[Bug 629549] New: ldap connects over TLS fail with self signed certificates
http://bugzilla.novell.com/show_bug.cgi?id=629549#c0

Summary: ldap connects over TLS fail with self signed certificates
Classification: openSUSE
Product: openSUSE 11.3
Version: Final
Platform: x86-64
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: volker@openbios.org
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (compatible; Konqueror/4.4; Linux) KHTML/4.4.4 (like Gecko) SUSE

Cannot connect to ldap server over TLS when server uses self signed certificate.

Ldap client accesses from 11.3 fail when using TLS. For example:

ldapsearch -ZZ -h my.ldap.host.domain
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)

The error message is probably referring to the CA certificate which resides in /etc/ssl/certs/myown-ca.cert.pem on server side and which is self signed.

Other ldap client services like Yast-Ldap-Browser or Yast-User-Management give the same error.

This problem does not occur with 11.2.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=629549#c1

--- Comment #1 from Volker _ <volker@openbios.org> 2010-08-09 15:45:32 UTC ---

Seems to me it boils down to yast not passing the necessary config option to openldap. Adding

TLS_CACERTDIR /etc/openldap/cacerts/

to /etc/openldap/ldap.conf fixes the problem.
http://bugzilla.novell.com/show_bug.cgi?id=629549

yang xiaoyu <xyyang@novell.com> changed:

        What | Removed                                   | Added
          CC |                                           | xyyang@novell.com
  AssignedTo | bnc-team-screening@forge.provo.novell.com | jsuchome@novell.com
http://bugzilla.novell.com/show_bug.cgi?id=629549#c2

Jiří Suchomel <jsuchome@novell.com> changed:

         What | Removed | Added
       Status | NEW     | NEEDINFO
           CC |         | rhafer@novell.com
 InfoProvider |         | volker@openbios.org

--- Comment #2 from Jiří Suchomel <jsuchome@novell.com> 2010-08-10 08:41:38 UTC ---

And did you set TLS_CACERTDIR in YaST LDAP module?
http://bugzilla.novell.com/show_bug.cgi?id=629549#c3

Volker _ <volker@openbios.org> changed:

         What | Removed             | Added
       Status | NEEDINFO            | NEW
 InfoProvider | volker@openbios.org |

--- Comment #3 from Volker _ <volker@openbios.org> 2010-08-10 10:11:05 UTC ---

(In reply to comment #2)
> And did you set TLS_CACERTDIR in YaST LDAP module?

I don't understand your question exactly. I assume you are referring to the Yast 'LDAP Client' module. There is a field called 'Certificate Directory' in 'Advanced Configuration'. The field has the value '/etc/openldap/cacerts'. This is the default value of that field, I have not changed it.
http://bugzilla.novell.com/show_bug.cgi?id=629549#c4

Jiří Suchomel <jsuchome@novell.com> changed:

         What | Removed | Added
       Status | NEW     | NEEDINFO
 InfoProvider |         | rhafer@novell.com

--- Comment #4 from Jiří Suchomel <jsuchome@novell.com> 2010-08-10 10:22:51 UTC ---

Yes, that's what I asked for. This means YaST should save that value to /etc/ldap.conf as tls_cacertdir. But you say you need to have it in /etc/openldap/ldap.conf as well, right?

Ralf?
http://bugzilla.novell.com/show_bug.cgi?id=629549#c5

Volker _ <volker@openbios.org> changed:

         What | Removed           | Added
       Status | NEEDINFO          | NEW
 InfoProvider | rhafer@novell.com |

--- Comment #5 from Volker _ <volker@openbios.org> 2010-08-10 11:59:45 UTC ---

(In reply to comment #4)
> Yes, that's what I asked for. This means YaST should save that value to
> /etc/ldap.conf as tls_cacertdir.

Yast does:

tls_cacertdir /etc/openldap/cacerts/

is present in my /etc/ldap.conf

> But you say you need to have it in /etc/openldap/ldap.conf as well, right?

Right. *11.3* seems to need it in /etc/openldap/ldap.conf as well. Maybe this is related to openssl 1.0.0 in 11.3. You can test this yourself on a 11.3 standard installation. Configure an LDAP server with TLS enabled using Yast's 'LDAP Server' module, then try to access your server with the 'LDAP Browser' module.
http://bugzilla.novell.com/show_bug.cgi?id=629549

Jiří Suchomel <jsuchome@novell.com> changed:

         What | Removed | Added
       Status | NEW     | NEEDINFO
 InfoProvider |         | rhafer@novell.com
https://bugzilla.novell.com/show_bug.cgi?id=629549#c6

Ralf Haferkamp <rhafer@novell.com> changed:

         What | Removed           | Added
       Status | NEEDINFO          | NEW
 InfoProvider | rhafer@novell.com |

--- Comment #6 from Ralf Haferkamp <rhafer@novell.com> 2010-08-17 12:13:33 CEST ---

(In reply to comment #4)
> Yes, that's what I asked for. This means YaST should save that value to
> /etc/ldap.conf as tls_cacertdir. But you say you need to have it in
> /etc/openldap/ldap.conf as well, right?
>
> Ralf?

Yes the option should be written to /etc/openldap/ldap.conf as "TLS_CACERTDIR" as well. So that the OpenLDAP commandline tools work as expected.
https://bugzilla.novell.com/show_bug.cgi?id=629549#c7

Ralf Haferkamp <rhafer@novell.com> changed:

         What | Removed | Added
       Status | NEW     | NEEDINFO
 InfoProvider |         | volker@openbios.org

--- Comment #7 from Ralf Haferkamp <rhafer@novell.com> 2010-08-17 12:17:32 CEST ---

(In reply to comment #1)
> Adding
>
> TLS_CACERTDIR /etc/openldap/cacerts/
>
> to
>
> /etc/openldap/ldap.conf
>
> fixes the problem.

I wonder how adding "TLS_CACERTDIR /etc/openldap/cacerts/" can fix the problem if your certificate resides in "/etc/ssl/certs/myown-ca.cert.pem" (as you mention in the bug description). Is that really the case?
https://bugzilla.novell.com/show_bug.cgi?id=629549#c8

Volker _ <volker@openbios.org> changed:

         What | Removed             | Added
       Status | NEEDINFO            | NEW
 InfoProvider | volker@openbios.org |

--- Comment #8 from Volker _ <volker@openbios.org> 2010-08-17 10:30:46 UTC ---

> I wonder how adding "TLS_CACERTDIR /etc/openldap/cacerts/" can fix the
> problem if your certificate resides in "/etc/ssl/certs/myown-ca.cert.pem"
> (as you mention in the bug description). Is that really the case?

"/etc/ssl/certs/myown-ca.cert.pem" is where the CA cert resides on server side. I don't think the location on server side does actually matter, as this bug turned out to be solely a client problem.
https://bugzilla.novell.com/show_bug.cgi?id=629549#c9

Jiří Suchomel <jsuchome@novell.com> changed:

         What | Removed | Added
       Status | NEW     | NEEDINFO
 InfoProvider |         | rhafer@novell.com

--- Comment #9 from Jiří Suchomel <jsuchome@novell.com> 2010-08-17 14:01:31 UTC ---

(In reply to comment #6)
> Yes the option should be written to /etc/openldap/ldap.conf as
> "TLS_CACERTDIR" as well. So that the OpenLDAP commandline tools work as
> expected.

So, is it the same for TLS_CACERFILE vs. tls_cacertfile in /etc/ldap.conf? Or is the key name different?
https://bugzilla.novell.com/show_bug.cgi?id=629549#c10

Ralf Haferkamp <rhafer@novell.com> changed:

         What | Removed           | Added
       Status | NEEDINFO          | NEW
 InfoProvider | rhafer@novell.com |

--- Comment #10 from Ralf Haferkamp <rhafer@novell.com> 2010-08-17 16:42:49 CEST ---

(In reply to comment #9)
> So, is it the same for TLS_CACERFILE vs. tls_cacertfile in /etc/ldap.conf?
> Or is the key name different?

It's different *sigh*. That option is named "TLS_CACERT" in /etc/openldap/ldap.conf
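The key-name mismatch spelled out in comments #6 and #10 (tls_cacertdir and tls_cacertfile in /etc/ldap.conf versus TLS_CACERTDIR and TLS_CACERT in /etc/openldap/ldap.conf) is easy to get wrong by hand, and the symptom in the bug report is exactly what happens when libldap ends up with no trust anchor at all. The script below is an added example, not code from the bug report or from yast2-ldap-client: it parses the trust-anchor settings from a /etc/ldap.conf-style file, renames them to what the OpenLDAP client library expects, and reports which ones are missing from /etc/openldap/ldap.conf. The two file contents and the client-side CA file path are constructed for the example; only the host name and the cacerts directory come from the thread.

```python
"""Check that the TLS trust anchors YaST writes to /etc/ldap.conf are also
present, under OpenLDAP's own key names, in /etc/openldap/ldap.conf.

Added example for this bug thread; not code from the bug report or from
yast2-ldap-client. The file contents below are constructed samples.
"""

# Key names differ between the two files (comments #6 and #10 of the bug):
# /etc/ldap.conf (pam_ldap/nss_ldap style)  ->  /etc/openldap/ldap.conf
KEY_MAP = {
    "tls_cacertdir": "TLS_CACERTDIR",
    "tls_cacertfile": "TLS_CACERT",   # not TLS_CACERTFILE
}

# Constructed sample of what the YaST LDAP client module wrote to /etc/ldap.conf.
# Host name and cacerts directory are from the bug; the CA file path is made up.
LDAP_CONF = """\
host my.ldap.host.domain
base dc=example,dc=org
ssl start_tls
tls_cacertdir /etc/openldap/cacerts/
tls_cacertfile /etc/openldap/cacerts/myown-ca.cert.pem
"""

# Constructed sample of /etc/openldap/ldap.conf before the fix: no TLS_* keys,
# so libldap has no trust anchor and "ldapsearch -ZZ" fails with
# "certificate verify failed (self signed certificate in certificate chain)".
OPENLDAP_CONF_BEFORE = """\
URI ldap://my.ldap.host.domain
BASE dc=example,dc=org
"""


def parse_conf(text):
    """Parse 'KEY value' lines of either file. Blank lines and '#' comments
    are skipped; keys are lower-cased for comparison because ldap.conf(5)
    treats option names case-insensitively (values may be case-sensitive)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip()
    return opts


def tls_trust_settings(ldap_conf_text):
    """Trust-anchor options from /etc/ldap.conf, renamed for /etc/openldap/ldap.conf."""
    opts = parse_conf(ldap_conf_text)
    return {KEY_MAP[k]: v for k, v in opts.items() if k in KEY_MAP}


def missing_in_openldap_conf(ldap_conf_text, openldap_conf_text):
    """(KEY, value) pairs configured in /etc/ldap.conf but absent from, or set
    differently in, /etc/openldap/ldap.conf. An empty list means the two
    files agree on the trust anchors."""
    wanted = tls_trust_settings(ldap_conf_text)
    have = parse_conf(openldap_conf_text)
    return sorted((k, v) for k, v in wanted.items() if have.get(k.lower()) != v)


def render_missing(missing):
    """Lines to append to /etc/openldap/ldap.conf, using OpenLDAP's key names."""
    return "\n".join(f"{key} {value}" for key, value in missing)


if __name__ == "__main__":
    gap = missing_in_openldap_conf(LDAP_CONF, OPENLDAP_CONF_BEFORE)
    if gap:
        print("missing from /etc/openldap/ldap.conf:")
        print(render_missing(gap))
    else:
        print("trust anchors agree")
```

To run it against a real client, read /etc/ldap.conf and /etc/openldap/ldap.conf in place of the constructed strings. The script deliberately copies only trust anchors and never touches TLS_REQCERT: setting that to `never` or `allow` would also make the verification error go away, but by switching certificate verification off rather than by trusting the right CA. One detail the thread does not mention: OpenSSL looks certificates up in a TLS_CACERTDIR by hashed file name, so the directory form only works after the directory has been processed with c_rehash (or `openssl rehash`); a single-file TLS_CACERT has no such requirement.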
https://bugzilla.novell.com/show_bug.cgi?id=629549#c11

Jiří Suchomel <jsuchome@novell.com> changed:

         What | Removed | Added
       Status | NEW     | RESOLVED
   Resolution |         | FIXED

--- Comment #11 from Jiří Suchomel <jsuchome@novell.com> 2010-08-18 07:46:47 UTC ---

Fixed in svn and Factory
https://bugzilla.novell.com/show_bug.cgi?id=629549#c12

Андрей Кувшинов <m407@mail.ru> changed:

         What | Removed | Added
           CC |         | m407@mail.ru

--- Comment #12 from Андрей Кувшинов <m407@mail.ru> 2010-10-18 17:24:45 UTC ---

*** Bug 645194 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=645194
http://bugzilla.novell.com/show_bug.cgi?id=629549#c13

--- Comment #13 from Bernhard Wiedemann <bwiedemann@suse.com> ---

This is an autogenerated message for OBS integration:
This bug (629549) was mentioned in
https://build.opensuse.org/request/show/45746 Factory / yast2-ldap-client