ldap over ssl fails
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| openldap (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
Binary package hint: ldap-utils
After converting Debian/etch systems to Ubuntu Hardy, ldap-serch will no longer work unless I disable SSL or disable checking of the server certificate:
--- cut ---
root@oncilla:~# cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=microcomaust
URI ldaps:/
#TLS_CACERT /etc/ssl/
TLS_CACERT /etc/ssl/
TLS_REQCERT demand
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
--- cut ---
root@oncilla:~# ldapsearch -x
ldap_sasl_
However the server is fine, it works with ldapsearch from Debian/etch, and openssl s_client on Ubuntu Hardy:
openssl s_client -verify 1 -CApath /etc/ssl/certs -connect scrooge.
openssl s_client -verify 1 -CAfile /etc/ssl/
(both these work)
I also saw #217159, but this appears to be a client side issue, not a server issue.
Brian May
| Brian May (brian-microcomaustralia) wrote | #1 |
| Mathias Gug (mathiaz) wrote | #2 |
| Changed in openldap: | |
| status: | New → Invalid |
This bug report may be invalid, it seems ldapsearch is fussy and requires all certificates up the chain be verifiable. So the following commands fixed the problem:
cd /etc/ssl/certs
cat root.pem class3.pem > /etc/ssl/cacert.pem
vim /etc/ldap/ldap.conf to use the value for TLS_CACERT
I believe it is the following: The key is signed by cacerts class 3 certificate which is signed by the root certificate. Some programs (like openvpn and newer versions of ldapsearch) require every certificate up the chain can be verified, however others like openssl s_client are OK with just the class 3 certificate.
Brian May