ldap over ssl fails
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openldap (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
Binary package hint: ldap-utils
After converting Debian/etch systems to Ubuntu Hardy, ldapsearch will no longer work unless I disable SSL or disable checking of the server certificate:
--- cut ---
root@oncilla:~# cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=microcomaust
URI ldaps:/
#TLS_CACERT /etc/ssl/
TLS_CACERT /etc/ssl/
TLS_REQCERT demand
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
--- cut ---
root@oncilla:~# ldapsearch -x
ldap_sasl_
However the server is fine, it works with ldapsearch from Debian/etch, and openssl s_client on Ubuntu Hardy:
openssl s_client -verify 1 -CApath /etc/ssl/certs -connect scrooge.
openssl s_client -verify 1 -CAfile /etc/ssl/
(both these work)
I also saw #217159, but this appears to be a client side issue, not a server issue.
Brian May
This bug report may be invalid; it seems ldapsearch is fussy and requires that all certificates up the chain be verifiable. So the following commands fixed the problem:
cd /etc/ssl/certs
cat root.pem class3.pem > /etc/ssl/cacert.pem
vim /etc/ldap/ldap.conf to use the value for TLS_CACERT
I believe it is the following: the key is signed by CAcert's class 3 certificate, which is signed by the root certificate. Some programs (like openvpn and newer versions of ldapsearch) require that every certificate up the chain can be verified; however, others like openssl s_client are OK with just the class 3 certificate.
Brian May
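The chain behaviour described in the comment above, reproduced as an added example that is not part of the bug report: it builds a throwaway root / intermediate ("class 3") / server chain with the openssl CLI, then shows that a CA file holding only the intermediate passes a lenient verifier (`-partial_chain`) but fails a strict one that insists on reaching a self-signed trust anchor, and that the concatenated bundle from the fix passes strictly. All names, paths and the temp directory are made up; nothing touches /etc/ssl.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes the openssl CLI and its
# default config; works in a temp dir with invented names only.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEYOPTS="-nodes -newkey rsa:2048"

# 1. Self-signed root CA (openssl req -x509 marks it CA:TRUE by default)
openssl req -x509 $KEYOPTS -days 2 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
# 2. Intermediate "class 3" CA signed by the root; CA:TRUE so it may issue certs
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
openssl req -new $KEYOPTS -subj "/CN=Example Class 3 CA" \
    -keyout "$WORK/class3.key" -out "$WORK/class3.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/class3.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/class3.pem" >/dev/null 2>&1
# 3. Server (LDAP) certificate signed by the intermediate only
openssl req -new $KEYOPTS -subj "/CN=ldap.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/class3.pem" -CAkey "$WORK/class3.key" \
    -CAcreateserial -days 2 -out "$WORK/server.pem" >/dev/null 2>&1

# The fix from the report: one bundle holding every certificate up the chain
cat "$WORK/root.pem" "$WORK/class3.pem" > "$WORK/cacert.pem"

# verify_server CAFILE [EXTRA_FLAGS]: prints ok or fail.
# Default is strict, like ldapsearch: the chain must end at a self-signed root.
verify_server() {
    if openssl verify ${2:-} -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

echo "strict,  intermediate only: $(verify_server "$WORK/class3.pem")"                 # fail
echo "lenient, intermediate only: $(verify_server "$WORK/class3.pem" -partial_chain)"  # ok
echo "strict,  root+intermediate: $(verify_server "$WORK/cacert.pem")"                 # ok
```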