Bug 264545

Summary: net-im/ejabberd tls ldap broken
Product: Ports & Packages
Reporter: Marko Cupać <marko.cupac>
Component: Individual Port(s)
Assignee: Ashish SHUKLA <ashish>
Status: Closed FIXED
Severity: Affects Only Me
Flags: bugzilla: maintainer-feedback? (ashish)
Priority: ---
Version: Latest
Hardware: amd64
OS: Any

Description Marko Cupać 2022-06-08 12:28:31 UTC
Hi,

I have just upgraded one of my ejabberd jails to 13.1-RELEASE, also updating all the ports to main (built in my own poudriere):

erlang upgraded: 24.2.2,4 -> 24.3.4,4
ejabberd upgraded: 21.12 -> 22.05

After the upgrade I cannot connect to the LDAP server (Active Directory) anymore.

Here's my AUTHENTICATION section which worked before the upgrade:

###   ====== AUTHENTICATION =======   ###
auth_method: [ldap]
ldap_servers:
  - "ldap.example.org"
ldap_encrypt: tls
ldap_port: 636
ldap_rootdn: "CN=SomeAccount,DC=example,DC=org"
ldap_password: "examplepass"
ldap_base: "DC=example,DC=org"
ldap_uids:
  - "sAMAccountName"
ldap_filter: "(memberOf=CN=jabber_users,DC=example,DC=org)"


Here's the actual error from ejabberd.log:

2022-06-08 13:57:18.791918+02:00 [error] <0.31354.0>@eldap:connect_bind/1:1092 LDAP connection to ldap.example.org:636 failed: TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure
 {unknown_or_malformed_handshake,13}

Searching around the 'net I found the following discussion:

https://github.com/rabbitmq/rabbitmq-server/discussions/4726?sort=old

...which acknowledges an issue with LDAP authentication for erlang 24.3.4, and an apparent fix which should come with 24.3.5.

I guess there is nothing else to do except wait for a new version of erlang, but hopefully other ejabberd users on FreeBSD will find this information useful.

Regards,
Comment 1 Ashish SHUKLA freebsd_committer freebsd_triage 2022-06-08 12:51:36 UTC
(In reply to Marko Cupać from comment #0)

Thanks for posting about this. The fix[0] is also present in version 24.3.4.1[1], released a few hours ago.

You can submit a PR for the upgrade if you like. I don't have a way to test the problem here.

References:
[0] https://github.com/erlang/otp/commit/61d592f1dfcfca8561eda91a626e8c014669afa1
[1] https://github.com/erlang/otp/releases/tag/OTP-24.3.4.1
Comment 2 Marko Cupać 2022-06-08 14:25:10 UTC
(In reply to Ashish SHUKLA from comment #1)

Hi,

Thank you for the quick reply and insightful information.

I submitted a PR for upgrading to 24.3.4.1:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264547

Regards,
Comment 3 Marko Cupać 2022-06-10 10:02:26 UTC
After upgrading erlang to 24.3.4.1, tls ldap auth in ejabberd works again.