ldapsearch -x -h "$ldap_master" -p "$ldap_master_port" -D "$ldap_hostdn" -w "$(</etc/machine.secret)" -b "$ldap_base" -s base >>"$LOG_FILE" 2>&1
then
        log_error "ldapsearch -x failed"
fi


if ! ldapsearch -x -ZZ -h "$ldap_master" -p "$ldap_master_port" -D "$ldap_hostdn" -w "$(</etc/machine.secret)" -b "$ldap_base" -s base >>"$LOG_FILE" 2>&1
then
        log_error "ldapsearch -x -ZZ failed"
fi

Thinking about the logic: “try to connect unencrypted, FAIL the whole script if it doesn’t succeed” and then “try to connect with STARTTLS, FAIL the whole script too if it does not succeed”. From my point of view, the first query is unnecessary. Why do they have to ENSURE that an unencrypted ldapsearch will succeed?

Commenting away the first of these two queries will make univention-check-join-status work as intended: it works even if cleartext communication is inhibited (at least in my test environment).

Doing a simple grep over all shell and Python scripts in my test environment reveals that there are lots of ‘ldapsearch’ and related operations without -ZZ. Perhaps you’re right, and it’s a nearly impossible task to avoid unencrypted LDAP traffic.

Regards,
Frank Greif.
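
Editor's note, added to the thread and not code from the posters or from UCS: the following Python script automates the grep Frank describes, classifying every ldapsearch/ldapmodify/... invocation found in shell or Python source text by how it reaches the server. The rules are this example's reading of the ldap*(1) options and are assumptions, not from the page: `-ZZ` requires STARTTLS, `-Z` only attempts it and continues in clear text if it fails, `-H` with an ldaps:// or ldapi:// URI is encrypted or local, anything else (`-h`/`-p`, `-H ldap://`) is clear text. The sample sources are constructed; the two `ldapsearch` lines are the ones quoted from univention-check-join-status above.

```python
"""Find OpenLDAP command-line client calls that may go out in clear text.

Added example; not code from this thread or from UCS. Classification
rules (assumptions): -ZZ requires STARTTLS, -Z only attempts it,
-H ldaps://... or ldapi://... is encrypted or local, all else is clear
text. Sample sources below are constructed.
"""
import re
import shlex

LDAP_TOOLS = {"ldapsearch", "ldapmodify", "ldapadd", "ldapdelete",
              "ldapcompare", "ldapmodrdn", "ldappasswd", "ldapwhoami"}
TOOL_RE = re.compile(r"\b(%s)\b" % "|".join(sorted(LDAP_TOOLS)))
PROTECTED = {"starttls-required", "ldaps", "ldapi"}


def classify_command(line):
    """Return (tool, status) for the first ldap* client on the line, else None."""
    if not TOOL_RE.search(line):
        return None
    # Brackets, parentheses and commas separate Python list literals and
    # shell $(...) substitutions from the option words we care about.
    try:
        argv = shlex.split(re.sub(r"[\[\](),]", " ", line), comments=True)
    except ValueError:                    # unbalanced quotes: crude fallback
        argv = line.split()
    try:
        start = next(i for i, tok in enumerate(argv) if tok in LDAP_TOOLS)
    except StopIteration:                 # the word only appears inside a string
        return None
    tool, args = argv[start], argv[start + 1:]
    status, uri = "cleartext", None
    for i, arg in enumerate(args):
        if arg == "-ZZ":
            return tool, "starttls-required"
        if arg == "-Z":
            status = "starttls-optional"
        if arg == "-H" and i + 1 < len(args):
            uri = args[i + 1]
        elif arg.startswith("-H") and len(arg) > 2:
            uri = arg[2:]
    if uri:
        scheme = uri.split("://", 1)[0].lower()
        if scheme in ("ldaps", "ldapi"):
            return tool, scheme
    return tool, status


def audit_source(text, path):
    """All ldap* client calls in one file's text, each with a protected flag."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        result = classify_command(line)
        if result is None:
            continue
        tool, status = result
        findings.append({"path": path, "line": lineno, "tool": tool,
                         "status": status, "protected": status in PROTECTED})
    return findings


# Constructed shell sample: the two queries quoted from
# univention-check-join-status, plus two more ways of calling the tools.
SAMPLE_SHELL = r'''if ! ldapsearch -x -h "$ldap_master" -p "$ldap_master_port" -D "$ldap_hostdn" -w "$(</etc/machine.secret)" -b "$ldap_base" -s base >>"$LOG_FILE" 2>&1
then
        log_error "ldapsearch -x failed"
fi
if ! ldapsearch -x -ZZ -h "$ldap_master" -p "$ldap_master_port" -D "$ldap_hostdn" -w "$(</etc/machine.secret)" -b "$ldap_base" -s base >>"$LOG_FILE" 2>&1
then
        log_error "ldapsearch -x -ZZ failed"
fi
ldapsearch -x -Z -h "$ldap_master" -b "$ldap_base" -s base
ldapwhoami -x -H ldaps://$ldap_master:7636 -D "$ldap_hostdn" -w "$(</etc/machine.secret)"
'''

# Constructed Python sample: subprocess calls of the same tools.
SAMPLE_PYTHON = '''out = subprocess.check_output(['ldapsearch', '-x', '-ZZ', '-h', master, '-b', base])
out = subprocess.check_output(['ldapsearch', '-x', '-h', master, '-b', base])
'''


def run_audit():
    """Audit both constructed samples and return every finding."""
    return (audit_source(SAMPLE_SHELL, "univention-check-join-status")
            + audit_source(SAMPLE_PYTHON, "example.py"))


if __name__ == "__main__":
    for f in run_audit():
        flag = "ok " if f["protected"] else "BAD"
        print("%s %s:%d %s (%s)" % (flag, f["path"], f["line"], f["tool"], f["status"]))
```

Run over /usr/sbin, /usr/share/univention-* and the join scripts, the unprotected findings are the candidates for the fix Frank applied by hand (drop the query, or give it `-ZZ` or an ldaps:// URI). The classifier sees one line at a time, so a python-ldap `initialize("ldap://...")` followed later by `start_tls_s()` is out of its scope.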


#13

Hi Remko,

Just yesterday, bug 43425 appeared, so the problem is now being addressed in the current development.

Regards,
Frank Greif.


#14

Hi Frank,

I found a complicated one: bind-sdb + LDAP backend

Configuration file: /etc/bind/univention.conf.d/finalist.tst

zone "finalist.tst" {
	type master;
	notify yes;
	database "ldap ldap://127.0.0.1:7389/zoneName=finalist.tst,cn=dns,dc=finalist,dc=tst????!bindname=cn=t-ucs%2ccn=dc%2ccn=computers%2cdc=finalist%2cdc=tst,!x-bindpw=xyxyxyxyxy,x-tls 172800";
};

Although the parameter ‘x-tls’ is added by default by Univention, bind fails when enforcing SSL.

Error message in /var/log/syslog

LDAP sdb zone 'finalist.tst': bind failed

This is an interesting one… StartTLS normally requires a match of hostname in the URL and certificate… the hostname comes from DNS… DNS is not working when SSL is enforced.

Nice challenge.

Kind regards,
Remko


#15

Hi Remko,

I don’t think that presenting the certificate is the problem here. A joined computer knows its own name/domain and owns a certificate issued to it, all without asking DNS or LDAP.

I’d think that the ‘x-tls’ option is not honored at all: Bind tries unencrypted communication, and gives up. If I add an exclamation mark this way ‘!x-tls’, making it a critical option, Bind logs:

named[5067]: LDAP sdb zone '122.168.192.in-addr.arpa': URL: unknown critical extension

On the other hand, changing the protocol to ‘ldaps://’ and the port to 7636 works immediately, even without the ‘x-tls’ attribute.

To make it permanent, you could edit /usr/lib/univention-directory-listener/system/bind.py lines 118 and 139.

Regards,
Frank Greif.
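
Editor's note, added to the thread and not code from the posters, from UCS or from bind9: the following Python parses the LDAP URL inside a bind sdb-ldap `database` statement according to RFC 4516 (dn?attrs?scope?filter?extensions, with a leading `!` marking a critical extension) and rewrites it the way Frank found to work: scheme ldaps://, port 7636, `x-tls` dropped. The input is the zone definition from #14 with the same password placeholder; port 7636 is taken from #15 and assumed to be the UCS ldaps port; IPv6 host literals are not handled.

```python
"""Parse and rewrite the LDAP URL in a bind9 sdb-ldap `database` statement.

Added example; not code from this thread, from UCS or from bind9.
Assumptions: ldaps on port 7636 (from Frank's post), no IPv6 literals.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

URL_RE = re.compile(r"^(?P<scheme>ldaps?|ldapi)://(?P<authority>[^/]*)(?:/(?P<rest>.*))?$")
DATABASE_RE = re.compile(r'(database\s+"ldap\s+)(\S+)(\s+\d+")')


@dataclass
class Extension:
    name: str
    value: Optional[str]
    critical: bool          # RFC 4516: '!' prefix, server must refuse if unknown

    def render(self):
        text = ("!" if self.critical else "") + self.name
        return text if self.value is None else text + "=" + self.value


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: Optional[int]
    dn: str = ""
    attributes: str = ""
    scope: str = ""
    filter_: str = ""
    extensions: List[Extension] = field(default_factory=list)

    def render(self):
        authority = self.host if self.port is None else "%s:%d" % (self.host, self.port)
        parts = [self.dn, self.attributes, self.scope, self.filter_,
                 ",".join(e.render() for e in self.extensions)]
        return "%s://%s/%s" % (self.scheme, authority, "?".join(parts).rstrip("?"))


def parse_ldap_url(url):
    """Split an ldap/ldaps/ldapi URL into its RFC 4516 components."""
    m = URL_RE.match(url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    host, port = m.group("authority"), None
    if ":" in host:
        host, port_text = host.rsplit(":", 1)
        port = int(port_text)
    fields = (m.group("rest") or "").split("?")
    fields += [""] * (5 - len(fields))
    dn, attributes, scope, filter_, ext_text = fields[:5]
    extensions = []
    for item in ext_text.split(","):
        if not item:
            continue
        critical = item.startswith("!")
        name, sep, value = item.lstrip("!").partition("=")
        extensions.append(Extension(name, value if sep else None, critical))
    return LdapUrl(m.group("scheme"), host, port, dn, attributes, scope, filter_, extensions)


def transport_status(url):
    """'ldaps' / 'ldapi' are protected; 'cleartext-x-tls' records the
    x-tls extension that bind-sdb, per the thread, does not honour."""
    if url.scheme in ("ldaps", "ldapi"):
        return url.scheme
    names = [e.name for e in url.extensions]
    return "cleartext-x-tls" if "x-tls" in names else "cleartext"


def to_ldaps(url, ldaps_port=7636):
    """Same DN, bind credentials and search parameters over ldaps://."""
    kept = [e for e in url.extensions if e.name != "x-tls"]
    return LdapUrl("ldaps", url.host, ldaps_port, url.dn, url.attributes,
                   url.scope, url.filter_, kept)


def rewrite_sdb_database_line(line, ldaps_port=7636):
    """Rewrite the URL inside one `database "ldap <url> <ttl>";` statement."""
    m = DATABASE_RE.search(line)
    if not m:
        raise ValueError("no sdb-ldap database statement in line")
    new_url = to_ldaps(parse_ldap_url(m.group(2)), ldaps_port).render()
    return line[:m.start(2)] + new_url + line[m.end(2):]


# The zone definition from the thread; password placeholder as posted.
SAMPLE_URL = ("ldap://127.0.0.1:7389/zoneName=finalist.tst,cn=dns,dc=finalist,dc=tst????"
              "!bindname=cn=t-ucs%2ccn=dc%2ccn=computers%2cdc=finalist%2cdc=tst,"
              "!x-bindpw=xyxyxyxyxy,x-tls")
SAMPLE_LINE = '\tdatabase "ldap %s 172800";' % SAMPLE_URL

if __name__ == "__main__":
    print(transport_status(parse_ldap_url(SAMPLE_URL)))
    print(rewrite_sdb_database_line(SAMPLE_LINE))
```

Applied to every `/etc/bind/univention.conf.d/*` zone file (or, as Frank suggests, to the listener module that generates them) this turns each definition into the ldaps:// form; the `transport_status` of each URL before the change is the list of zones that still bind in clear text.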