Univention Bugzilla – Bug 49348
use global certificate store for ad certificate
Last modified: 2023-03-16 17:35:26 CET
Support Case: AD Connector with SSL. The AD server cert was issued by an intermediate cert, which itself was issued by another intermediate certificate. So all three, both intermediate certs and the root CA, are required to verify the server cert. All three certificates were already present in the global cert store /etc/ssl/certs/. In order to configure SSL in this case, we had to manually check which certificates we need and create a chain file with all the certs, copy this file into the connector/ad/ldap/certificate file, remove the cache file /var/cache/univention-ad-connector/CAcert-connector.pem and restart the connector. No way for a customer to pull that off. If we used the global store, this would have worked out of the box.

TODO:
* add UCS CA to global store (we already do, I think)
* add AD cert to global store
* use OPT_X_TLS_CACERTDIR=/etc/ssl/certs/ instead of OPT_X_TLS_CACERTFILE in the python-ldap SSL configuration
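The manual step the report describes, "check which certificates we need and create a chain file", can be scripted against the hashed store that OPT_X_TLS_CACERTDIR would also use. The following is an added example and not code from this bug report or from univention-ad-connector; it assumes openssl is on PATH and that the directory named by CERTDIR (defaulting to /etc/ssl/certs) carries the <subject_hash>.N symlinks that update-ca-certificates (or openssl rehash) maintains, which is exactly the layout a CA directory option relies on. It walks from the server certificate to the self-signed root via issuer hashes, writes a leaf-first chain file, and refuses to produce a chain that does not verify with the root as the only trust anchor.

```shell
#!/bin/sh
# Assemble the full issuer chain of an AD LDAP server certificate from the
# OpenSSL CA directory (default /etc/ssl/certs), leaf first, root last.
# Added example, not code from the bug report or from univention-ad-connector.
# Assumptions: openssl is on PATH, and the directory holds the hashed
# symlinks (<subject_hash>.0, .1, ...) that update-ca-certificates / openssl
# rehash maintain; the store is read at call time through $CERTDIR.
set -eu

CERTDIR="${CERTDIR:-/etc/ssl/certs}"

# Subject / issuer of a PEM certificate as one comparable line each.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# Find the store entry whose subject equals the issuer of $1. The hashed
# file name only narrows the search; several entries may share a hash, so
# every <hash>.N candidate is checked against the full issuer name.
find_issuer() {
    hash=$(openssl x509 -in "$1" -noout -issuer_hash)
    want=$(cert_issuer "$1")
    for cand in "$CERTDIR/$hash".*; do
        [ -f "$cand" ] || continue
        if [ "$(cert_subject "$cand")" = "$want" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# build_chain LEAF_PEM OUT_PEM
# Writes LEAF + every intermediate + the root to OUT_PEM, then checks that
# the leaf really verifies with the root as the only trust anchor. Fails if
# any link is missing from the store or the walk does not end in a root.
build_chain() {
    leaf=$1
    out=$2
    cp "$leaf" "$out"
    cur=$leaf
    depth=0
    while [ "$(cert_subject "$cur")" != "$(cert_issuer "$cur")" ]; do
        depth=$((depth + 1))
        [ "$depth" -le 10 ] || { echo "chain longer than 10 certs, giving up" >&2; return 1; }
        next=$(find_issuer "$cur") || {
            echo "issuer '$(cert_issuer "$cur")' not found in $CERTDIR" >&2
            return 1
        }
        cat "$next" >> "$out"
        cur=$next
    done
    # $cur is now the self-signed root; everything else in $out is untrusted input.
    openssl verify -CAfile "$cur" -untrusted "$out" "$leaf" > /dev/null
}

# Number of PEM certificates in a bundle (the case in this report yields 4).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }
```

The resulting chain file is what the report says had to be placed into connector/ad/ldap/certificate before removing the cache file and restarting the connector. Two caveats for the TODO items: an OpenSSL CA directory is only consulted through those hashed file names, so a CA certificate dropped into /etc/ssl/certs without a rehash is invisible to OPT_X_TLS_CACERTDIR, and every certificate in that directory becomes a trust anchor system-wide, not just for the connector.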