[Bug 629549] New: ldap connects over TLS fail with self signed certificates
http://bugzilla.novell.com/show_bug.cgi?id=629549
http://bugzilla.novell.com/show_bug.cgi?id=629549#c0

Summary: ldap connects over TLS fail with self signed certificates
Classification: openSUSE
Product: openSUSE 11.3
Version: Final
Platform: x86-64
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: volker@openbios.org
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (compatible; Konqueror/4.4; Linux) KHTML/4.4.4 (like Gecko) SUSE

Cannot connect to ldap server over TLS when server uses self signed certificate.

Ldap client accesses from 11.3 fail when using TLS. For example:

ldapsearch -ZZ -h my.ldap.host.domain
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)

The error message is probably referring to the CA certificate which resides in /etc/ssl/certs/myown-ca.cert.pem on server side and which is self signed.

Other ldap client services like Yast-Ldap-Browser or Yast-User-Management give the same error.

This problem does not occur with 11.2.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

-- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=629549
http://bugzilla.novell.com/show_bug.cgi?id=629549#c1
--- Comment #1 from Volker _
http://bugzilla.novell.com/show_bug.cgi?id=629549
http://bugzilla.novell.com/show_bug.cgi?id=629549#c
yang xiaoyu
http://bugzilla.novell.com/show_bug.cgi?id=629549
http://bugzilla.novell.com/show_bug.cgi?id=629549#c2
Jiří Suchomel
http://bugzilla.novell.com/show_bug.cgi?id=629549
http://bugzilla.novell.com/show_bug.cgi?id=629549#c3
Volker _
> And did you set TLS_CACERTDIR in YaST LDAP module?

I don't understand your question exactly. I assume you are referring to the Yast 'LDAP Client' module. There is a field called 'Certificate Directory' in 'Advanced Configuration'. The field has the value '/etc/openldap/cacerts'. This is the default value of that field; I have not changed it.
http://bugzilla.novell.com/show_bug.cgi?id=629549
http://bugzilla.novell.com/show_bug.cgi?id=629549#c4
Jiří Suchomel
http://bugzilla.novell.com/show_bug.cgi?id=629549
http://bugzilla.novell.com/show_bug.cgi?id=629549#c5
Volker _
> Yes, that's what I asked for. This means YaST should save that value to /etc/ldap.conf as tls_cacertdir.

Yast does: tls_cacertdir /etc/openldap/cacerts/ is present in my /etc/ldap.conf

> But you say you need to have it in /etc/openldap/ldap.conf as well, right?

Right. *11.3* seems to need it in /etc/openldap/ldap.conf as well. Maybe this is related to openssl 1.0.0 in 11.3. You can test this yourself on a 11.3 standard installation. Configure a LDAP server with TLS enabled using Yast's 'LDAP Server' module, then try to access your server with the 'LDAP Browser' module.
http://bugzilla.novell.com/show_bug.cgi?id=629549
http://bugzilla.novell.com/show_bug.cgi?id=629549#c
Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=629549
https://bugzilla.novell.com/show_bug.cgi?id=629549#c6
Ralf Haferkamp
> Yes, that's what I asked for. This means YaST should save that value to /etc/ldap.conf as tls_cacertdir. But you say you need to have it in /etc/openldap/ldap.conf as well, right?
> Ralf?

Yes, the option should be written to /etc/openldap/ldap.conf as "TLS_CACERTDIR" as well, so that the OpenLDAP command-line tools work as expected.
https://bugzilla.novell.com/show_bug.cgi?id=629549
https://bugzilla.novell.com/show_bug.cgi?id=629549#c7
Ralf Haferkamp
> Adding
>   TLS_CACERTDIR /etc/openldap/cacerts/
> to /etc/openldap/ldap.conf fixes the problem.

I wonder how adding "TLS_CACERTDIR /etc/openldap/cacerts/" can fix the problem if your certificate resides in "/etc/ssl/certs/myown-ca.cert.pem" (as you mention in the bug description). Is that really the case?
https://bugzilla.novell.com/show_bug.cgi?id=629549
https://bugzilla.novell.com/show_bug.cgi?id=629549#c8
Volker _
> I wonder how adding "TLS_CACERTDIR /etc/openldap/cacerts/" can fix the problem if your certificate resides in "/etc/ssl/certs/myown-ca.cert.pem" (as you mention in the bug description). Is that really the case?

"/etc/ssl/certs/myown-ca.cert.pem" is where the CA cert resides on the server side. I don't think the location on the server side actually matters, as this bug turned out to be solely a client problem.
https://bugzilla.novell.com/show_bug.cgi?id=629549
https://bugzilla.novell.com/show_bug.cgi?id=629549#c9
Jiří Suchomel
> Yes, the option should be written to /etc/openldap/ldap.conf as "TLS_CACERTDIR" as well, so that the OpenLDAP command-line tools work as expected.

So, is it the same for TLS_CACERTFILE vs. tls_cacertfile in /etc/ldap.conf? Or is the key name different?
https://bugzilla.novell.com/show_bug.cgi?id=629549
https://bugzilla.novell.com/show_bug.cgi?id=629549#c10
Ralf Haferkamp
> So, is it the same for TLS_CACERTFILE vs. tls_cacertfile in /etc/ldap.conf?
> Or is the key name different?

It's different *sigh*. That option is named "TLS_CACERT" in /etc/openldap/ldap.conf.
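The thread above boils down to two client config files with different key spellings for the same CA settings: /etc/ldap.conf (nss_ldap/pam_ldap, lowercase tls_cacertdir / tls_cacertfile) and /etc/openldap/ldap.conf (libldap, read by ldapsearch -ZZ and the YaST LDAP Browser, uppercase TLS_CACERTDIR / TLS_CACERT). The script below is an added example, not code from the bug report, YaST or OpenLDAP: nss_to_openldap rewrites the lowercase keys into the libldap spelling so both stacks trust the same CA, and check_ca_path verifies the referenced CA location exists and, for a directory, that it contains OpenSSL subject-hash links (what c_rehash produces), since a directory without them is silently useless to libldap. The demo function, its temp paths and its config lines are constructed for illustration. The secure fix here is to point the client at the right CA, never to set TLS_REQCERT never, which would make the StartTLS session accept any certificate.

```shell
#!/bin/sh
# Added example; not code from the bug report, YaST or OpenLDAP.
#
# Key-name mapping as established in the thread:
#   /etc/ldap.conf (nss_ldap)      -> /etc/openldap/ldap.conf (libldap)
#   tls_cacertdir  <dir>           -> TLS_CACERTDIR <dir>
#   tls_cacertfile <file>          -> TLS_CACERT    <file>
# Lines with other keys are not libldap TLS settings and are dropped.

# nss_to_openldap: read nss_ldap-style config on stdin, print libldap lines.
nss_to_openldap() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }          # comments, blanks, bare keys
        {
            key = tolower($1)
            if (key == "tls_cacertdir")  { print "TLS_CACERTDIR " $2; next }
            if (key == "tls_cacertfile") { print "TLS_CACERT " $2;    next }
        }
    '
}

# check_ca_path: validate a CA location from either config file.
# A file is accepted as-is. A directory must hold OpenSSL hash links
# (names like 9d8e7f6a.0, as created by c_rehash), because libldap/OpenSSL
# look CA certificates up in TLS_CACERTDIR by subject-hash filename.
# Prints "ok", "unhashed" or "missing"; returns 0 only for "ok".
check_ca_path() {
    path=$1
    if [ -f "$path" ]; then
        echo ok
        return 0
    elif [ -d "$path" ]; then
        if ls "$path" 2>/dev/null | grep -q '^[0-9a-f]\{8\}\.[0-9][0-9]*$'; then
            echo ok
            return 0
        fi
        echo unhashed
        return 1
    fi
    echo missing
    return 1
}

# demo: run both helpers on constructed input in a throwaway directory.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/cacerts"
    : > "$tmp/cacerts/9d8e7f6a.0"          # stand-in for a c_rehash link
    : > "$tmp/myown-ca.cert.pem"           # stand-in for the CA cert
    printf '%s\n' \
        "# written by YaST (constructed sample)" \
        "base dc=example,dc=com" \
        "tls_cacertdir $tmp/cacerts" \
        "tls_cacertfile $tmp/myown-ca.cert.pem" \
        "ssl start_tls" | nss_to_openldap
    check_ca_path "$tmp/cacerts"           # ok
    check_ca_path "$tmp/myown-ca.cert.pem" # ok
    check_ca_path "$tmp/does-not-exist"    # missing
    rm -rf "$tmp"
}
```

Run `demo` after sourcing the script, or feed a real /etc/ldap.conf to `nss_to_openldap` and append the output to /etc/openldap/ldap.conf after confirming with `check_ca_path` that the directory has actually been hashed; then re-run `ldapsearch -ZZ -h <host>` and expect the certificate verify failure from the bug description to disappear without touching TLS_REQCERT.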
https://bugzilla.novell.com/show_bug.cgi?id=629549
https://bugzilla.novell.com/show_bug.cgi?id=629549#c11
Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=629549
https://bugzilla.novell.com/show_bug.cgi?id=629549#c12
Андрей Кувшинов
http://bugzilla.novell.com/show_bug.cgi?id=629549
http://bugzilla.novell.com/show_bug.cgi?id=629549#c13
--- Comment #13 from Bernhard Wiedemann