From Fedora Project Wiki

= Switch OpenLDAP from NSS to OpenSSL - DRAFT =
== Overview ==
Currently, OpenLDAP in Fedora is compiled with NSS for crypto. This document describes how to build OpenLDAP with OpenSSL instead.
 
== Reasons ==
OpenLDAP in Fedora has been compiled with NSS for crypto for several years now. The NSS support layer was added upstream in 2008, but upstream has not kept it up to date since 2014. The reason for keeping OpenLDAP compiled with NSS was seamless interoperability with other packages, especially 389DS. Fixing and carrying the downstream patches has become a burden, so it was decided to switch to OpenSSL instead.
 
== Dependents ==
=== 389DS ===
An upstream 389DS patch that mirrors certificates from the NSS database into PEM files, so that an OpenSSL-built OpenLDAP library can be used, is included since version <code>389-ds-base-1.3.5</code>.
 
See [http://www.port389.org/docs/389ds/design/allow-usage-of-openldap-lib-w-openssl.html the design document].
 
=== FreeIPA ===
<pre>
BuildRequires: openldap-devel
Requires: openldap-clients
</pre>
 
=== SSSD ===
<pre>
BuildRequires: openldap-devel
</pre>
 
=== dhcpd ===
<pre>
BuildRequires: openldap-devel
</pre>
 
=== python-ldap ===
<pre>
BuildRequires: openldap-devel
</pre>
It uses OpenSSL for TLS itself, so this may not be a problem.
 
=== others ===
TODO
 
== Schedule ==
=== Prerequisites ===
* Finish this design.
* Discuss with closely related teams (389DS - done, SSSD, FreeIPA).
* Reach out to the Fedora community with a request for comments, especially from the packages that Require or BuildRequire OpenLDAP.
 
=== Test Day ===
TODO
 
=== Fedora 26 ===
* Land the OpenSSL-built OpenLDAP. This should include the [[#Interception code]] with <code>X_MOZNSS_COMPATIBILITY</code> enabled by default.
* Include a deprecation warning.
 
=== Fedora 27 ===
* Turn the [[#Interception code]] off by default; it can still be enabled with <code>X_MOZNSS_COMPATIBILITY</code>.
 
=== Fedora 28 ===
* Drop the [[#Interception code]] patching entirely. By then all packages should be fully functional with an OpenSSL-built OpenLDAP that has no NSS-specific functionality.
* Drop the deprecation warning.
 
== Implementation ==
The code handling a possible NSS-specific configuration ([[#Interception code]]) should cover every use case (the libldap, openldap-clients and openldap-servers packages). In short, both OpenSSL-specific and NSS-specific configurations should work seamlessly with nothing more than the <code>X_MOZNSS_COMPATIBILITY</code> option turned on.
 
=== Build ===
OpenLDAP will be built with <code>./configure --with-tls=openssl</code>, dropping <code>--with-tls=moznss</code>. The NSS libraries still have to be linked in so that the [[#Interception code]] can read the NSS database.
 
=== Interception code ===
==== Enabling ====
A <code>yes</code>/<code>no</code> option, available as <code>LDAP_OPT_X_MOZNSS_COMPATIBILITY</code> (libldap API), <code>X_MOZNSS_COMPATIBILITY</code> (ldap.conf, slapd.conf) and <code>olcMozNSSCompatibility</code> (slapd-config), explicitly sets whether the [[#Interception code]] is used.
 
==== Implementation ====
After parsing the user's options, adjust them as follows:
* keep <code>CACERT</code> as set
* if <code>CACERTDIR</code> points at an NSS database (it contains <code>cert8.db</code> or <code>cert9.db</code>) then
** if the database is pin-protected then
*** unlock it with the pin read from the file named by <code>KEY</code>
** extract all CA certs to <code>ca.pem</code>
** extract all CA certs from the database named by the <code>DEFAULT_MOZNSS_DIR</code>/<code>MOZNSS_DIR</code> environment variable to <code>default_moznss_dir.pem</code>/<code>moznss_dir.pem</code>
** extract the user cert and key (the <code>CERT</code> nickname) to <code>user.pem</code>
** take the randomly pre-generated DH params from the NSSDB and put them into <code>DHParamFile</code>
** rewrite the options so that they refer to the extracted PEM files and work with OpenSSL
* continue with the normal OpenSSL TLS initialisation
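The extraction steps above, including the directory rule from the "PEM files location" consideration below, as an added example that is not the Fedora/OpenLDAP interception code. It is a hypothetical helper that assumes the NSS tools <code>certutil</code> and <code>pk12util</code> and the <code>openssl</code> CLI are on PATH, that the <code>TLS_KEY</code> pin file holds the bare database password, and that the PEM files go to <code>/etc/openldap/pem</code>; the sample <code>certutil -L</code> listing is constructed, and nothing runs unless <code>run_commands</code> is called with <code>dry_run=False</code>.

```python
# Hypothetical NSSDB-to-PEM extraction helper (added example, not the
# Fedora/OpenLDAP interception code). Assumes certutil, pk12util and openssl
# are on PATH and that the TLS_KEY pin file holds the bare database password;
# nothing executes unless run_commands(..., dry_run=False) is used.
import os
import shlex
import stat
import subprocess
import tempfile

# Constructed sample of `certutil -d <db> -L` output: one trusted CA, one user cert.
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA                                              CT,C,C
Server-Cert                                                  u,u,u
"""


def is_nssdb(path):
    """TLS_CACERTDIR names an NSS database when it holds cert8.db (dbm) or cert9.db (sqlite)."""
    return any(os.path.isfile(os.path.join(path, f)) for f in ("cert8.db", "cert9.db"))


def db_spec(dbdir):
    """-d argument for certutil/pk12util, selecting the sqlite or the legacy dbm backend."""
    return ("sql:" if os.path.isfile(os.path.join(dbdir, "cert9.db")) else "dbm:") + dbdir


def parse_certutil_listing(text):
    """[(nickname, trust_flags), ...] from `certutil -L`: nicknames may contain spaces,
    the trust flags (SSL,S/MIME,JAR/XPI columns) are always the last token."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().rsplit(None, 1)
        if len(parts) == 2 and not parts[0].startswith("Certificate Nickname"):
            entries.append((parts[0], parts[1]))
    return entries


def is_trusted_ca(trust):
    """'C' in the SSL column marks a CA trusted to issue server certificates."""
    return "C" in trust.split(",")[0]


def prepare_pem_dir(dbdir, pemdir):
    """Create pemdir with the NSSDB's owner and mode; on failure fall back to a
    private mkdtemp (0700), never a fixed /tmp name, since user.pem holds the key."""
    try:
        st = os.stat(dbdir)
        os.makedirs(pemdir, mode=stat.S_IMODE(st.st_mode), exist_ok=True)
        os.chown(pemdir, st.st_uid, st.st_gid)
        return pemdir
    except OSError:
        return tempfile.mkdtemp(prefix="ldap-nssdb-")


def extraction_commands(dbdir, listing, user_nick, pin, pemdir):
    """Commands dumping the NSSDB to ca.pem (all trusted CAs) and user.pem (cert + key).
    Items are (argv, file to append stdout to, or None); -K hands the pin to pk12util."""
    db = db_spec(dbdir)
    ca_pem, user_pem, p12 = (os.path.join(pemdir, f) for f in ("ca.pem", "user.pem", "user.p12"))
    cmds = [(["certutil", "-d", db, "-L", "-n", nick, "-a"], ca_pem)
            for nick, trust in parse_certutil_listing(listing) if is_trusted_ca(trust)]
    if user_nick:
        export = ["pk12util", "-d", db, "-n", user_nick, "-o", p12, "-W", ""]
        cmds.append((export + (["-K", pin] if pin else []), None))
        cmds.append((["openssl", "pkcs12", "-in", p12, "-nodes", "-passin", "pass:",
                      "-out", user_pem], None))
        cmds.append((["rm", "-f", p12], None))  # drop the unprotected PKCS#12 once converted
    return cmds


def run_commands(cmds, dry_run=True):
    """Return the shell-quoted command lines; with dry_run=False also execute them,
    appending each command's captured stdout to its target file."""
    lines = []
    for argv, dest in cmds:
        lines.append(" ".join(shlex.quote(a) for a in argv) + (" >> " + dest if dest else ""))
        if not dry_run:
            out = subprocess.run(argv, check=True, capture_output=True).stdout
            if dest:
                with open(dest, "ab") as fh:
                    fh.write(out)
    return lines


if __name__ == "__main__":
    cmds = extraction_commands("/etc/openldap/certs", SAMPLE_LISTING, "Server-Cert",
                               "secret", "/etc/openldap/pem")
    print("\n".join(run_commands(cmds)))  # dry run: shows what would be executed
```

Only certificates whose SSL trust column carries <code>C</code> end up in <code>ca.pem</code>, which mirrors what the NSS build trusted; the user certificate is exported through an empty-password PKCS#12 that is removed as soon as <code>openssl pkcs12 -nodes</code> has written <code>user.pem</code>, so the only long-lived copy of the private key is in the directory chosen by <code>prepare_pem_dir</code>.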
 
==== Considerations ====
===== PEM files location =====
The NSSDB should stay in place, while a directory with the same owner and permissions is created alongside it for the extracted PEM files. If that directory cannot be created, the files go to a temporary directory instead; because <code>user.pem</code> contains the private key, that fallback must be a freshly created, owner-only (mode 0700) directory such as <code>mkdtemp()</code> produces, not a predictable path under <code>/tmp</code>.
 
===== CRLCheck and CRLFile options =====
NSS honours the <code>TLS_CRLFILE</code> option only, whereas OpenSSL ignores it and honours <code>TLS_CRLCHECK</code> (<code>none</code>, <code>peer</code> or <code>all</code>), looking the CRL up in the hashed <code>TLS_CACERTDIR</code>. A CRL configured the NSS way must therefore be mapped explicitly, or revocation checking is silently lost.
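The option rewrite (the last step of the interception procedure above) together with the CRL mapping just described, as an added example that is not the Fedora/OpenLDAP interception code. It is a hypothetical client-side (ldap.conf) translator that assumes the PEM files were already extracted into <code>/etc/openldap/pem</code>; the sample configuration is constructed. It maps <code>TLS_CRLFILE</code> to <code>TLS_CRLCHECK peer</code>, which fails closed until the CRL is placed into a hashed <code>TLS_CACERTDIR</code>, rather than dropping revocation checking.

```python
# Hypothetical ldap.conf rewrite from NSS-style to OpenSSL-style TLS directives
# (added example, not the Fedora/OpenLDAP interception code). Assumes ca.pem
# and user.pem were extracted into pemdir.
import os

# Constructed NSS-style client configuration: TLS_CACERTDIR is the NSSDB,
# TLS_CERT a certificate nickname and TLS_KEY the pin file.
SAMPLE_LDAP_CONF = (
    "URI ldaps://ldap.example.com\n"
    "TLS_CACERTDIR /etc/openldap/certs\n"
    "TLS_CERT Server-Cert\n"
    "TLS_KEY /etc/openldap/certs/password\n"
    "TLS_CRLFILE /etc/openldap/certs/crl.pem\n"
    "TLS_REQCERT demand\n"
)


def looks_like_nssdb(path):
    """True when path holds an NSS database (cert8.db or cert9.db)."""
    return any(os.path.isfile(os.path.join(path, f)) for f in ("cert8.db", "cert9.db"))


def translate_ldap_conf(text, pemdir, nssdb_check=looks_like_nssdb):
    """Return (rewritten text, warnings).

    TLS_CACERT is kept as set. An NSSDB TLS_CACERTDIR becomes TLS_CACERT ca.pem;
    the TLS_CERT nickname and the TLS_KEY pin file both become user.pem (cert plus
    key). TLS_CRLFILE, which an OpenSSL build ignores, is commented out and replaced
    by TLS_CRLCHECK peer; that fails closed until the CRL sits in a c_rehash'ed
    TLS_CACERTDIR, so a warning states what is left to do."""
    rows = [(line, line.split(None, 1)) for line in text.splitlines()]
    directives = {p[0].upper(): p[1] for _, p in rows if len(p) == 2 and not p[0].startswith("#")}
    if "TLS_CACERTDIR" not in directives or not nssdb_check(directives["TLS_CACERTDIR"]):
        return text, []  # already an OpenSSL-style configuration: nothing to do
    ca_pem, user_pem = (os.path.join(pemdir, f) for f in ("ca.pem", "user.pem"))
    out, warnings = [], []
    for line, p in rows:
        key = p[0].upper() if len(p) == 2 and not p[0].startswith("#") else None
        if key == "TLS_CACERTDIR":
            out.append("# " + line if "TLS_CACERT" in directives else "TLS_CACERT " + ca_pem)
        elif key in ("TLS_CERT", "TLS_KEY"):
            out.append(key + " " + user_pem)
        elif key == "TLS_CRLFILE":
            out.append("# " + line)
            out.append("TLS_CRLCHECK peer")
            warnings.append("TLS_CRLFILE %s is ignored with OpenSSL: copy the CRL into a "
                            "c_rehash'ed TLS_CACERTDIR so TLS_CRLCHECK can find it" % p[1])
        else:
            out.append(line)
    return "\n".join(out) + "\n", warnings


if __name__ == "__main__":
    conf, warns = translate_ldap_conf(SAMPLE_LDAP_CONF, "/etc/openldap/pem", lambda p: True)
    print(conf + "\n".join(warns))
```

A configuration whose <code>TLS_CACERTDIR</code> is a plain hashed directory is returned untouched, which is the "keep OpenSSL-like settings as they are" half of the compatibility rule; <code>slapd.conf</code> uses different directive names (<code>TLSCACertificateFile</code> and friends) and would need the same mapping with its own keys.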
 
===== NSS still used =====
Although only temporarily, the NSS library is still linked and used, which may cause a few problems.
 
== Testing ==
=== Areas ===
==== Interception code functionality ====
===== Basic self-signed ca cert and user cert/key =====
TODO
 
===== With self-signed cert chain =====
TODO
 
==== Regressions ====
TODO
 
==== Dependent packages' tests ====
TODO
 
=== Testing Day(s) ===
TODO
 
== Pitfalls ==
=== Downgrade ===
A downgrade will not be handled automatically. Steps for reverting to the NSSDB while an OpenSSL-style configuration is in place should be documented.
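The revert direction, as an added example that is not part of the Fedora change: a hypothetical helper that loads the PEM files an OpenSSL-built libldap used back into an NSS database with <code>certutil</code>, <code>pk12util</code> and <code>openssl</code> (assumed to be on PATH). The CA bundle is constructed with placeholder bodies. The ldap.conf directives (<code>TLS_CACERTDIR</code> back to the database, <code>TLS_CERT</code> to the nickname, <code>TLS_KEY</code> to the pin file) still have to be restored by hand.

```python
# Hypothetical PEM-to-NSSDB revert helper (added example, not part of the
# Fedora change). Assumes certutil, pk12util and openssl are on PATH.
import os
import re
import subprocess

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", re.S)

# Constructed two-certificate bundle; the bodies are placeholders, not real certificates.
SAMPLE_CA_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIB...root...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIB...intermediate...\n-----END CERTIFICATE-----\n"
)


def split_pem_certs(bundle):
    """One string per certificate: certutil -A imports a single certificate per call."""
    return PEM_CERT.findall(bundle)


def import_commands(pemdir, dbdir, ca_bundle, user_nick, pin, ca_nick_prefix="CA"):
    """(argv, stdin) pairs that rebuild the NSSDB: every CA is fed to certutil -A on
    stdin with CA trust flags (CT,C,C); user.pem (cert plus key) is wrapped into a
    PKCS#12 with an empty export password, imported with pk12util (the pin, if any,
    unlocking the key database) and then removed."""
    db = ("sql:" if os.path.isfile(os.path.join(dbdir, "cert9.db")) else "dbm:") + dbdir
    cmds = [(["certutil", "-A", "-d", db, "-n", "%s %d" % (ca_nick_prefix, i),
              "-t", "CT,C,C", "-a"], cert.encode())
            for i, cert in enumerate(split_pem_certs(ca_bundle), 1)]
    user_pem, p12 = (os.path.join(pemdir, f) for f in ("user.pem", "user.p12"))
    cmds.append((["openssl", "pkcs12", "-export", "-in", user_pem, "-out", p12,
                  "-name", user_nick, "-passout", "pass:"], None))
    cmds.append((["pk12util", "-i", p12, "-d", db, "-W", ""] + (["-K", pin] if pin else []), None))
    cmds.append((["rm", "-f", p12], None))
    return cmds


def run(cmds, dry_run=True):
    """Execute the commands in order (stdin supplied where given); dry_run only lists them."""
    for argv, stdin in cmds:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, input=stdin, check=True)
    return len(cmds)


if __name__ == "__main__":
    run(import_commands("/etc/openldap/pem", "/etc/openldap/certs", SAMPLE_CA_BUNDLE,
                        "Server-Cert", "secret"))
```

Feeding each certificate on stdin avoids writing per-CA temporary files, and the nicknames are generated (<code>CA 1</code>, <code>CA 2</code>, ...) because PEM files carry none; the original nicknames are lost in the forward direction, which is one more reason to keep the NSSDB in place rather than delete it after extraction.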
 
=== Mixed configuration options have undefined behaviour ===
If OpenSSL-style and NSS-style settings are mixed across configuration parameters, the behaviour SHOULD not be destructive, but it is undefined.

Latest revision as of 15:50, 4 November 2016