Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release/9.0-staging] Add support for LDAPTLS_CACERTDIR \ TrustedCertificateDirectory #112531

Open
wants to merge 2 commits into
base: release/9.0-staging
Choose a base branch
from
Open

[release/9.0-staging] Add support for LDAPTLS_CACERTDIR \ TrustedCertificateDirectory #112531

wants to merge 2 commits into from

Conversation

steveharter
Copy link
Member

@steveharter steveharter commented Feb 13, 2025
edited
Loading

Backport of #111877 to release/9.0-staging
Fixes #104260 for v9.0.x
Backport for v8: #112530

/cc @steveharter @JasonDebug

Customer Impact

  • Customer reported
  • Found internally

Adds two new members to System.DirectoryServices.Protocols.LdapSessionOptions to forward to LDAP APIs on Linux\OSX that help with server certificate validation. On Windows, server certificate validation is supported by setting a callback on LdapSessionOptions.VerifyServerCertificates(), but that is not supported on Linux\OSX.

Regression

  • Yes
  • No

Testing

Several months ago, we provided a package with the proposed fix which was validated by the support engineer and customer requesting this feature. Once it was added to v10, the validation was done again. Also, local validation on Linux Ubuntu was done and verification tests were added.

Automated tests here are not supported with current infrastructure as it requires LDAP server support. Currently this must be manually tested.

Risk

Low - although we normally don't add new APIs in a servicing release, it is safer here since this assembly does not ship inbox with .NET so risk is low for versioning issues.

@steveharter steveharter self-assigned this Feb 13, 2025
@Copilot Copilot bot review requested due to automatic review settings February 13, 2025 18:18
@dotnet-issue-labeler dotnet-issue-labeler
Copy link

Note regarding the new-api-needs-documentation label:

This serves as a reminder for when your PR is modifying a ref *.cs file and adding/modifying public APIs, please make sure the API implementation in the src *.cs file is documented with triple slash comments, so the PR reviewers can sign off that change.

1 similar comment
@dotnet-issue-labeler dotnet-issue-labeler
Copy link

Note regarding the new-api-needs-documentation label:

This serves as a reminder for when your PR is modifying a ref *.cs file and adding/modifying public APIs, please make sure the API implementation in the src *.cs file is documented with triple slash comments, so the PR reviewers can sign off that change.

@steveharter steveharter mentioned this pull request Feb 13, 2025
Open
4 tasks
@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

Tagging subscribers to this area: @dotnet/area-system-directoryservices, @jay98014
See info in area-owners.md if you want to be subscribed.

@steveharter steveharter added the Servicing-consider Issue for next servicing release review label Feb 13, 2025
@steveharter steveharter requested a review from ericstj February 13, 2025 18:20
Copilot
Copilot AI reviewed Feb 13, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 5 out of 10 changed files in this pull request and generated 1 comment.

Files not reviewed (5)
  • src/libraries/Common/tests/System/DirectoryServices/LDAP.Configuration.xml: Language not supported
  • src/libraries/System.DirectoryServices.Protocols/src/Resources/Strings.resx: Language not supported
  • src/libraries/System.DirectoryServices.Protocols/src/System/DirectoryServices/Protocols/ldap/LdapConnection.cs: Evaluated as low risk
  • src/libraries/Common/src/Interop/Interop.Ldap.cs: Evaluated as low risk
  • src/libraries/System.DirectoryServices.Protocols/ref/System.DirectoryServices.Protocols.cs: Evaluated as low risk
Comments suppressed due to low confidence (4)

src/libraries/System.DirectoryServices.Protocols/tests/DirectoryServicesProtocolsTests.cs:709

  • Ensure that the new test cases properly cover the new functionality for 'StartNewTlsSessionContext' and 'TrustedCertificatesDirectory'.
[ConditionalFact(nameof(UseTls))]

src/libraries/System.DirectoryServices.Protocols/tests/DirectoryServicesProtocolsTests.cs:732

  • Ensure that the new test cases properly cover the new functionality for 'StartNewTlsSessionContext' and 'TrustedCertificatesDirectory'.
[ConditionalFact(nameof(UseTls))]

src/libraries/System.DirectoryServices.Protocols/tests/DirectoryServicesProtocolsTests.cs:744

  • Ensure that the new test cases properly cover the new functionality for 'TrustedCertificatesDirectory'.
[ConditionalFact(nameof(LdapConfigurationExists))]

src/libraries/System.DirectoryServices.Protocols/tests/DirectoryServicesProtocolsTests.cs:754

  • Ensure that the new test cases properly cover the new functionality for 'StartNewTlsSessionContext'.
[ConditionalFact(nameof(LdapConfigurationExists))]

...ryServices.Protocols/src/System/DirectoryServices/Protocols/ldap/LdapSessionOptions.Linux.cs
/// which can be done by using <code>openssl rehash .</code> or <code>c_rehash .</code> in the directory
/// containing the certificate files.
/// </remarks>
/// <exception cref="DirectoryNotFoundException">The directory not exist.</exception>
Copy link
Preview

Copilot AI Feb 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor grammar issue: 'The directory not exist.' should be 'The directory does not exist.'

Suggested change
/// <exception cref="DirectoryNotFoundException">The directory not exist.</exception>
/// <exception cref="DirectoryNotFoundException">The directory does not exist.</exception>

Copilot is powered by AI, so mistakes are possible. Review output carefully before use.

Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
This was referenced Feb 13, 2025
Open
Open
@rbhanda rbhanda added this to the 9.0.4 milestone Feb 18, 2025
@rbhanda rbhanda added Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Feb 18, 2025
ericstj
ericstj reviewed Feb 18, 2025
View reviewed changes
src/libraries/System.DirectoryServices.Protocols/src/CompatibilitySuppressions.xml
@@ -0,0 +1,67 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- https://learn.microsoft.com/dotnet/fundamentals/package-validation/diagnostic-ids -->
<Suppressions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is OK for now - but if we wanted to make this more common we could let projects opt out of this setting -

runtime/eng/packaging.targets

Line 41 in b61c07c

<EnableStrictModeForBaselineValidation>true</EnableStrictModeForBaselineValidation>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ericstj ericstj ericstj left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@steveharter steveharter

Labels
area-System.DirectoryServices new-api-needs-documentation Servicing-approved Approved for servicing release
Projects
None yet
Milestone
9.0.4
Development

Successfully merging this pull request may close these issues.
3 participants
@steveharter @ericstj @rbhanda