[rt-users] Self user creation

Anthony Lincoln ahlincoln at lbl.gov
Fri Mar 24 14:21:46 EST 2006


Jim Meyer wrote:
> Hello!
> 
> On Wed, 2006-03-22 at 08:19 -0800, Anthony Lincoln wrote:
> 
>>I might be.  It would be great to synch back up with the branch when 3.6 
>>comes out, without having to integrate all my custom code again.  The 
>>new functionality you described, plus TLS sessions that required 
>>specific server certs (to prevent man-in-middle exploits), should work 
>>in my environment.  A logging option that sends back actual LDAP error 
>>strings (ldap_error_text) would be nice to have for troubleshooting. 
>>I'd be happy to contribute code review/diffs to help make this happen.
> 
> 
> I'm not sure about requiring specific certs; we don't do/need TLS here,
> so I've largely just polished the previous implementations of that. I'd
> love a more in depth explanation ... or a code contrib. =]

Basically, if you invoke start_tls with no args, you're encrypting a 
session between yourself and another host without any verification, 
which opens the door to host spoofing and man-in-the-middle attacks. 
The following code snippet checks that the certificate you receive from 
the destination host is one that you trust.  That's where the certfile 
from your trusted CA comes in.

$ diff Ldap_Overlay.pm Ldap_Overlay.pm.new
77a78
 >     $config{'AuthCAFile'}     = $RT::LdapCAFile     || 
$RT::LdapAuthCAFile;
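Review bot: the precedence in `$config{'AuthCAFile'} = $RT::LdapCAFile || $RT::LdapAuthCAFile;` looks reversed: the generic `$RT::LdapCAFile` wins whenever it is set, so a site cannot give the auth server its own CA file through `$RT::LdapAuthCAFile`. Listing the specific setting first (`$RT::LdapAuthCAFile || $RT::LdapCAFile`) lets the specific value override the shared default; the InfoCAFile line in the next hunk has the same ordering.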
92a94
 >     $config{'InfoCAFile'}     = $RT::LdapCAFile     || 
$RT::LdapInfoCAFile;
126a129
 >     my $ldap_cafile     = $ldap_config{'AuthCAFile'};
138c141,144
<         $ldap->start_tls;
---
 >         $ldap->start_tls(
 >                        verify => 'require',
 >                        cafile => $ldap_cafile
 >                        );
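Review bot: the message returned by `$ldap->start_tls(...)` is discarded, so when the server certificate does not verify against `$ldap_cafile` (or `$ldap_cafile` is undefined because neither `$RT::LdapCAFile` nor `$RT::LdapAuthCAFile` is configured) the caller never learns that TLS was not established and the bind that follows goes over a connection that is not encrypted. Suggest failing closed: `my $mesg = $ldap->start_tls(verify => 'require', cafile => $ldap_cafile);` then `return undef if $mesg->code;` with the code logged through `$RT::Logger`, and a check that `$ldap_cafile` is set and readable before the call so a configuration gap is reported as such rather than as a generic TLS failure.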
434a441
 >     my $ldap_cafile     = $ldap_config{'InfoCAFile'};
459c466,469
<         $ldap->start_tls;
---
 >         $ldap->start_tls(
 >                        verify => 'require',
 >                        cafile => $ldap_cafile
 >                        );
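Review bot: this is the second copy of the same `start_tls(verify => 'require', cafile => $ldap_cafile)` call (the Auth path at 138c141,144 has the other), and the returned message is discarded here as well. Moving the call and its result check into one helper used by both the Auth and Info paths would keep the verification policy from drifting between them and give one place to log a failed negotiation.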


> The implementation does, however, uniformly provide ldap_error_name
> information; the code looks like this:
> 
>     $RT::Logger->info((caller(0))[3], "AUTH FAILED", $self->Name, 
>                       "(can't bind:", ldap_error_name($msg->code), 
>                       $msg->code, ")");

I was talking about ldap_error_text, which references the longer and 
more intuitive error string associated with a given LDAP errcode.  But 
this is fine.  Great to have this component actively managed by someone!

Let me know if you have any questions/comments on any of the above...

Thanks,

Tony
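As an added example, not code from Tony's patch or from RT's Ldap_Overlay.pm, a stand-alone Perl script that performs the verified start_tls from the diff above, checks its result before binding, and logs a failed bind with ldap_error_text as Tony suggests; the host, CA file path and bind DN are placeholders to replace with your own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_name ldap_error_text);

# Assumed values: replace with your own server, CA bundle and bind DN.
my $host     = 'ldap.example.org';
my $cafile   = '/etc/ssl/certs/ldap-ca.pem';
my $bind_dn  = 'uid=tony,ou=people,dc=example,dc=org';
my $password = $ENV{LDAP_PASSWORD} || die "set LDAP_PASSWORD\n";

# Report a missing CA file as the configuration error it is, rather than
# letting it surface later as a generic TLS verification failure.
-r $cafile or die "CA file $cafile is missing or unreadable\n";

my $ldap = Net::LDAP->new($host) or die "connect to $host failed: $@\n";

# Verified TLS: the server certificate must chain to a CA in $cafile,
# otherwise start_tls returns a message with a non-zero code.
my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
if ($mesg->code) {
    # Fail closed: never continue to a bind over a connection whose
    # TLS negotiation did not succeed.
    die sprintf("start_tls failed: %s (%d): %s\n",
        ldap_error_name($mesg->code), $mesg->code,
        ldap_error_text($mesg->code));
}

$mesg = $ldap->bind($bind_dn, password => $password);
if ($mesg->code) {
    # ldap_error_text supplies the descriptive string beside the
    # symbolic name that the current RT code already logs.
    warn sprintf("AUTH FAILED %s (can't bind: %s %d) %s\n", $bind_dn,
        ldap_error_name($mesg->code), $mesg->code,
        ldap_error_text($mesg->code));
    $ldap->unbind;
    exit 1;
}
print "bound as $bind_dn over verified TLS\n";
$ldap->unbind;
```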


