ldap: use infinite timeout when using TLS to connect
Using an infinite timeout will make libldap use blocking thread for establishing the TLS connection both when using StartTTLS and when using LDAPS. This leaves the LDAP_OPT_NETWORK_TIMEOUT to its default (-1) when using TLS connection. Related: rhbz#1992551 Signed-off-by: Antonio Torres <antorres@redhat.com>
This commit is contained in:
parent
39a61df66f
commit
4f6ca3e9cc
@ -1,49 +0,0 @@
|
|||||||
From ab6bbcc41293ae745c1607618f88e5404b98d769 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Antonio Torres <antorres@redhat.com>
|
|
||||||
Date: Wed, 13 Oct 2021 13:29:02 +0200
|
|
||||||
Subject: [PATCH] ldap: allow to connect on partially open handle
|
|
||||||
|
|
||||||
The LDAP library returns a partially open connection. Setting the
|
|
||||||
'retry' flag to true during the module inst creation and the pool start
|
|
||||||
to 0 allows to connect even if the connection is not completely opened
|
|
||||||
yet.
|
|
||||||
|
|
||||||
Upstream commit: https://github.com/FreeRADIUS/freeradius-server/commit/21d95b268b4cf56e75064898d83123825d673818
|
|
||||||
|
|
||||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
|
||||||
---
|
|
||||||
diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
|
|
||||||
index f25ee9e2e0..4b6ae44afb 100644
|
|
||||||
--- a/src/modules/rlm_ldap/ldap.c
|
|
||||||
+++ b/src/modules/rlm_ldap/ldap.c
|
|
||||||
@@ -717,7 +717,8 @@ ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle
|
|
||||||
* For sanity, for when no connections are viable,
|
|
||||||
* and we can't make a new one.
|
|
||||||
*/
|
|
||||||
- num = retry ? fr_connection_pool_get_num(inst->pool) : 0;
|
|
||||||
+ num = 0;
|
|
||||||
+ if (inst->pool && retry) num = fr_connection_pool_get_num(inst->pool);
|
|
||||||
for (i = num; i >= 0; i--) {
|
|
||||||
#ifdef WITH_SASL
|
|
||||||
if (sasl && sasl->mech) {
|
|
||||||
@@ -758,7 +759,7 @@ ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle
|
|
||||||
break;
|
|
||||||
|
|
||||||
case LDAP_PROC_RETRY:
|
|
||||||
- if (retry) {
|
|
||||||
+ if (num) {
|
|
||||||
*pconn = fr_connection_reconnect(inst->pool, *pconn);
|
|
||||||
if (*pconn) {
|
|
||||||
LDAP_DBGW_REQ("Bind with %s to %s failed: %s. Got new socket, retrying...",
|
|
||||||
@@ -1563,7 +1564,7 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
|
|
||||||
}
|
|
||||||
|
|
||||||
status = rlm_ldap_bind(inst, NULL, &conn, conn->inst->admin_identity, conn->inst->admin_password,
|
|
||||||
- &(conn->inst->admin_sasl), false);
|
|
||||||
+ &(conn->inst->admin_sasl), true);
|
|
||||||
if (status != LDAP_PROC_SUCCESS) {
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
31
freeradius-ldap-infinite-timeout-on-starttls.patch
Normal file
31
freeradius-ldap-infinite-timeout-on-starttls.patch
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
From: Antonio Torres <antorres@redhat.com>
|
||||||
|
Date: Fri, 28 Jan 2022
|
||||||
|
Subject: Use infinite timeout when using LDAP+start-TLS
|
||||||
|
|
||||||
|
This will ensure that the TLS connection to the LDAP server will complete
|
||||||
|
before starting FreeRADIUS, as it forces libldap to use a blocking socket during
|
||||||
|
the process. Infinite timeout is the OpenLDAP default.
