|
|
| (6 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| = Switch OpenLDAP from MozNSS to OpenSSL =
| | [[Changes/OpenLDAPwithOpenSSL]] |
| == Overview ==
| |
| TODO
| |
| | |
| == Reasons ==
| |
| TODO
| |
| | |
| == Dependents ==
| |
| === 389DS ===
| |
| Upstream patch that mirrors certificates to PEM files so that OpenSSL-built OpenLDAP library may be used, is supported since version <code>389-ds-base-1.3.5</code>.
| |
| | |
| See [http://www.port389.org/docs/389ds/design/allow-usage-of-openldap-lib-w-openssl.html the design document].
| |
| | |
| === FreeIPA ===
| |
| BuildRequires: openldap-devel
| |
| Requires: openldap-clients
| |
| | |
| === SSSD ===
| |
| BuildRequires: openldap-devel
| |
| | |
| === dhcpd ===
| |
| BuildRequires: openldap-devel
| |
| | |
| === python-ldap ===
| |
| BuildRequires: openldap-devel
| |
| Uses OpenSSL for TLS, so maybe not a problem?
| |
| | |
| === others ===
| |
| TODO
| |
| | |
| == Schedule ==
| |
| === Fedora 26 ===
| |
| Land the OpenSSL-built OpenLDAP. This should include the [[#Interception code]] with <code>X_MOZNSS_COMPATIBILITY</code> set on by default.
| |
| | |
| === Fedora 27 ===
| |
| Turn the [[#Interception code]] off by default, still being able to enable it with the <code>X_MOZNSS_COMPATIBILITY</code>.
| |
| | |
| === Fedora 28 ===
| |
| Drop the [[#Interception code]] patching entirely. All packages should be already fully functional with OpenSSL-built OpenLDAP not supporting MozNSS-specific functionality.
| |
| | |
| == Implementation ==
| |
| The code handling possible MozNSS-specific configuration ([[#Interception code]]) should handle all possible use-cases (libldap, openldap-clients and openldap-servers packages). Briefly, the code should make usage of both, OpenSSL-specific and MozNSS-specific, configurations seamless with no more than setting the <code>X_MOZNSS_COMPATIBILITY</code> option on.
| |
| | |
| === Build ===
| |
| Will build with <code>./configure --with-tls=openssl</code>, dropping <code>--with-tls=moznss</code>. Also, MozNSS libs will be needed to be included so that the [[#Interception code]] works.
| |
| | |
| === Interception code ===
| |
| ==== Enabling ====
| |
| A <code>yes</code>/<code>no</code> options <code>LDAP_OPT_X_MOZNSS_COMPATIBILITY</code> (libldap), <code>X_MOZNSS_COMPATIBILIY</code> (ldap.conf, slapd.conf), and <code>olcMozNSSCompatibility</code> (slapd-config) may be used to explicitly set whether the [[#Interception code]] will be used.
| |
| | |
| ==== Implementation ====
| |
| After parsing user options change these accordingly:
| |
| * keep <code>CACERT</code> as set
| |
| * if <code>CACERTDIR</code> is NSSDB then
| |
| ** if NSSDB is pin-protected then
| |
| *** unlock the DB using <code>KEY</code>
| |
| ** extract all CA certs to <code>ca.pem</code>
| |
| ** extract all CA certs from <code>(DEFAULT_)MOZNSS_DIR</code> environment variable to <code>(default_)moznss_dir.pem</code>
| |
| ** extract user cert and key to <code>user.pem</code>
| |
| ** get the randomly pre-generated DH params from NSSDB and put it into <code>DHParamFile</code>
| |
| ** update options so that they work for OpenSSL
| |
| * go on
| |
| | |
| ==== Considerations ====
| |
| ===== PEM files location =====
| |
| We should keep the NSSDB in place, while creating a directory with the same owner and permissions for storing the extracted PEM files. If the directory cannot be created, we should temporarily put these to a tempdir (in <code>/tmp</code>).
| |
| | |
| ===== CRLCheck and CRLFile options =====
| |
| NSS uses <code>CRLFILE</code> option only, whereas OpenSSL uses <code>CRLCHECK</code> bool.
| |
| | |
| ===== NSS still used =====
| |
| Even though temporarily, NSS library is still used possibly causing some (although few) troubles.
| |
| | |
| == Testing ==
| |
| === Interception code functionality ===
| |
| ==== Basic self-signed ca cert and user cert/key ====
| |
| TODO
| |
| | |
| ==== With self-signed cert chain ====
| |
| TODO
| |
| | |
| === Regressions ===
| |
| TODO
| |
| | |
| === Dependent packages' tests ===
| |
| TODO
| |
| | |
| == Pitfalls ==
| |
| === Downgrade ===
| |
| TODO
| |
| | |
| === Mixed configuration options have undefined behaviour ===
| |
| If both, OpenSSL-like and MozNSS-like, configurations are used for various configuration parameters at the same time then the behaviour SHOULD not be destructive but it is undefined.
| |
