Bug 54408 - LDAP connection API change: set OPT_X_TLS_NEWCTX
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
UCS 5.0
Other Linux
: P5 normal
: UCS 5.0-1-errata
Assigned To: Christian Castens
Florian Best
Depends on:
Blocks:
Reported: 2022-02-01 22:33 CET by Florian Best
Modified: 2022-02-23 16:29 CET (History)
2 users

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): API change
Max CVSS v3 score:


Description Florian Best univentionstaff 2022-02-01 22:33:35 CET
Future versions of python-ldap require setting `OPT_X_TLS_NEWCTX` to `0` in order to establish a TLS connection.

> Warning
> 
> libldap does not materialize all TLS settings immediately. You must use OPT_X_TLS_NEWCTX with value 0 to instruct libldap to apply pending TLS settings and create a new internal TLS context:
> 
> conn = ldap.initialize("ldap://ldap.example")
> conn.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca.pem')
> conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
> conn.start_tls_s()
> conn.simple_bind_s(dn, password)

https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#tls-options

Otherwise a CONNECT_ERROR is raised and one is unable to use STARTTLS:
ldap.CONNECT_ERROR: {'result': -11, 'desc': 'Connect error', 'ctrls': [], 'info': '(unknown error code)'}

We should set this option now already, in order to:
* prevent errors during future upgrades
* be able to use uldap.py in Docker containers with more recent versions (e.g. in projects)
Comment 2 Christian Castens univentionstaff 2022-02-17 19:19:06 CET
Successful build
Package: univention-python
Version: 13.0.2-6A~5.0.0.202202171908
Branch: ucs_5.0-0
Scope: errata5.0-1

Successful build
Package: univention-ad-connector
Version: 14.0.8-6A~5.0.0.202202171718
Branch: ucs_5.0-0
Scope: errata5.0-1

Successful build
Package: ucs-test
Version: 10.0.6-98A~5.0.0.202202171913
Branch: ucs_5.0-0
Scope: errata5.0-1

As the first comment states, future python-ldap versions (3.3.0 onwards) will require the option `OPT_X_TLS_NEWCTX` to be set for TLS-encrypted LDAP connections whenever certain other TLS settings are set via set_option().

For example, after the `OPT_X_TLS_CACERTFILE` option is set, there has to be an additional set_option(ldap.OPT_X_TLS_NEWCTX, 0) call for the corresponding LDAP connection.

For further information on this please follow the link that was posted in the first comment.


Branch: 5.0-1
dbe60ed10082504282d546ce6b36c84c3a33dd72
Comment 3 Florian Best univentionstaff 2022-02-18 09:43:48 CET
OK: ucs-test
OK: univention-python
OK: univention-ad-connector
OK: I could not find any further usage in UCS or UCS@school
OK: YAML

univention-python.yaml
64a0ad767d57 | Bug #54408: yaml
52383652efc2 | Bug #54408: yamls
dbe60ed10082 | Bug #54408: set OPT_X_TLS_NEWCTX option for TLS encrypted LDAP connections

univention-python (13.0.2-6)
c2ad17b546cf | Bug #54408: version bump

univention-python (13.0.2-5)
de741f5c40b3 | Bug #54408: fix syntax error
dbe60ed10082 | Bug #54408: set OPT_X_TLS_NEWCTX option for TLS encrypted LDAP connections

univention-ad-connector.yaml
52383652efc2 | Bug #54408: yamls
dbe60ed10082 | Bug #54408: set OPT_X_TLS_NEWCTX option for TLS encrypted LDAP connections

univention-ad-connector (14.0.8-6)
dbe60ed10082 | Bug #54408: set OPT_X_TLS_NEWCTX option for TLS encrypted LDAP connections

ucs-test (10.0.6-98)
dbe60ed10082 | Bug #54408: set OPT_X_TLS_NEWCTX option for TLS encrypted LDAP connections