Majic Projects ~ [CLOSED] MAR-165 - Use custom Diffie–Hellman parameters for LDAP service in ldap

Majic Projects

Majic Ansible Roles

Projects
Wiki
- Quick links
- Wiki
- Project wikis
- Conntrackt
- Django Pydenticon
- Gimmecert
- Majic Ansible Roles
- Pydenticon
- Scripts
- Global content

Majic Ansible Roles / Closed Feature request MAR-165 Use custom Diffie–Hellman parameters for LDAP service in ldap_server role

Votes

There are no more issues in that direction.

This issue has been closed with status "Closed" and resolution "RESOLVED".

- No additional actions available

Issue basics

Type of issue

Feature request Unknown issue type
Issue label

No label set
Category

Not determined
Targetted for

6.0.0 Not determined
Status

Closed

Status not determined
Progress
Priority

Not determined

Affected by this issue (0)

There are no items

People involved

Posted by
branko (@branko)

Branko Majic
@branko

Last seen online at Sep 29, 2024 - 18:46

Show user details
Owned by

Not owned by anyone
Assigned to
branko (@branko)

Branko Majic
@branko

Last seen online at Sep 29, 2024 - 18:46

Show user details
Not assigned to anyone
Subscribers

0 subscriber(s)

Click here to show the list of subscribers

Times and dates

Posted at

May 19, 2020
Last updated

Jan 19, 2021
Estimated time

2 hours Not estimated
Time spent

4 hours No time spent

Click here to see time logged against this issue

Issue details

Resolution

RESOLVED Not determined
Reproducability

Not determined
Severity

Not determined

Attachments (0)

There is nothing attached to this issue

Child issues (0)

This issue does not have any child issues

Duplicate issues (0)

This issue does not have any duplicates

Show / hide more details »

Description

This is continuation of the MAR-153 feature request, just targeting specifically the OpenLDAP server in the ldap_server role.

The original feature request was not implemented for the ldap_server role because of a bug within the OpenLDAP server implementation that essentially refused to use DHE-based ciphers at all.

From the comment in linked issue:

----%---- It looks like DHE ciphers cannot be used at all on OpenLDAP server 2.4.44 (shipped in Debian 9 Stretch). After trying out to get slapd to accept DHE ciphers, I ended up running into the following bug report on Ubuntu (not Debian, but seems to be the most relevant post):

https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1656979

Looking at the OpenLDAP changes page, it looks like the 2.4.45 release received some fixes around the TLS and handling of DH parameters:

Fixed libldap handling of Diffie-Hellman parameters (ITS#7506)

I haven't had a chance to test it out with newer OpenLDAP release (say, from Debian 10 Buster), so it is something to keep in mind in the future. ----%----

This feature request might be implementable once support for Debian 10 Buster is added, but still might not be possible to provide in Debian 9 Stretch.

The following should be done:

Update the ldap_server role
- Generate DH parameter for the service.
- Configure the LDAP service to use the custom DH parameter.
Implement the necessary tests.
Update role reference documentation.
Update release notes.

Todos (0 / 0)

Options

There are no comments

Welcome to The Bug Genie

Log in with your username and password