ldap: use infinite timeout when using TLS to connect

Using an infinite timeout will make libldap use blocking thread for
establishing the TLS connection both when using StartTTLS and when using
LDAPS. This leaves the LDAP_OPT_NETWORK_TIMEOUT to its
default (-1) when using TLS connection.

Related: rhbz#1992551
Signed-off-by: Antonio Torres <antorres@redhat.com>
This commit is contained in:
Antonio Torres 2022-01-30 19:50:59 +01:00
parent 39a61df66f
commit 4f6ca3e9cc
No known key found for this signature in database
GPG Key ID: 359FAF777296F653
3 changed files with 40 additions and 52 deletions

View File

@ -1,49 +0,0 @@
From ab6bbcc41293ae745c1607618f88e5404b98d769 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Wed, 13 Oct 2021 13:29:02 +0200
Subject: [PATCH] ldap: allow to connect on partially open handle
The LDAP library returns a partially open connection. Setting the
'retry' flag to true during the module inst creation and the pool start
to 0 allows to connect even if the connection is not completely opened
yet.
Upstream commit: https://github.com/FreeRADIUS/freeradius-server/commit/21d95b268b4cf56e75064898d83123825d673818
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
index f25ee9e2e0..4b6ae44afb 100644
--- a/src/modules/rlm_ldap/ldap.c
+++ b/src/modules/rlm_ldap/ldap.c
@@ -717,7 +717,8 @@ ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle
* For sanity, for when no connections are viable,
* and we can't make a new one.
*/
- num = retry ? fr_connection_pool_get_num(inst->pool) : 0;
+ num = 0;
+ if (inst->pool && retry) num = fr_connection_pool_get_num(inst->pool);
for (i = num; i >= 0; i--) {
#ifdef WITH_SASL
if (sasl && sasl->mech) {
@@ -758,7 +759,7 @@ ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle
break;
case LDAP_PROC_RETRY:
- if (retry) {
+ if (num) {
*pconn = fr_connection_reconnect(inst->pool, *pconn);
if (*pconn) {
LDAP_DBGW_REQ("Bind with %s to %s failed: %s. Got new socket, retrying...",
@@ -1563,7 +1564,7 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
}
status = rlm_ldap_bind(inst, NULL, &conn, conn->inst->admin_identity, conn->inst->admin_password,
- &(conn->inst->admin_sasl), false);
+ &(conn->inst->admin_sasl), true);
if (status != LDAP_PROC_SUCCESS) {
goto error;
}
--
2.31.1

View File

@ -0,0 +1,31 @@
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 28 Jan 2022
Subject: Use infinite timeout when using LDAP+start-TLS
This will ensure that the TLS connection to the LDAP server will complete
before starting FreeRADIUS, as it forces libldap to use a blocking socket during
the process. Infinite timeout is the OpenLDAP default.
Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
src/modules/rlm_ldap/ldap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
index cf7a84e069..841bf888a1 100644
--- a/src/modules/rlm_ldap/ldap.c
+++ b/src/modules/rlm_ldap/ldap.c
@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
}
#ifdef LDAP_OPT_NETWORK_TIMEOUT
- if (inst->net_timeout) {
+ bool using_tls = inst->start_tls ||
+ inst->port == 636 ||
+ strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
+ if (inst->net_timeout && !using_tls) {
memset(&tv, 0, sizeof(tv));
tv.tv_sec = inst->net_timeout;

View File

@ -1,7 +1,7 @@
Summary: High-performance and highly configurable free RADIUS server Summary: High-performance and highly configurable free RADIUS server
Name: freeradius Name: freeradius
Version: 3.0.21 Version: 3.0.21
Release: 24%{?dist} Release: 25%{?dist}
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
URL: http://www.freeradius.org/ URL: http://www.freeradius.org/
@ -26,7 +26,7 @@ Patch3: freeradius-bootstrap-create-only.patch
Patch4: freeradius-no-buildtime-cert-gen.patch Patch4: freeradius-no-buildtime-cert-gen.patch
Patch5: freeradius-bootstrap-make-permissions.patch Patch5: freeradius-bootstrap-make-permissions.patch
Patch6: freeradius-Fix-resource-hard-limit-error.patch Patch6: freeradius-Fix-resource-hard-limit-error.patch
Patch7: freeradius-ldap-allow-to-connect-on-partially-open-handle.patch Patch7: freeradius-ldap-infinite-timeout-on-starttls.patch
Patch8: freeradius-Backport-OpenSSL3-fixes.patch Patch8: freeradius-Backport-OpenSSL3-fixes.patch
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -55,7 +55,7 @@ BuildRequires: ykclient-devel
# Require OpenSSL version we built with, or newer, to avoid startup failures # Require OpenSSL version we built with, or newer, to avoid startup failures
# due to runtime OpenSSL version checks. # due to runtime OpenSSL version checks.
Requires: openssl >= %(rpm -q --queryformat '%%{EPOCH}:%%{VERSION}' openssl) Requires: openssl >= %(rpm -q --queryformat '%%{VERSION}' openssl)
Requires(pre): shadow-utils glibc-common Requires(pre): shadow-utils glibc-common
Requires(post): systemd-sysv Requires(post): systemd-sysv
Requires(post): systemd-units Requires(post): systemd-units
@ -855,6 +855,12 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog %changelog
* Fri Jan 28 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-25
- Revert "Allow to connect to partially open LDAP handle"
- Use infinite timeout (openldap default) when using LDAP+start-TLS
- Update openssl dependency to not check epoch (was causing detection issues)
Related: rhbz#1992551
* Thu Jan 13 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-24 * Thu Jan 13 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-24
- Avoid segfault when trying to use MD4 without legacy provider - Avoid segfault when trying to use MD4 without legacy provider
Related: rhbz#1978216 Related: rhbz#1978216