en - Re: [sympa-users] Strange things on LDAP quaries...

Subject: The mailing list for listmasters using Sympa

  • From: IKEDA Soji <address@concealed>
  • To: address@concealed
  • Subject: Re: [sympa-users] Strange things on LDAP quaries...
  • Date: Wed, 31 Aug 2016 15:02:25 +0900

Hi Marco and all,

I compiled Marco's changes to a patch file.
http://sympa-ja.org/download/sympa-6.1.17-tlsv1.patch

On Debian: this patch may be applicable to wheezy (Sympa 6.1.11) and
jessie (6.1.23). As Sympa 6.1.25 has already been fixed, stretch and
sid do not need fixing.

Regards,

-- Soji

On Tue, 30 Aug 2016 15:22:43 +0200
Marco Gaiarin <address@concealed> wrote:

> Hello! "Steve Shipway" (via sympa-users Mailing List)
> said on that day...
>
> > From your logs, it seems that the LDAP library is rejecting the TLS mode
> > you are specifying ('tls'). The LDAP manual tells me that it should be
> > 'tlsv1' or 'tlsv1_2'.
> > However, it also appears that Sympa is disallowing 'tlsv1' as an option
> > to the 'ssl_version' directive, and only wants 'tls'.
>
> Exactly.
>
>
> > Checking the code for Sympa 6.2.16, it definitely supports 'tlsv1'. I
> > think you probably have an older 6.1.x or 6.0.x version of Sympa, which
> > doesn't correctly handle the tls option any more? If this is the case,
> > then you have 2 options -- either upgrade Sympa, or patch the code (in
> > lib/Conf.pm under 6.2 but probably elsewhere in 6.1) to allow 'tlsv1' as
> > an option to the ssl_version directive.
>
> As stated in my first message, Debian wheezy, e.g. Sympa version
> 6.1.11~dfsg-5+deb7u2.
>
> I've looked at /usr/share/sympa/lib/Conf.pm, and:
>
> my %valid_keywords = (
>     'ldap' => {
>         'regexp'                      => '.*',
>         'negative_regexp'             => '.*',
>         'host'                        => '[\w\.\-]+(:\d+)?(\s*,\s*[\w\.\-]+(:\d+)?)*',
>         'timeout'                     => '\d+',
>         'suffix'                      => '.+',
>         'bind_dn'                     => '.+',
>         'bind_password'               => '.+',
>         'get_dn_by_uid_filter'        => '.+',
>         'get_dn_by_email_filter'      => '.+',
>         'email_attribute'             => '\w+',
>         'alternative_email_attribute' => '(\w+)(,\w+)*',
>         'scope'                       => 'base|one|sub',
>         'authentication_info_url'     => 'http(s)?:/.*',
>         'use_ssl'                     => '1',
>         'ssl_version'                 => 'sslv2/3|sslv2|sslv3|tlsv1',
>         'ssl_ciphers'                 => '[\w:]+'
>     },
>
> seems OK. Grepping around for other 'tls' entries I've found and corrected:
>
> root@armitage:~# diff -ud /usr/share/sympa/lib/List.pm.orig
> /usr/share/sympa/lib/List.pm
> --- /usr/share/sympa/lib/List.pm.orig 2016-08-30 15:04:12.184832071 +0200
> +++ /usr/share/sympa/lib/List.pm 2016-08-30 15:04:25.092859033 +0200
> @@ -827,7 +827,7 @@
>
> 'gettext_id' => 'use SSL (LDAPS)',
>
> 'order' => 2.5,
> },
> - 'ssl_version'
> => {'format' => ['sslv2','sslv3','tls'],
> + 'ssl_version'
> => {'format' => ['sslv2','sslv3','tlsv1'],
>
> 'default' => 'sslv3',
>
> 'gettext_id' => 'SSL version',
>
> 'order' => 2.5,
>
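Review bot: the 'default' => 'sslv3' that follows the changed line is left as it is, so a list that never sets ssl_version still gets SSLv3, a broken protocol; now that 'tlsv1' is an accepted value, 'default' => 'tlsv1' would be the safer choice. The new format list ['sslv2','sslv3','tlsv1'] also still differs from the Conf.pm regexp quoted above ('sslv2/3|sslv2|sslv3|tlsv1'), which accepts 'sslv2/3' as well; the two lists should be aligned so that a value one validator accepts cannot be rejected by the other, and note that existing list configs still carrying the old 'tls' value will no longer match this format list after the change.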
> But the web interface still reported 'tls'. I also restarted Apache, and now
> the web interface correctly reports 'tlsv1'.
>
>
> And user sync now works again. Thanks!!!
>
> --
> It won't be the sirens' song that makes us fall in love,
> we know it well, we have heard it before (F. De Gregori)
>
>


--
Conversion Co., Ltd., Security & OSS Solutions Department, IKEDA Soji
Access Oimachi Building 4F, 1-49-15 Oi, Shinagawa-ku, Tokyo 140-0014
e-mail address@concealed TEL 03-6429-2880
http://www.conversion.co.jp/
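The thread turns on two validators that disagree: the Conf.pm keyword regexp and the List.pm 'format' list quoted above. The Python below is an added example (not Sympa code and not Marco's patch) that checks the two against each other and audits ssl_version values in a list config; it assumes an anchored match for the regexp, a one-keyword-per-line config layout (the sample paragraph is constructed), and a policy of flagging SSLv2/SSLv3, which the thread itself does not decide.

```python
import re

# ssl_version validators as quoted in the thread (Sympa 6.1.11):
# lib/Conf.pm %valid_keywords regexp and lib/List.pm 'format' lists.
CONF_PM_REGEXP = r'sslv2/3|sslv2|sslv3|tlsv1'
LIST_PM_FORMAT_BEFORE = ['sslv2', 'sslv3', 'tls']
LIST_PM_FORMAT_AFTER = ['sslv2', 'sslv3', 'tlsv1']   # after Marco's patch

# Policy assumed by this example, not decided in the thread: SSLv2/SSLv3
# are broken protocols and should be flagged even where the code accepts them.
INSECURE = {'sslv2', 'sslv2/3', 'sslv3'}

# Constructed sample of a list config paragraph (one keyword per line assumed).
SAMPLE_CONFIG = """include_ldap_query
host ldap.example.org
use_ssl 1
ssl_version tls
"""

def conf_pm_accepts(value):
    # fullmatch is an assumption of this example: an unanchored search
    # would let a value such as 'tlsv1_2' pass through the 'tlsv1' branch.
    return re.fullmatch(CONF_PM_REGEXP, value) is not None

def consistency_gap(fmt):
    """Return (offered by List.pm but rejected by Conf.pm,
               accepted by Conf.pm but not offered by List.pm)."""
    only_list = {v for v in fmt if not conf_pm_accepts(v)}
    only_conf = {v for v in CONF_PM_REGEXP.split('|') if v not in fmt}
    return only_list, only_conf

def classify(value, fmt):
    """Judge one ssl_version value against both validators and the policy."""
    in_list, in_conf = value in fmt, conf_pm_accepts(value)
    if not in_list and not in_conf:
        return 'invalid'
    if in_list != in_conf:
        return 'inconsistent'   # the 'tls' symptom: web UI offers it, loader rejects it
    return 'insecure' if value in INSECURE else 'ok'

def audit_config(text, fmt):
    """Scan 'ssl_version <value>' lines of a list config and classify each."""
    pattern = re.compile(r'^\s*ssl_version\s+(\S+)\s*$')
    return [(m.group(1), classify(m.group(1), fmt))
            for m in map(pattern.match, text.splitlines()) if m]
```

Running consistency_gap on the pre-patch list reports 'tls' as offered but unloadable, and on the patched list still reports 'sslv2/3' as accepted by Conf.pm but never offered.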
