Majic Ansible Roles / Closed Feature request MAR-165: Use custom Diffie–Hellman parameters for LDAP service in ldap_server role
This issue has been closed with status "Closed" and resolution "RESOLVED".
Issue basics
  • Type of issue
    Feature request
  • Category
    Not determined
  • Targeted for
    6.0.0
  • Status
    Closed
  • Progress
  • Priority
    Not determined
User pain
  • Type of bug
    Not triaged
  • Likelihood
    Not triaged
  • Effect
    Not triaged
Affected by this issue (0)
There are no items
People involved
Times and dates
  • Posted at
  • Last updated
  • Estimated time
    2 hours
  • Time spent
    4 hours
Issue details
  • Resolution
    RESOLVED
Attachments (0)
There is nothing attached to this issue
Duplicate issues (0)
This issue does not have any duplicates
Description

This is a continuation of the MAR-153 feature request, targeting specifically the OpenLDAP server in the ldap_server role.

The original feature request was not implemented for the ldap_server role because of a bug within the OpenLDAP server implementation that essentially refused to use DHE-based ciphers at all.

From the comment in the linked issue:

----%----
It looks like DHE ciphers cannot be used at all on OpenLDAP server 2.4.44 (shipped in Debian 9 Stretch). After trying to get slapd to accept DHE ciphers, I ended up running into the following bug report on Ubuntu (not Debian, but it seems to be the most relevant post):

Looking at the OpenLDAP changes page, it looks like the 2.4.45 release received some fixes around the TLS and handling of DH parameters:

  • Fixed libldap handling of Diffie-Hellman parameters (ITS#7506)

I haven't had a chance to test it out with a newer OpenLDAP release (say, from Debian 10 Buster), so it is something to keep in mind in the future.
----%----

This feature request might become implementable once support for Debian 10 Buster is added, but it still might not be possible to provide it on Debian 9 Stretch.

The following should be done:

  • Update the ldap_server role
    • Generate DH parameter for the service.
    • Configure the LDAP service to use the custom DH parameter.
  • Implement the necessary tests.
  • Update role reference documentation.
  • Update release notes.
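The two implementation steps above (generate a DH parameter file, then configure slapd to use it) plus the corresponding check, written out as an added Ansible example. This is illustrative code, not the ldap_server role's own tasks. It assumes slapd is managed through cn=config and reachable as root over ldapi:/// with SASL EXTERNAL, that TLS material lives under /etc/ldap/ssl/ (an assumed path), that a `Restart slapd` handler already exists, and that the server is reachable as ldap.example.com on port 636 (a constructed host name). The modules used are community.crypto.openssl_dhparam and community.general.ldap_attrs; olcTLSDHParamFile is the standard cn=config attribute for this setting.

```yaml
# Added example, not part of the ldap_server role.
# Assumed paths, host name and handler name are marked below.

- name: Generate custom Diffie-Hellman parameters for slapd
  community.crypto.openssl_dhparam:
    path: /etc/ldap/ssl/dhparam.pem   # assumed location for TLS material
    size: 2048
    owner: root
    group: openldap
    mode: "0640"
  notify: Restart slapd                 # assumes this handler exists in the role

- name: Point slapd (cn=config) at the custom DH parameter file
  community.general.ldap_attrs:
    dn: cn=config
    attributes:
      olcTLSDHParamFile: /etc/ldap/ssl/dhparam.pem
    state: exact                        # replace any previously configured value
    server_uri: ldapi:///               # root over the local socket, SASL EXTERNAL
  notify: Restart slapd

- name: Restart slapd now so the check below sees the new configuration
  ansible.builtin.meta: flush_handlers

# The test: force a DHE-only cipher list on a TLS 1.2 handshake and look for
# the ephemeral DH key line that openssl s_client prints on success. On
# OpenLDAP 2.4.44 (Debian 9 Stretch) this handshake is expected to fail, as
# described in the issue (fixed upstream in 2.4.45, ITS#7506).
- name: Verify that slapd negotiates a DHE cipher suite with the custom parameters
  ansible.builtin.shell: >
    openssl s_client -connect ldap.example.com:636 -tls1_2 -cipher 'DHE' </dev/null 2>&1
    | grep -E '^Server Temp Key: DH, 2048 bits'
  register: dhe_check
  changed_when: false
  failed_when: dhe_check.rc != 0
```

The ldap_attrs task is idempotent: `state: exact` only writes when the attribute value differs, so the handler fires just once on first configuration. The final task is what distinguishes "parameters configured" from "parameters in use"; if it fails on Stretch while the first two tasks succeed, that is the 2.4.44 behaviour the issue describes rather than a configuration error.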
Todos (0 / 0)
There are no comments