We would like to enforce SSL on LDAP queries.
I added the following to slapd.conf
# security - other directives
# forces a bind operation before DIT access
require bind
# Use of reads on ldaps only port forces use
# of TLS/SSL but not a minimum value
# this directive forces a minimum value
security simple_bind=128
Works fine for “external” queries, but breaks “internal” queries (see attachment).
Is it possible to make UCS SSL proof?
greif
November 21, 2016, 5:37pm
2
Hello rgerbranda,
LDAP error #13 means that the Java client did not meet the security requirements. Either it tried to communicate unencrypted, or it did not agree on an algorithm strong enough. Additionally, you may have to register the UCS Domain CA certificate with Java as it does not use the system’s own certificate store.
What do you mean by “internal” and “external” queries?
Regards,
Frank Greif.
Hi Frank,
I will explain the images I have added.
The LDAP error #13 is what I want to achieve. I want to prohibit unencrypted communication by LDAP browsers.
So when I enforce “security simple_bind=128” it works as intended for LDAP browsers.
The problem is in UCS itself. When I enforce encrypted communication, I get error “The module process died unexpectedly”.
Obviously for some routines in UCS unencrypted communication is required. Is it possible to make all communication encrypted?
Kind regards,
Remko
ahrnke
November 24, 2016, 11:47am
4
Hi,
as far as I understood the LDAP and security concepts of UCS I assumed that even if the ports 389/7389 are used all components are using TLS.
My colleague Frank Greif did some investigations and it appears that there are some internal mechanisms which have to be adjusted to work with enforced SSL.
The error message you posted does unfortunately not show which component is causing the error.
You can help to improve UCS if you could provide some information from the logs. I’d expect to see something in /var/log/univention/management-console-*.log.
Best Regards,
Dirk Ahrnke
Hi Dirk,
The following modules are failing: Users (/univention-management-console/?lang=en-US#module=udm:users/user:0:), Groups, LDAP directory, DNS
Some snaps from the log files.
Kind regards,
Remko
File: management-console-server.log
24.11.16 14:00:30.953 MAIN ( PROCESS ) : running: ['/usr/sbin/univention-management-console-module', '-m', 'udm', '-s', '/var/run/univention-management-console/3127-1479992430952.socket', '-d', '2', '-l', 'en_US.UTF-8']
24.11.16 14:00:31.378 MAIN ( WARN ) : Socket died (module=udm)
24.11.16 14:00:31.378 MAIN ( WARN ) : Module process udm died (pid: 4503, exit status: -1, signal: -1, status: -1)
24.11.16 14:00:31.378 MAIN ( WARN ) : Cleaning up requests
24.11.16 14:00:31.378 MAIN ( WARN ) : Invalidating all pending requests 147999243094353-26, 147999243135996-6
24.11.16 14:00:31.379 MAIN ( WARN ) : Remove inactivity timer
24.11.16 14:00:31.379 MAIN ( PROCESS ) : ModuleProcess: child died
24.11.16 14:00:31.379 MAIN ( WARN ) : Module process udm died (pid: 4503, exit status: -1, signal: 6, status: 6)
File: management-console-module-udm.log
24.11.16 13:59:23.278 DEBUG_INIT
24.11.16 13:59:23.566 LDAP ( ERROR ) : ldap_simple_bind: Operations error
ahrnke
November 24, 2016, 1:29pm
6
Hi,
the management-console-module-udm.log is just saying what we already assumed.
I was hoping that we could see which call/request was causing the error. Would it be possible to increase log verbosity? I guess we need this:
umc/module/debug/level: 4
The verbosity of log messages in /var/log/univention/management-console-module-*. Possible values: 0-4/99 (0: only error messages to 4: all debug statements, with = 99 sensitive data like cleartext passwords is logged as well).
Thanks,
Dirk
Hi Dirk,
It isn’t much information I can add, but maybe it is helpful.
24.11.16 17:12:49.484 ADMIN ( INFO ) : admin.syntax.import_syntax_files: importing "/usr/lib/pymodules/python2.7/univention/admin/syntax.d/samlserviceprovider.py"
24.11.16 17:12:49.484 ADMIN ( INFO ) : admin.syntax.import_syntax_files: importing "/usr/lib/pymodules/python2.7/univention/admin/syntax.d/example.py"
24.11.16 17:12:49.484 ADMIN ( INFO ) : admin.syntax.import_syntax_files: importing "/usr/lib/pymodules/python2.7/univention/admin/syntax.d/__init__.py"
24.11.16 17:12:49.485 ADMIN ( INFO ) : admin.syntax.import_syntax_files: importing "/usr/lib/pymodules/python2.7/univention/admin/syntax.d/univention-virtual-machine-manager-schema.py"
24.11.16 17:12:49.485 ADMIN ( INFO ) : admin.syntax.import_hook_files: importing "/usr/lib/pymodules/python2.7/univention/admin/hooks.d/__init__.py"
24.11.16 17:12:49.580 ADMIN ( INFO ) : admin.syntax.import_syntax_files: importing "/usr/lib/pymodules/python2.7/univention/admin/syntax.d/samlserviceprovider.py"
24.11.16 17:12:49.580 ADMIN ( INFO ) : admin.syntax.import_syntax_files: importing "/usr/lib/pymodules/python2.7/univention/admin/syntax.d/example.py"
24.11.16 17:12:49.581 ADMIN ( INFO ) : admin.syntax.import_syntax_files: importing "/usr/lib/pymodules/python2.7/univention/admin/syntax.d/__init__.py"
24.11.16 17:12:49.581 ADMIN ( INFO ) : admin.syntax.import_syntax_files: importing "/usr/lib/pymodules/python2.7/univention/admin/syntax.d/univention-virtual-machine-manager-schema.py"
24.11.16 17:12:49.582 ADMIN ( INFO ) : admin.syntax.import_hook_files: importing "/usr/lib/pymodules/python2.7/univention/admin/hooks.d/__init__.py"
24.11.16 17:12:49.582 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/container/dc"
24.11.16 17:12:49.600 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/container/cn"
24.11.16 17:12:49.601 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/container/ou"
24.11.16 17:12:49.601 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/uvmm/cloudtype"
24.11.16 17:12:49.602 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/uvmm/info"
24.11.16 17:12:49.602 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/uvmm/profile"
24.11.16 17:12:49.603 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/uvmm/cloudconnection"
24.11.16 17:12:49.603 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/saml/serviceprovider"
24.11.16 17:12:49.604 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/networks/network"
24.11.16 17:12:49.604 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/dhcp/server"
24.11.16 17:12:49.605 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/dhcp/shared"
24.11.16 17:12:49.605 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/dhcp/host"
24.11.16 17:12:49.606 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/dhcp/service"
24.11.16 17:12:49.606 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/dhcp/pool"
24.11.16 17:12:49.606 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/dhcp/dhcp"
24.11.16 17:12:49.607 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/dhcp/subnet"
24.11.16 17:12:49.607 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/dhcp/sharedsubnet"
24.11.16 17:12:49.607 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/mail/mail"
24.11.16 17:12:49.608 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/mail/folder"
24.11.16 17:12:49.608 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/mail/domain"
24.11.16 17:12:49.608 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/mail/lists"
24.11.16 17:12:49.609 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/ldapacl"
24.11.16 17:12:49.609 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/xconfig_choices"
24.11.16 17:12:49.609 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/extended_attribute"
24.11.16 17:12:49.610 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/syntax"
24.11.16 17:12:49.611 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/cn"
24.11.16 17:12:49.611 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/extended_options"
24.11.16 17:12:49.612 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/sambadomain"
24.11.16 17:12:49.612 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/ldapschema"
24.11.16 17:12:49.613 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/prohibited_username"
24.11.16 17:12:49.613 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/printermodel"
24.11.16 17:12:49.613 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/default"
24.11.16 17:12:49.613 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/service"
24.11.16 17:12:49.614 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/packages"
24.11.16 17:12:49.614 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/udm_hook"
24.11.16 17:12:49.615 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/umc_operationset"
24.11.16 17:12:49.615 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/udm_syntax"
24.11.16 17:12:49.616 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/usertemplate"
24.11.16 17:12:49.619 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/udm_module"
24.11.16 17:12:49.619 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/settings"
24.11.16 17:12:49.620 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/lock"
24.11.16 17:12:49.620 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/license"
24.11.16 17:12:49.620 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/directory"
24.11.16 17:12:49.620 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/sambaconfig"
24.11.16 17:12:49.621 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/settings/printeruri"
24.11.16 17:12:49.621 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/computers/windows_domaincontroller"
24.11.16 17:12:49.621 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/computers/linux"
24.11.16 17:12:49.621 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/computers/domaincontroller_backup"
24.11.16 17:12:49.621 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/computers/ipmanagedclient"
24.11.16 17:12:49.621 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/computers/ubuntu"
24.11.16 17:12:49.622 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/computers/windows"
24.11.16 17:12:49.622 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/computers/domaincontroller_master"
24.11.16 17:12:49.622 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/computers/computer"
24.11.16 17:12:49.622 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/computers/trustaccount"
24.11.16 17:12:49.622 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/computers/domaincontroller_slave"
24.11.16 17:12:49.622 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/computers/macos"
24.11.16 17:12:49.622 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/computers/memberserver"
24.11.16 17:12:49.622 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/admin_container"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/dhcp_scope"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/dhcp_boot"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/pwhistory"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/registry"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/dhcp_netbios"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/desktop"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/printserver"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/repositoryserver"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/memberpackages"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/policy"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/ldapserver"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/share_userquota"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/print_quota"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/dhcp_statements"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/dhcp_dns"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/autostart"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/umc"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/maintenance"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/dhcp_dnsupdate"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/release"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/slavepackages"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/masterpackages"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/nfsmounts"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/dhcp_leasetime"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/repositorysync"
24.11.16 17:12:49.635 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/policies/dhcp_routing"
24.11.16 17:12:49.636 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/dns/forward_zone"
24.11.16 17:12:49.636 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/dns/alias"
24.11.16 17:12:49.636 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/dns/host_record"
24.11.16 17:12:49.638 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/dns/txt_record"
24.11.16 17:12:49.638 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/dns/ptr_record"
24.11.16 17:12:49.639 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/dns/srv_record"
24.11.16 17:12:49.639 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/dns/reverse_zone"
24.11.16 17:12:49.639 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/dns/dns"
24.11.16 17:12:49.640 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/appcenter/app"
24.11.16 17:12:49.640 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/groups/group"
24.11.16 17:12:49.640 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/kerberos/kdcentry"
24.11.16 17:12:49.641 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/shares/printergroup"
24.11.16 17:12:49.641 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/shares/printer"
24.11.16 17:12:49.642 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/shares/print"
24.11.16 17:12:49.642 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/shares/share"
24.11.16 17:12:49.644 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/nagios/service"
24.11.16 17:12:49.644 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/nagios/nagios"
24.11.16 17:12:49.646 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/nagios/timeperiod"
24.11.16 17:12:49.646 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/users/user"
24.11.16 17:12:49.646 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/users/self"
24.11.16 17:12:49.646 ADMIN ( INFO ) : admin.modules.update: importing "univention/admin/handlers/users/passwd"
24.11.16 17:12:49.650 MAIN ( INFO ) : Initialising server process
24.11.16 17:12:49.650 MAIN ( INFO ) : Using a UNIX socket
24.11.16 17:12:49.650 SSL ( INFO ) : Server listening to connections
24.11.16 17:12:49.673 MAIN ( INFO ) : Incoming connection from
24.11.16 17:12:49.674 PARSER ( INFO ) : UMCP REQUEST 148000396967300-4 parsed successfully
24.11.16 17:12:49.674 MODULE ( INFO ) : Received request 148000396967300-4
24.11.16 17:12:49.674 PROTOCOL ( INFO ) : Received UMCP SET REQUEST 148000396967300-4
24.11.16 17:12:49.674 MODULE ( INFO ) : Setting specified locale (en_US.UTF-8)
24.11.16 17:12:49.675 MODULE ( INFO ) : Setting user LDAP DN 'uid=Administrator,cn=users,dc=finalist,dc=tst'
24.11.16 17:12:49.675 MODULE ( INFO ) : Initializing module as user 'uid=Administrator,cn=users,dc=finalist,dc=tst'
24.11.16 17:12:49.689 LDAP ( ERROR ) : ldap_simple_bind: Operations error
Attached I have some error messages found by Firebug.
The error is in dojo.js, line 1167
greif
December 2, 2016, 11:03am
9
Hello,
I approached the problem from ‘behind’, and perhaps found the script that is internally called from what you saw at the surface:
/usr/share/pyshared/univention/admincli/admin.py:1028: p1 = subprocess.Popen(['univention_policy_result'] + policyOptions + [utf8_objectdn], stdout=subprocess.PIPE)
/usr/share/pyshared/univention/admincli/admin.py:1067: p1 = subprocess.Popen(['univention_policy_result'] + policyOptions + [utf8_subnet_dn], stdout=subprocess.PIPE)
So it boils down to the fact that this script does not pass host/port/TLS parameters to the ‘univention_policy_result’ binary, and this in turn uses its built-in defaults. I didn’t dig into its source just yet.
The help text of univention_policy_result does not even mention a ‘port’ argument, and nothing at all about encryption. It seems likely that equipping this binary with encryption capabilities by default would finally fix most of the behaviour you have encountered.
Regards,
Frank Greif.
greif
January 17, 2017, 10:17am
10
Hello,
just FYI, erratum 368 for UCS 4.1 (Jan 5 2017) fixed univention-policy-result such that it now always uses TLS. At least in my test scenario, I didn’t see any LDAP clear text communication anymore.
Regards,
Frank Greif.
Hi Frank,
Thanks for the information!
I started testing and found that the join-script fails. When opening the join-page I get:
17.01.17 21:08:19.279 PARSER ( INFO ) : UMCP REQUEST 148468369918018-342 parsed successfully
17.01.17 21:08:19.279 MODULE ( INFO ) : Received request 148468369918018-342
17.01.17 21:08:19.279 PROTOCOL ( INFO ) : Received UMCP COMMAND REQUEST 148468369918018-342
17.01.17 21:08:19.279 MODULE ( INFO ) : Executing ['join/master']
17.01.17 21:08:19.281 PROTOCOL ( INFO ) : Sending UMCP RESPONSE 148468369918018-342
17.01.17 21:08:19.284 PARSER ( INFO ) : UMCP REQUEST 148468369923175-344 parsed successfully
17.01.17 21:08:19.284 MODULE ( INFO ) : Received request 148468369923175-344
17.01.17 21:08:19.284 PROTOCOL ( INFO ) : Received UMCP COMMAND REQUEST 148468369923175-344
17.01.17 21:08:19.284 MODULE ( INFO ) : Executing ['join/locked']
17.01.17 21:08:19.285 PROTOCOL ( INFO ) : Sending UMCP RESPONSE 148468369923175-344
17.01.17 21:08:19.287 PARSER ( INFO ) : UMCP REQUEST 148468369925083-345 parsed successfully
17.01.17 21:08:19.287 MODULE ( INFO ) : Received request 148468369925083-345
17.01.17 21:08:19.287 PROTOCOL ( INFO ) : Received UMCP COMMAND REQUEST 148468369925083-345
17.01.17 21:08:19.287 MODULE ( INFO ) : Executing ['join/joined']
17.01.17 21:08:19.287 PROTOCOL ( INFO ) : Sending UMCP RESPONSE 148468369925083-345
17.01.17 21:08:19.287 PARSER ( INFO ) : UMCP REQUEST 148468369925396-346 parsed successfully
17.01.17 21:08:19.287 MODULE ( INFO ) : Received request 148468369925396-346
17.01.17 21:08:19.287 PROTOCOL ( INFO ) : Received UMCP COMMAND REQUEST 148468369925396-346
17.01.17 21:08:19.287 MODULE ( INFO ) : Executing ['join/running']
17.01.17 21:08:19.287 PROTOCOL ( INFO ) : Sending UMCP RESPONSE 148468369925396-346
17.01.17 21:08:19.493 PARSER ( INFO ) : UMCP REQUEST 148468369943530-348 parsed successfully
17.01.17 21:08:19.493 MODULE ( INFO ) : Received request 148468369943530-348
17.01.17 21:08:19.493 PROTOCOL ( INFO ) : Received UMCP COMMAND REQUEST 148468369943530-348
17.01.17 21:08:19.493 MODULE ( INFO ) : Executing ['join/scripts/query']
17.01.17 21:08:19.689 MODULE ( PROCESS ) : Error: ldapsearch -x failed
17.01.17 21:08:19.689 PROTOCOL ( INFO ) : Sending UMCP RESPONSE 148468369943530-348
and
Start /usr/sbin/univention-check-join-status at Tue Jan 17 21:09:03 CET 2017
ldap_bind: Confidentiality required (13)
additional info: confidentiality required
Error: ldapsearch -x failed
Can you reproduce this?
Kind regards,
Remko
greif
January 23, 2017, 11:19am
12
Hello Remko,
Yes, I can confirm that. You have just found the next culprit doing unencrypted LDAP queries.
univention-check-join-status looks like this:
if ! ldapsearch -x -h "$ldap_master" -p "$ldap_master_port" -D "$ldap_hostdn" -w "$(</etc/machine.secret)" -b "$ldap_base" -s base >>"$LOG_FILE" 2>&1
then
log_error "ldapsearch -x failed"
fi
if ! ldapsearch -x -ZZ -h "$ldap_master" -p "$ldap_master_port" -D "$ldap_hostdn" -w "$(</etc/machine.secret)" -b "$ldap_base" -s base >>"$LOG_FILE" 2>&1
then
log_error "ldapsearch -x -ZZ failed"
fi
Thinking about the logic: “try to connect unencrypted, FAIL the whole script if it doesn’t succeed” and then “try to connect with STARTTLS, FAIL the whole script too if it does not succeed”. From my point of view, the first query is unnecessary. Why do they have to ENSURE that an unencrypted ldapsearch will succeed?
Commenting away the first of these two queries will make univention-check-join-status work as intended: it works even if cleartext communication is inhibited (at least in my test environment).
Doing a simple grep over all shell and Python scripts in my test environment reveals that there are lots of ‘ldapsearch’ and related operations without -ZZ. Perhaps you’re right, and it’s a nearly impossible task to avoid unencrypted LDAP traffic.
Regards,
Frank Greif.
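Frank’s grep over the scripts can be turned into a repeatable check. The following is an added example (my own code, not part of UCS or of this thread): it walks a directory of shell and Python scripts, joins backslash-continued lines, and reports every ldapsearch/ldapadd/ldapmodify/… invocation that neither passes -ZZ nor targets an ldaps:// URI. A bare -Z is reported as “weak” because it only attempts StartTLS and silently continues in cleartext if the server does not offer it. The sample scripts it audits are constructed inline, modelled on the univention-check-join-status excerpt above; the host names and file names in them are invented.

```python
"""Find LDAP CLI calls in scripts that do not enforce TLS.

Added example, not code from UCS or from this thread. Verdicts:
  ok         -ZZ given (StartTLS, fail if unavailable) or an ldaps:// URI is used
  weak       bare -Z: StartTLS is attempted, but cleartext is accepted on failure
  cleartext  neither, so the call runs unencrypted unless client defaults say otherwise
"""
import os
import re
import shlex
import tempfile

LDAP_TOOLS = {"ldapsearch", "ldapadd", "ldapmodify", "ldapdelete",
              "ldapmodrdn", "ldapcompare", "ldappasswd", "ldapwhoami"}
# Characters that glue tokens together at shell and Python call sites:
# ['ldapsearch', '-x'], 2>&1, cmd;cmd, a|b
GLUE = re.compile(r"[\[\](){},;|&]+")


def classify_line(line):
    """Classify one logical line; None when no LDAP CLI tool is invoked."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    try:
        words = shlex.split(stripped, comments=True)
    except ValueError:              # unbalanced quotes: fall back to whitespace split
        words = stripped.split()
    tokens = [t for w in words for t in GLUE.split(w) if t]
    for i, tok in enumerate(tokens):
        if os.path.basename(tok) in LDAP_TOOLS:
            args = tokens[i + 1:]
            if "-ZZ" in args or any("ldaps://" in a for a in args):
                return "ok"
            if "-Z" in args:
                return "weak"
            return "cleartext"
    return None


def logical_lines(text):
    """Yield (first_physical_lineno, text) with backslash continuations merged."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def _looks_like_script(path):
    """Shell/Python by extension, or anything starting with a shebang."""
    if path.endswith((".sh", ".py")):
        return True
    with open(path, "rb") as fh:
        return fh.read(2) == b"#!"


def audit_file(path):
    """Return (path, lineno, verdict, line) for every non-'ok' LDAP call in one file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in logical_lines(fh.read()):
            verdict = classify_line(line)
            if verdict and verdict != "ok":
                findings.append((path, lineno, verdict, line.strip()))
    return findings


def audit_tree(root):
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if _looks_like_script(path):
                findings.extend(audit_file(path))
    return findings


# Constructed sample scripts (not real UCS files); host names are invented.
SAMPLES = {
    "check-join-status": (
        "#!/bin/bash\n"
        'if ! ldapsearch -x -h "$ldap_master" -p "$ldap_master_port" -D "$ldap_hostdn" \\\n'
        '     -w "$(</etc/machine.secret)" -b "$ldap_base" -s base >>"$LOG_FILE" 2>&1\n'
        'then log_error "ldapsearch -x failed"; fi\n'
        'if ! ldapsearch -x -ZZ -h "$ldap_master" -p "$ldap_master_port" -b "$ldap_base" -s base\n'
        'then log_error "ldapsearch -x -ZZ failed"; fi\n'
    ),
    "sync.py": (
        "import subprocess\n"
        "# -Z only tries StartTLS; a downgrade to cleartext is accepted\n"
        "subprocess.call(['ldapsearch', '-x', '-Z', '-b', base, '(uid=*)'])\n"
        "subprocess.call(['ldapmodify', '-H', 'ldaps://ldap.example.test:7636', '-f', 'mod.ldif'])\n"
    ),
    "notes.txt": "ldapsearch is mentioned here but this is not a script\n",
}


def demo():
    """Write the constructed samples to a temp dir and audit them."""
    tmp = tempfile.mkdtemp(prefix="ldap-audit-")
    for name, body in SAMPLES.items():
        with open(os.path.join(tmp, name), "w") as fh:
            fh.write(body)
    return [(os.path.basename(p), n, v) for p, n, v, _ in audit_tree(tmp)]


if __name__ == "__main__":
    for name, lineno, verdict in demo():
        print("%s:%d: %s" % (name, lineno, verdict))
```

Run it against /usr/sbin, /usr/share/univention-* and /usr/lib/univention-* to get the list Frank describes; a "cleartext" hit is only a real problem if the call can still reach the server once `security simple_bind=128` is enforced, so each one has to be checked against the client defaults in /etc/ldap/ldap.conf as well.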
greif
January 27, 2017, 10:11am
13
Hi Remko,
Just yesterday, Bug 43425 appeared, so the problem is now being addressed in the current development.
Regards,
Frank Greif.
Hi Frank,
I found a complicated one: bind-sdb + LDAP backend
Configuration file: /etc/bind/univention.conf.d/finalist.tst
zone "finalist.tst" {
type master;
notify yes;
database "ldap ldap://127.0.0.1:7389/zoneName=finalist.tst,cn=dns,dc=finalist,dc=tst????!bindname=cn=t-ucs%2ccn=dc%2ccn=computers%2cdc=finalist%2cdc=tst,!x-bindpw=xyxyxyxyxy,x-tls 172800";
};
Although the parameter ‘x-tls’ is added by default by Univention, bind fails when enforcing SSL
Error message in /var/log/syslog
LDAP sdb zone 'finalist.tst': bind failed
This is an interesting one… StartTLS normally requires a match of hostname in the URL and Certificate… the hostname comes from DNS… DNS is not working when SSL is enforced
Nice challenge.
Kind regards,
Remko
greif
January 31, 2017, 5:00pm
15
Hi Remko,
I don’t think that presenting the certificate is the problem here. A joined computer knows its own name/domain and owns a certificate issued to it, all without asking DNS or LDAP.
I’d think that the ‘x-tls’ option is not honored at all: Bind tries unencrypted communication, and gives up. If I add an exclamation mark this way ‘!x-tls’, making it a critical option, Bind logs:
named[5067]: LDAP sdb zone '122.168.192.in-addr.arpa': URL: unknown critical extension
On the other hand, changing the protocol to ‘ldaps://’ and the port to 7636 works immediately, even without the ‘x-tls’ attribute.
To make it permanent, you could edit /usr/lib/univention-directory-listener/system/bind.py lines 118 and 139.
Regards,
Frank Greif.
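Frank’s observation that ‘x-tls’ is ignored while ‘!x-tls’ is rejected is exactly the RFC 4516 extension rule. As an added example (my own code, not from UCS, BIND or the bind-sdb LDAP backend), the Python below parses the zone’s database URL the way an RFC 4516 client does: an unknown non-critical extension is dropped silently, an unknown critical one rejects the whole URL, and to_ldaps() performs the rewrite Frank describes (ldaps:// on port 7636 with the x-tls token removed). The set of extensions the parser “understands” is an assumption standing in for whatever a given client implements; the URL is the one from the zone file above, whose password was already redacted there.

```python
"""RFC 4516 LDAP URL handling for a bind-sdb 'database "ldap ..."' line.

Added example; not code from UCS, BIND 9 or bind-sdb. RFC 4516 rule implemented:
an extension prefixed with '!' is critical and a client that does not understand it
must reject the URL; an unknown non-critical extension is ignored. KNOWN_EXTENSIONS
is an assumption about the consuming client; 'x-tls' is deliberately absent to
mirror the behaviour reported in the thread.
"""
from urllib.parse import unquote, urlsplit, urlunsplit

KNOWN_EXTENSIONS = {"bindname", "x-bindpw"}      # assumed client capabilities
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# URL from the zone file quoted in the thread (x-bindpw was already redacted there).
ZONE_URL = ("ldap://127.0.0.1:7389/zoneName=finalist.tst,cn=dns,dc=finalist,dc=tst"
            "????!bindname=cn=t-ucs%2ccn=dc%2ccn=computers%2cdc=finalist%2cdc=tst,"
            "!x-bindpw=xyxyxyxyxy,x-tls")


class UnknownCriticalExtension(ValueError):
    """A '!'-prefixed extension the client does not understand."""


def _fields(query):
    """Split 'attrs?scope?filter?extensions' into exactly four strings."""
    fields = query.split("?")
    return (fields + ["", "", "", ""])[:4]


def parse_ldap_url(url, known=KNOWN_EXTENSIONS):
    """Parse an RFC 4516 URL; raise UnknownCriticalExtension where a client must."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("not an LDAP URL: %r" % url)
    attrs, scope, filt, ext_field = _fields(parts.query)
    extensions, ignored = [], []
    for raw in filter(None, ext_field.split(",")):   # commas in values are %2c-encoded
        critical = raw.startswith("!")
        name, _, value = raw.lstrip("!").partition("=")
        name = name.lower()
        if name not in known:
            if critical:
                raise UnknownCriticalExtension(name)
            ignored.append(name)                     # silently dropped, as bind-sdb did
            continue
        extensions.append((name, unquote(value), critical))
    return {
        "scheme": parts.scheme,
        "tls": parts.scheme == "ldaps",
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "dn": unquote(parts.path.lstrip("/")),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",                    # RFC 4516 defaults
        "filter": unquote(filt) or "(objectClass=*)",
        "extensions": extensions,
        "ignored": ignored,
    }


def is_rejected(url, known=KNOWN_EXTENSIONS):
    """True when the URL carries a critical extension the client does not know."""
    try:
        parse_ldap_url(url, known)
    except UnknownCriticalExtension:
        return True
    return False


def to_ldaps(url, port=7636):
    """Rewrite ldap:// to ldaps:// on the given port and drop any x-tls extension."""
    parts = urlsplit(url)
    attrs, scope, filt, ext_field = _fields(parts.query)
    exts = [e for e in ext_field.split(",")
            if e and e.lstrip("!").partition("=")[0].lower() != "x-tls"]
    host = parts.hostname
    if ":" in host:                                  # IPv6 literal
        host = "[%s]" % host
    query = "?".join([attrs, scope, filt, ",".join(exts)])
    return urlunsplit(("ldaps", "%s:%d" % (host, port), parts.path, query, ""))


if __name__ == "__main__":
    info = parse_ldap_url(ZONE_URL)
    print("plain URL: tls=%s ignored=%s" % (info["tls"], info["ignored"]))
    print("critical x-tls rejected:", is_rejected(ZONE_URL.replace(",x-tls", ",!x-tls")))
    print("rewritten:", to_ldaps(ZONE_URL))
```

The rewrite keeps the bind DN and password extensions untouched and only changes the transport, which is why the ldaps:// form works without any cooperation from the URL parser in the backend; the same applies to the listener template that generates these zone files.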