|
||||||
|
Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
|
||||||
|
|
||||||
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
|
||||||
|
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||||
|
---
|
||||||
|
src/modules/rlm_ldap/ldap.c | 5 ++++-
|
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
|
||||||
|
index cf7a84e069..841bf888a1 100644
|
||||||
|
--- a/src/modules/rlm_ldap/ldap.c
|
||||||
|
+++ b/src/modules/rlm_ldap/ldap.c
|
||||||
|
@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef LDAP_OPT_NETWORK_TIMEOUT
|
||||||
|
- if (inst->net_timeout) {
|
||||||
|
+ bool using_tls = inst->start_tls ||
|
||||||
|
+ inst->port == 636 ||
|
||||||
|
+ strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
|
||||||
|
+ if (inst->net_timeout && !using_tls) {
|
||||||
|
memset(&tv, 0, sizeof(tv));
|
||||||
|
tv.tv_sec = inst->net_timeout;
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
Summary: High-performance and highly configurable free RADIUS server
|
Summary: High-performance and highly configurable free RADIUS server
|
||||||
Name: freeradius
|
Name: freeradius
|
||||||
Version: 3.0.21
|
Version: 3.0.21
|
||||||
Release: 24%{?dist}
|
Release: 25%{?dist}
|
||||||
License: GPLv2+ and LGPLv2+
|
License: GPLv2+ and LGPLv2+
|
||||||
URL: http://www.freeradius.org/
|
URL: http://www.freeradius.org/
|
||||||
|
|
||||||
@ -26,7 +26,7 @@ Patch3: freeradius-bootstrap-create-only.patch
|
|||||||
Patch4: freeradius-no-buildtime-cert-gen.patch
|
Patch4: freeradius-no-buildtime-cert-gen.patch
|
||||||
Patch5: freeradius-bootstrap-make-permissions.patch
|
Patch5: freeradius-bootstrap-make-permissions.patch
|
||||||
Patch6: freeradius-Fix-resource-hard-limit-error.patch
|
Patch6: freeradius-Fix-resource-hard-limit-error.patch
|
||||||
Patch7: freeradius-ldap-allow-to-connect-on-partially-open-handle.patch
|
Patch7: freeradius-ldap-infinite-timeout-on-starttls.patch
|
||||||
Patch8: freeradius-Backport-OpenSSL3-fixes.patch
|
Patch8: freeradius-Backport-OpenSSL3-fixes.patch
|
||||||
|
|
||||||
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
|
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
|
||||||
@ -55,7 +55,7 @@ BuildRequires: ykclient-devel
|
|||||||
|
|
||||||
# Require OpenSSL version we built with, or newer, to avoid startup failures
|
# Require OpenSSL version we built with, or newer, to avoid startup failures
|
||||||
# due to runtime OpenSSL version checks.
|
# due to runtime OpenSSL version checks.
|
||||||
Requires: openssl >= %(rpm -q --queryformat '%%{EPOCH}:%%{VERSION}' openssl)
|
Requires: openssl >= %(rpm -q --queryformat '%%{VERSION}' openssl)
|
||||||
Requires(pre): shadow-utils glibc-common
|
Requires(pre): shadow-utils glibc-common
|
||||||
Requires(post): systemd-sysv
|
Requires(post): systemd-sysv
|
||||||
Requires(post): systemd-units
|
Requires(post): systemd-units
|
||||||
@ -855,6 +855,12 @@ exit 0
|
|||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jan 28 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-25
|
||||||
|
- Revert "Allow to connect to partially open LDAP handle"
|
||||||
|
- Use infinite timeout (openldap default) when using LDAP+start-TLS
|
||||||
|
- Update openssl dependency to not check epoch (was causing detection issues)
|
||||||
|
Related: rhbz#1992551
|
||||||
|
|
||||||
* Thu Jan 13 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-24
|
* Thu Jan 13 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-24
|
||||||
- Avoid segfault when trying to use MD4 without legacy provider
|
- Avoid segfault when trying to use MD4 without legacy provider
|
||||||
Related: rhbz#1978216
|
Related: rhbz#1978216
|
||||||
|
Loading…
Reference in New Issue
Block a user