[SERVER-43763] Figure out if global LDAP synchronization can be disabled when libldap is built with OpenSSL.
Created: 02/Oct/19  Updated: 29/Oct/23  Resolved: 19/Nov/19

| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 4.2.4, 4.3.2, 4.0.18 |
| Type: | Task |
| Priority: | Major - P3 |
| Reporter: | Spencer Jackson |
| Assignee: | Mark Benvenuto |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Backport Requested: | v4.2, v4.0 |
| Sprint: | Security 2019-11-04, Security 2019-11-18, Security 2019-12-02 |
| Case: | (copied to CRM) |

Description
RHEL 7.5 ships a libldap backed by OpenSSL instead of NSS. This may mitigate the concurrency issues which drove us to libldap_r. This suggests that libldap.so may be viable again. However, it may not advertise the thread safety flags which we rely upon to enable or disable global synchronization around libldap calls. We should investigate whether we can dynamically detect the underlying TLS implementation underneath libldap, and use that information to toggle synchronization.
Comments

Comment by Githook User [ 19/Mar/20 ]
Author: Mark Benvenuto (markbenvenuto, mark.benvenuto@mongodb.com)
Message: (cherry picked from commit 96c2a4f4b3be80146610a787ba4331e32042bf72)

Comment by Githook User [ 04/Mar/20 ]
Author: Mark Benvenuto (markbenvenuto, mark.benvenuto@mongodb.com)
Message: (cherry picked from commit 96c2a4f4b3be80146610a787ba4331e32042bf72)

Comment by Githook User [ 19/Nov/19 ]
Author: Mark Benvenuto (markbenvenuto, mark.benvenuto@mongodb.com)
Message:

Comment by Mark Benvenuto [ 08/Nov/19 ]

Spencer and I discussed this change. We decided to go with a different approach and allow users to opt in to getting thread safety instead via a setParameter on non-thread-safe versions of OpenLDAP. The stability and performance of OpenLDAP is dependent on whether the _r.so version is used and what SSL provider is chosen (OpenSSL vs Mozilla NSS). Mozilla NSS is known to crash in the non-thread-safe version. OpenSSL in the thread-safe version is known to have performance issues (since it overrides OpenSSL's lock callbacks). We are unsure of the stability of OpenSSL with OpenLDAP in the non-thread-safe version. But we want to provide users with a flag to override our default behavior to experiment. Overview of which distros use which SSL provider with OpenLDAP:

MozNSS/OpenSSL Compat - is a special mode Redhat added in RHEL 7.5 and only exists in the RHEL 7.5+ line.

Matrix of TLS Providers:
Comment by Mark Benvenuto [ 25/Oct/19 ]

As part of https://bugzilla.redhat.com/show_bug.cgi?id=1400570, OpenLDAP was switched from Mozilla NSS to OpenSSL+MozNSS compat. This change was consumed as part of RHEL 7.5. For RHEL 8.0, this change was removed and openldap switched completely to OpenSSL. Also, this change was not backported to RHEL 6.x.
This change was first made to Fedora 19 and as part of this change, they added new compile and runtime flags to support their MozNSS compat (i.e. --enable-moznss-compatibility). They also extended ldap_get_option with a new flag named LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY. This flag only exists on RHEL 7.5 and later. It does not exist in RHEL 8.x.

We could change OpenLDAPConnection::isThreadSafe to return true if LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY exists at compile time and is enabled at runtime. This change would only have this effect on RHEL 7 and no other platform, reducing the risk.

spencer.jackson, do you want me to special case RHEL 7 with this information?
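The compile-time plus runtime check sketched in the comment above, written out as an added illustration in C; it is not MongoDB's OpenLDAPConnection code. It assumes that ldap_get_option fills an int (0/1) for LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY on the RHEL 7.5+ libldap, guards the include with __has_include so the file also compiles where libldap headers are absent, and models the operator override from the later comment as a plain boolean whose name is hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>

/* Pull in libldap only where it is installed; on a host without the
 * headers the compile-time branch below simply reports "flag absent". */
#if defined(__has_include)
#  if __has_include(<ldap.h>)
#    include <ldap.h>
#    define HAVE_LDAP_H 1
#  endif
#endif

enum moznss_compat_state {
    MOZNSS_COMPAT_UNAVAILABLE = -1, /* option unknown at compile time, or query failed */
    MOZNSS_COMPAT_OFF = 0,
    MOZNSS_COMPAT_ON = 1
};

/* Compile-time check: does this libldap define the RHEL 7.5+ option at all?
 * Runtime check: is compat mode actually switched on in the global options?
 * Assumption: ldap_get_option writes an int for this option, as it does for
 * LDAP_OPT_X_TLS_REQUIRE_CERT. */
int ldap_moznss_compat_state(void) {
#if defined(HAVE_LDAP_H) && defined(LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY)
    int enabled = 0;
    /* A NULL LDAP handle queries the process-wide (global) option set. */
    if (ldap_get_option(NULL, LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY, &enabled) != LDAP_OPT_SUCCESS)
        return MOZNSS_COMPAT_UNAVAILABLE;
    return enabled ? MOZNSS_COMPAT_ON : MOZNSS_COMPAT_OFF;
#else
    return MOZNSS_COMPAT_UNAVAILABLE;
#endif
}

/* Decide whether calls into libldap must be wrapped in the global mutex.
 * built_with_libldap_r: linked against the reentrant libldap_r.so.
 * operator_override:    hypothetical stand-in for the setParameter the ticket
 *                       settled on; it forces the unlocked path so operators
 *                       can experiment on a non-thread-safe libldap. */
bool ldap_needs_global_lock(bool built_with_libldap_r, bool operator_override) {
    if (built_with_libldap_r) return false;   /* library itself is thread safe */
    if (operator_override) return false;      /* operator explicitly opts out */
    /* Only a confirmed-on RHEL 7.5+ compat mode lets us trust plain libldap.so;
     * an unknown or failed query falls back to the safe default: lock. */
    return ldap_moznss_compat_state() != MOZNSS_COMPAT_ON;
}
```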