Univention Bugzilla – Bug 54207
Support for configuring TLS_CACERTDIR in /etc/ldap/ldap.conf
Last modified: 2022-07-07 09:16:16 CEST
I would like to see the TLS_CACERTDIR variable as an optional setting in UCR and then used in /etc/ldap/ldap.conf. I have a situation now where scripts on a Univention server should talk to an older system using a different CA. Adding other CAs to the TLS_CACERT would technically work, but makes a mess of keeping a clean setup.
Wouldn't it be better to make TLS_CACERT configurable (currently hard coded to /etc/univention/ssl/ucsCA/CAcert.pem)?

Then it could point to /etc/ssl/certs/ca-certificates.crt which contains all publicly accepted SSL CAs (in /etc/ssl/certs/) and those added by the user in /usr/local/share/ca-certificates/ (which includes the UCS' CA).

A customer could then simply add its own certificates to /usr/local/share/ca-certificates/ and execute update-ca-certificates. It'd be consistent with what users do for HTTPS clients.

@riess82: could you test this?
(In reply to Daniel Tröder from comment #1)
> Wouldn't it be better to make TLS_CACERT configurable (currently hard coded
> to /etc/univention/ssl/ucsCA/CAcert.pem).
>
> Then it could point to /etc/ssl/certs/ca-certificates.crt which contains all
> publicly accepted SSL CAs (in /etc/ssl/certs/) and those added by the user
> in /usr/local/share/ca-certificates/ (which includes the UCS' CA).
>
> A customer could then simply add its own certificates to
> /usr/local/share/ca-certificates/ and execute update-ca-certificates.
> It'd be consistent with what users do for HTTPS clients.
>
> @riess82: could you test this?

Yes, this would work too. The main goal here is that ldapsearch et al. (/etc/ldap/ldap.conf) should trust the system's CA cert store and not just the UCS CA.
Tests look good with TLS_CACERT pointing to (the now manually updated) /etc/ssl/certs/ca-certificates.crt.

Important to mention that update-ca-certificates only looks for *.crt files in /usr/local/share/ca-certificates/ and currently does not take *.pem into account. Not a problem, just something I noticed, having first tried the CA certificates ending in .pem. So CA certificates just have to end in .crt.

And just to make sure: /usr/local/share/ca-certificates/ is per server and not synced from the primary, right?

I have not tested that part yet, but the solution would be something like this?

    if 'ldap/server/TLS_CACERT' in configRegistry:
        print('TLS_CACERT=%s' % configRegistry['ldap/server/TLS_CACERT'])
    else:
        print('TLS_CACERT=/etc/univention/ssl/ucsCA/CAcert.pem')
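The following is an added example, not code from this thread or from Univention's UCR templates. It sketches the rendering logic proposed in the last comment as plain Python: the TLS_CACERT line is taken from a UCR-like mapping with the hard-coded UCS CA as fallback, an optional TLS_CACERTDIR line is emitted if set, and a helper flags files in the local CA directory that update-ca-certificates would silently skip because they do not end in .crt (the pitfall noted above). The variable names ldap/server/TLS_CACERT and ldap/server/TLS_CACERTDIR are assumptions taken from the proposal, not released UCR variables; the file list in the usage section is constructed sample data.

```python
"""Render the trust-anchor lines of /etc/ldap/ldap.conf from a UCR-like
mapping and check the local CA directory (added example, not UCS code)."""
import os
from pathlib import Path

# Current hard-coded default in the UCS template.
DEFAULT_CACERT = "/etc/univention/ssl/ucsCA/CAcert.pem"
# Hypothetical UCR variable names, taken from the proposal in this thread.
CACERT_VAR = "ldap/server/TLS_CACERT"
CACERTDIR_VAR = "ldap/server/TLS_CACERTDIR"
LOCAL_CA_DIR = "/usr/local/share/ca-certificates"


def render_tls_lines(config_registry):
    """Return the ldap.conf lines for the configured trust anchors.

    config_registry is any mapping with the UCR variable names as keys.
    TLS_CACERT always gets a value (configured or default); TLS_CACERTDIR
    is only written when explicitly configured, matching the original
    request for an optional setting.
    """
    cacert = config_registry.get(CACERT_VAR) or DEFAULT_CACERT
    lines = ["TLS_CACERT=%s" % cacert]
    cacertdir = config_registry.get(CACERTDIR_VAR)
    if cacertdir:
        lines.append("TLS_CACERTDIR=%s" % cacertdir)
    return lines


def skipped_by_update_ca_certificates(filenames):
    """Return the file names update-ca-certificates would ignore.

    Only *.crt files are picked up from /usr/local/share/ca-certificates,
    so a CA stored as .pem never reaches ca-certificates.crt and TLS
    verification against that CA fails without an obvious error.
    """
    return sorted(name for name in filenames
                  if not name.endswith(".crt") and not name.startswith("."))


def check_local_ca_dir(local_ca_dir=LOCAL_CA_DIR):
    """Scan the real directory; returns [] when it does not exist."""
    directory = Path(local_ca_dir)
    if not directory.is_dir():
        return []
    names = [p.name for p in directory.iterdir() if p.is_file()]
    return skipped_by_update_ca_certificates(names)


def cacert_readable(config_registry):
    """True if the effective TLS_CACERT file exists and is readable."""
    cacert = config_registry.get(CACERT_VAR) or DEFAULT_CACERT
    return os.path.isfile(cacert) and os.access(cacert, os.R_OK)


if __name__ == "__main__":
    # Constructed sample settings, as a customer would set them via ucr.
    sample_ucr = {CACERT_VAR: "/etc/ssl/certs/ca-certificates.crt"}
    for line in render_tls_lines(sample_ucr):
        print(line)
    # Constructed directory listing: the .pem file would be silently ignored.
    sample_listing = ["legacy-ca.pem", "ucs-ca.crt", "README"]
    print("ignored by update-ca-certificates:",
          skipped_by_update_ca_certificates(sample_listing))
    print("effective TLS_CACERT readable:", cacert_readable(sample_ucr))
```

Running the module prints the rendered lines and the ignored file names; on a real UCS host check_local_ca_dir() can be run after placing certificates to confirm that nothing was left as .pem before running update-ca-certificates.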