[SERVER-56617] Reconsider advice to switch to the libldap_r Created: 04/May/21 Updated: 29/Oct/23 Resolved: 03/Sep/21 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | 4.4.5, 4.2.14 |
| Fix Version/s: | 5.1.0-rc0 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Andrey Brindeyev | Assignee: | Sergey Galtsev (Inactive) |
| Resolution: | Fixed | Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Backwards Compatibility: | Fully Compatible |
| Sprint: | Security 2021-08-09, Security 2021-08-23, Security 2021-09-06 |
| Participants: |
| Case: | (copied to CRM) |
| Linked BF Score: | 68 |
| Description |
|
The majority of current installations in the field are still using RHEL 7/CentOS 7. It seems that most customers upgrade their operating system. Since NSS is no longer in use, we may need to adjust the warning printed because it may be harmful: if the server uses LDAPS connections, then libldap_r library may remove mitigations for
This is the current log line:
The server may advise disabling the NSS shim layer (present only in RHEL7/CentOS 7) to achieve better stability instead of the switch to the libldap_r: TLS_MOZNSS_COMPATIBILITY off setting in the ldap.conf |
| Comments |
| Comment by Githook User [ 21/Sep/21 ] |
|
Author: {'name': 'Benety Goh', 'email': 'benety@mongodb.com', 'username': 'benety'}Message: |
| Comment by Githook User [ 21/Sep/21 ] |
|
Author: {'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}Message: |
| Comment by Githook User [ 05/Sep/21 ] |
|
Author: {'name': 'Benety Goh', 'email': 'benety@mongodb.com', 'username': 'benety'}Message: |
| Comment by Githook User [ 03/Sep/21 ] |
|
Author: {'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}Message: |
| Comment by Sergey Galtsev (Inactive) [ 03/Sep/21 ] |
|
| Comment by Githook User [ 30/Aug/21 ] |
|
Author: {'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}Message: |
| Comment by Sergey Galtsev (Inactive) [ 25/Aug/21 ] |
| Comment by Githook User [ 25/Aug/21 ] |
|
Author: {'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}Message: |
| Comment by Githook User [ 25/Aug/21 ] |
|
Author: {'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}Message: |
| Comment by Githook User [ 25/Aug/21 ] |
|
Author: {'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}Message: |
| Comment by Githook User [ 25/Aug/21 ] |
|
Author: {'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}Message: |
| Comment by Sergey Galtsev (Inactive) [ 18/Aug/21 ] |
|
Clarification, per conversation with mark.benvenuto:
|
| Comment by Mark Benvenuto [ 02/Aug/21 ] |
|
If a customer is using MozNSS;
If a customer is using OpenSSL:
|