dovecot - Oct 2015 - Dovecot auth-ldap ignores tls_* settings when using ldaps://

Hi,

I'm using dovecot 2.2.9 (but after checking src/auth/db-ldap.c in 2.2.13
there seems to be the same bug/feature).

The userdb and passdb use LDAP. All further configuration is done in
auth-ldap.conf.ext.

        uri = ldaps://<host>/
        # tls         tls_cert_file = /etc/ssl/certs/client-cert.pem
        tls_key_file = /etc/ssl/certs/client-key.file

Dovecot ignores the tls_* options. If I use an ldap:// URI and
switch on TLS using tls=yes it works as expected.

But I do not see any reason why LDAPS should not read the tls_*
settings.

This small patch solved it for me

--- dovecot-2.2.9/src/auth/db-ldap.c    2013-11-24 14:37:39.000000000 +0100
+++ dovecot-2.2.9.hs12/src/auth/db-ldap.c       2015-10-08 21:24:47.051446465
+0200
@@ -1043,7 +1043,7 @@
 
 static void db_ldap_set_tls_options(struct ldap_connection *conn)
 {
-       if (!conn->set.tls)
+       if (!(conn->set.tls || strncmp(conn->set.uris, "ldaps:",
6) == 0))
                return;
 
 #ifdef OPENLDAP_TLS_OPTIONS

It would be great, if somebody can confirm this and if this or some
equivalent patch could make it upstream.

    Best regards from Dresden/Germany
    Viele Gr??e aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20151008/fd2aea8e/attachment.sig>

On 08 Oct 2015, at 22:46, Heiko Schlittermann <hs at schlittermann.de>
wrote:
> 
> Hi,
> 
> I'm using dovecot 2.2.9 (but after checking src/auth/db-ldap.c in
2.2.13
> there seems to be the same bug/feature).
> 
> The userdb and passdb use LDAP. All further configuration is done in
> auth-ldap.conf.ext.
> 
>        uri = ldaps://<host>/
>        # tls >        tls_cert_file = /etc/ssl/certs/client-cert.pem
>        tls_key_file = /etc/ssl/certs/client-key.file
> 
> Dovecot ignores the tls_* options. If I use an ldap:// URI and
> switch on TLS using tls=yes it works as expected.
> 
> But I do not see any reason why LDAPS should not read the tls_*
> settings.
I guess.
> This small patch solved it for me
> 
> --- dovecot-2.2.9/src/auth/db-ldap.c    2013-11-24 14:37:39.000000000 +0100
> +++ dovecot-2.2.9.hs12/src/auth/db-ldap.c       2015-10-08
21:24:47.051446465 +0200
> @@ -1043,7 +1043,7 @@
> 
> static void db_ldap_set_tls_options(struct ldap_connection *conn)
> {
> -       if (!conn->set.tls)
> +       if (!(conn->set.tls || strncmp(conn->set.uris,
"ldaps:", 6) == 0))
>                return;
That's a bit ugly. I think also the URIs support multiple ones, so some ldap
and some ldaps URLs could even be mixed, which of course would be quite ugly.. I
think the fix is to just remove the if (tls)-check completely. I don't think
setting those harms anything even if tls/ldaps isn't being used?

Timo Sirainen <tss at iki.fi> (Di 13 Okt 2015 20:19:54 CEST):
..
> > --- dovecot-2.2.9/src/auth/db-ldap.c    2013-11-24 14:37:39.000000000
+0100
> > +++ dovecot-2.2.9.hs12/src/auth/db-ldap.c       2015-10-08
21:24:47.051446465 +0200
> > @@ -1043,7 +1043,7 @@
> > 
> > static void db_ldap_set_tls_options(struct ldap_connection *conn)
> > {
> > -       if (!conn->set.tls)
> > +       if (!(conn->set.tls || strncmp(conn->set.uris,
"ldaps:", 6) == 0))
> >                return;
> 
> That's a bit ugly. I think also the URIs support multiple ones, so some
ldap and some ldaps URLs could even be mixed, which of course would be quite
ugly.. I think the fix is to just remove the if (tls)-check completely. I
don't think setting those harms anything even if tls/ldaps isn't being
used?
Yes, thinking about mixed schema in the URIs whould have been my next
question :)

Ok, I can test what happens if we set tls_options w/o using LDAP+TLS or
LDAPS at all.

    Best regards from Dresden/Germany
    Viele Gr??e aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20151013/cb4aa12f/attachment.sig>