From Fedora Project Wiki

(Replaced content with "Changes/OpenLDAPwithOpenSSL")
 
= Switch OpenLDAP from MozNSS to OpenSSL =
[[Changes/OpenLDAPwithOpenSSL]]
== Overview ==
TODO
 
== Reasons ==
TODO
 
== Dependents ==
=== 389DS ===
An upstream patch that mirrors certificates to PEM files, so that an OpenSSL-built OpenLDAP library can be used, has been supported since version <code>389-ds-base-1.3.5</code>.
 
See [http://www.port389.org/docs/389ds/design/allow-usage-of-openldap-lib-w-openssl.html the design document].
 
=== FreeIPA ===
<pre>
BuildRequires: openldap-devel
Requires: openldap-clients
</pre>
 
=== SSSD ===
<pre>
BuildRequires: openldap-devel
</pre>
 
=== dhcpd ===
<pre>
BuildRequires: openldap-devel
</pre>
 
=== python-ldap ===
<pre>
BuildRequires: openldap-devel
</pre>
python-ldap uses OpenSSL for TLS itself, so this is probably not a problem.
 
=== others ===
TODO
 
== Schedule ==
=== Fedora 26 ===
Land the OpenSSL-built OpenLDAP. This should include the [[#Interception code]] with <code>X_MOZNSS_COMPATIBILITY</code> enabled by default.
 
=== Fedora 27 ===
Turn the [[#Interception code]] off by default, while still allowing it to be enabled with <code>X_MOZNSS_COMPATIBILITY</code>.
 
=== Fedora 28 ===
Drop the [[#Interception code]] patching entirely. By then all packages should be fully functional with an OpenSSL-built OpenLDAP that does not support any MozNSS-specific functionality.
 
== Implementation ==
The code handling possible MozNSS-specific configuration ([[#Interception code]]) should cover all use cases (the libldap, openldap-clients and openldap-servers packages). Briefly, the code should make both OpenSSL-specific and MozNSS-specific configurations work seamlessly with nothing more than setting the <code>X_MOZNSS_COMPATIBILITY</code> option on.
 
=== Build ===
OpenLDAP will be built with <code>./configure --with-tls=openssl</code>, dropping <code>--with-tls=moznss</code>. The MozNSS libraries will still need to be linked in so that the [[#Interception code]] works.
 
=== Interception code ===
==== Enabling ====
A <code>yes</code>/<code>no</code> option, exposed as <code>LDAP_OPT_X_MOZNSS_COMPATIBILITY</code> (libldap), <code>X_MOZNSS_COMPATIBILITY</code> (ldap.conf, slapd.conf) and <code>olcMozNSSCompatibility</code> (slapd-config), may be used to explicitly set whether the [[#Interception code]] is used.
 
==== Implementation ====
After parsing the user's options, adjust them as follows:
* keep <code>CACERT</code> as set
* if <code>CACERTDIR</code> is an NSSDB then
** if the NSSDB is PIN-protected then
*** unlock the DB using the PIN file given by <code>KEY</code>
** extract all CA certs to <code>ca.pem</code>
** extract all CA certs from the directory named by the <code>(DEFAULT_)MOZNSS_DIR</code> environment variable to <code>(default_)moznss_dir.pem</code>
** extract the user cert and key to <code>user.pem</code>
** get the randomly pre-generated DH params from the NSSDB and put them into <code>DHParamFile</code>
** update the options so that they work for OpenSSL
* continue as usual
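The option rewriting described above, as an added example that is not OpenLDAP or Fedora code: the PEM extraction step (certutil/pk12util in a real build) is injected as a callable so the logic runs without NSS tools, and the <code>&lt;nssdb&gt;/pem</code> layout and the option spelling taken from this page are assumptions.

```python
import os
import stat
import tempfile

NSSDB_MARKERS = ("cert8.db", "cert9.db")  # legacy dbm and sqlite NSS databases


def is_nssdb(path):
    """True if CACERTDIR points at an NSS database, not a hashed PEM directory."""
    return os.path.isdir(path) and any(
        os.path.exists(os.path.join(path, m)) for m in NSSDB_MARKERS)


def choose_pem_dir(nssdb):
    """Keep the NSSDB in place and create <nssdb>/pem (assumed layout) with the
    same owner and mode; if that fails, fall back to a private 0700 tempdir
    under /tmp, because user.pem will hold the private key."""
    st = os.stat(nssdb)
    target = os.path.join(nssdb, "pem")
    try:
        os.makedirs(target, exist_ok=True)
        os.chmod(target, stat.S_IMODE(st.st_mode))
        os.chown(target, st.st_uid, st.st_gid)
        return target
    except OSError:
        return tempfile.mkdtemp(prefix="moznss-", dir="/tmp")


def rewrite_tls_options(opts, extract, compat="yes"):
    """opts uses the option names from the page (CACERT, CACERTDIR, CERT, KEY).
    extract(nssdb, nickname, pin_file, pem_dir) returns {"ca", "user", "dh"} PEM
    paths; a real build would wrap certutil/pk12util there."""
    cacertdir = opts.get("CACERTDIR")
    if compat != "yes" or not cacertdir or not is_nssdb(cacertdir):
        return dict(opts)  # OpenSSL-style configuration: pass through untouched
    pem_dir = choose_pem_dir(cacertdir)
    # Under MozNSS, CERT is a certificate nickname and KEY a PIN file path.
    pems = extract(cacertdir, opts.get("CERT"), opts.get("KEY"), pem_dir)
    new = {k: v for k, v in opts.items() if k != "CACERTDIR"}
    new.setdefault("CACERT", pems["ca"])     # keep CACERT as set, else ca.pem
    new["CERT"] = new["KEY"] = pems["user"]  # cert and key in one PEM file
    new["DHParamFile"] = pems["dh"]
    return new
```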
 
==== Considerations ====
===== PEM files location =====
We should keep the NSSDB in place and create a directory with the same owner and permissions for storing the extracted PEM files. If that directory cannot be created, we should temporarily put the files in a private temporary directory (under <code>/tmp</code>); note that <code>user.pem</code> contains the private key, so the fallback must not be world-readable.
 
===== CRLCheck and CRLFile options =====
NSS uses only the <code>CRLFILE</code> option, whereas OpenSSL uses the <code>CRLCHECK</code> boolean.
 
===== NSS still used =====
Even if only temporarily, the NSS library is still used, which may cause some (although few) problems.
 
== Testing ==
=== Areas ===
==== Interception code functionality ====
===== Basic self-signed ca cert and user cert/key =====
TODO
 
===== With self-signed cert chain =====
TODO
 
==== Regressions ====
TODO
 
==== Dependent packages' tests ====
TODO
 
=== Testing Day(s) ===
TODO
 
== Pitfalls ==
=== Downgrade ===
Downgrades will not be supported automatically. We should document the steps for reverting to an NSSDB while an OpenSSL-style configuration is in place.
 
=== Mixed configuration options have undefined behaviour ===
If both OpenSSL-style and MozNSS-style configurations are used for various configuration parameters at the same time, the behaviour SHOULD not be destructive, but it is undefined.

Latest revision as of 15:50, 4 November 2016