Bug 49348 - use global certificate store for ad certificate
Status: NEW
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 4.4
Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Samba maintainers
Depends on:
Blocks: 55756
Reported: 2019-04-25 11:53 CEST by Felix Botner
Modified: 2023-03-16 17:35 CET (History)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description: Felix Botner (univentionstaff), 2019-04-25 11:53:41 CEST
Support Case:

AD Connector with SSL. The AD server cert was issued by an intermediate cert, which itself was issued by an intermediate certificate. So all three, both intermediate certs and the root CA, are required to verify the server cert.

All three certificates were already present in the global cert store /etc/ssl/certs/.

In order to configure SSL in this case, we had to manually check which certificates we need and to create a chain file with all the certs. Copy this file into the connector/ad/ldap/certificate file, remove the cache file /var/cache/univention-ad-connector/CAcert-connector.pem and restart the connector.

No way for a customer to pull that off.

If we used the global store, this would have worked out of the box.

TODO:

* add UCS CA to global store (we already do, I think)
* add AD Cert to global store
* use OPT_X_TLS_CACERTDIR=/etc/ssl/certs/ instead of OPT_X_TLS_CACERTFILE in the python-ldap SSL configuration
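Added example (not part of the bug report and not UCS or AD Connector code): a POSIX shell script that rebuilds the situation described above with a throwaway root -> intermediate -> intermediate -> server chain, then runs the same two lookups the python-ldap options map to. OPT_X_TLS_CACERTFILE corresponds to OpenSSL's single trusted file (`openssl verify -CAfile`), OPT_X_TLS_CACERTDIR to a directory of certificates named by subject-name hash (`openssl verify -CApath`), which is the layout of /etc/ssl/certs on a Debian-based system such as UCS. All names, serials, file names and the `ad.example.test` host are constructed for the example; the script only needs a local `openssl` binary (1.1.0 or newer) and touches nothing outside a temporary directory.

```shell
#!/bin/sh
# Added example for this bug report (not code from UCS or the reporter).
# Shows that a CA *file* holding only the root cannot verify a server cert
# issued via two intermediates, while a hand-built chain file or a *hashed
# directory* holding all three CAs (the /etc/ssl/certs layout) can.
# Every name, serial and path here is constructed for the example.
set -eu

# Create the PKI in "$1": root.pem, inter1.pem, inter2.pem, server.pem,
# chain.pem (what support had to assemble by hand) and cadir/ with copies
# of the three CA certs named <subject-hash>.0, as -CApath lookup expects.
build_pki() {
    dir="$1"
    mkdir -p "$dir/cadir"
    (
    cd "$dir"
    # extensions for the root and both intermediates / for the AD server cert
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ad.example.test\n' > srv.ext
    # minimal req config so the system openssl.cnf cannot interfere
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=unused\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > req.cnf

    # self-signed root CA
    openssl req -config req.cnf -x509 -extensions ca -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout root.key -out root.pem -days 30 -subj '/CN=Example Root CA' 2>/dev/null

    # issue "$2.pem" signed by "$1", with subject "$3", extension file "$4", serial "$5"
    issue() {
        openssl req -config req.cnf -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$2.key" -out "$2.csr" -subj "$3" 2>/dev/null
        openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -set_serial "$5" \
            -days 30 -extfile "$4" -out "$2.pem" 2>/dev/null
    }
    issue root   inter1 '/CN=Example Issuing CA 1' ca.ext  1001
    issue inter1 inter2 '/CN=Example Issuing CA 2' ca.ext  1002
    issue inter2 server '/CN=ad.example.test'      srv.ext 1003

    # chain file: everything above the server cert, its issuer first
    cat inter2.pem inter1.pem root.pem > chain.pem

    # hashed directory, like /etc/ssl/certs after update-ca-certificates:
    # OpenSSL finds an issuer by hashing the issuer name and opening <hash>.0
    for c in root inter1 inter2; do
        cp "$c.pem" "cadir/$(openssl x509 -in "$c.pem" -noout -subject_hash).0"
    done
    )
}

# Verify server.pem against one trusted file (what OPT_X_TLS_CACERTFILE does).
# Prints ok/fail; -no-CApath keeps the system store out of the result.
verify_cafile() {
    if openssl verify -no-CApath -CAfile "$1/$2" "$1/server.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Verify server.pem against a hashed directory (what OPT_X_TLS_CACERTDIR does).
verify_capath() {
    if openssl verify -no-CAfile -CApath "$1/cadir" "$1/server.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# python-ldap equivalents of the two lookups (not executed here):
#   ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/chain.pem')   # one file, must hold the full chain
#   ldap.set_option(ldap.OPT_X_TLS_CACERTDIR,  '/etc/ssl/certs')       # hashed directory
#   ldap.set_option(ldap.OPT_X_TLS_NEWCTX, 0)                          # apply the TLS options
demo() {
    d=$(mktemp -d)
    build_pki "$d"
    echo "CAfile, root only:  $(verify_cafile "$d" root.pem)"   # fail: intermediates not found
    echo "CAfile, chain.pem:  $(verify_cafile "$d" chain.pem)"  # ok: hand-built chain file
    echo "CApath, hashed dir: $(verify_capath "$d")"            # ok: issuers found by subject hash
    rm -rf "$d"
}
demo
```

Two caveats worth keeping in mind when switching the connector to OPT_X_TLS_CACERTDIR (editor's notes, not statements from the bug): the directory must be in OpenSSL's hashed layout, so a certificate merely copied into /etc/ssl/certs without the hash link (on Debian-based systems, without going through /usr/local/share/ca-certificates and update-ca-certificates) is not found; and pointing the connector at the whole system store means any CA in that store, not just the one that issued the AD server certificate, can satisfy the verification, which is a wider trust scope than the single-file setting gives.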