Bug 30558 - Make SSL certificate for LDAP server configurable
Status: NEW
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 5.0
Other Linux
Importance: P5 minor with 8 votes
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2013-02-22 12:28 CET by Jan Christoph Ebersbach
Modified: 2022-12-08 17:52 CET (History)
CC List: 7 users

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2013021821000695, 2017081721000321, 2017112721000457
Bug group (optional):
Max CVSS v3 score:
best: Patch_Available+


Attachments
Create UCR variables that allow the configuration of SSL certificates for the LDAP server (1.67 KB, patch), 2013-02-25 16:40 CET, Jan Christoph Ebersbach

Description Jan Christoph Ebersbach univentionstaff 2013-02-22 12:28:10 CET
Since UCS is more and more used in cloud scenarios where services on the internet access UCS' LDAP server, the SSL certificate for the LDAP server should be configurable using UCR variables.

See Ticket #2013021821000695.
Comment 1 Jan Christoph Ebersbach univentionstaff 2013-02-22 15:11:46 CET
One big disadvantage of exchanging the SSL certificate for the LDAP server is that the new certificate must be valid for the hostname (FQDN), otherwise failures might occur on multiple levels, e.g. Nagios, join scripts, univention-ldapsearch ...
Comment 2 Jan Christoph Ebersbach univentionstaff 2013-02-22 15:15:06 CET
When specifying a different SSL certificate in /etc/ldap/slapd.conf, the CA specified in /etc/ldap/ldap.conf has to be changed as well.
Comment 3 Jan Christoph Ebersbach univentionstaff 2013-02-25 10:56:14 CET
The following configuration seems to work fine when making the LDAP server accessible through the Internet via a DNS name and an officially signed SSL certificate:

1. UCR variable ldap/server/name=NEW.DNS.NAME
2. /etc/ldap/ldap.conf, change TLS_CACERT to /etc/ssl/certs/ca-certificates.crt
2.1. append the UCS CA to ca-certificates.crt in order to allow secured LDAP connections to the UCS domain, e.g. LDAP-Policy-Updates, LDAP-Replication, ... (cat /etc/univention/ssl/ucsCA/CAcert.pem >> /etc/ssl/certs/ca-certificates.crt)
2.2. optionally append an intermediate CA to ca-certificates.crt (cat /etc/univention/ssl/NEW.DNS.NAME/NAME.ca-bundle >> /etc/ssl/certs/ca-certificates.crt)
3. /etc/ldap/slapd.conf, change TLS* to the position of the new certificate (/etc/univention/ssl/NEW.DNS.NAME/*{key,ca-bundle,crt})
4. Restart slapd: /etc/init.d/slapd restart
5. Perform some tests:
univention-ldapsearch -x uid=Administrator # should yield the Administrator object
/etc/init.d/univention-directory-policy restart # should successfully evaluate all policies applied to the current server

Watch out for Nagios error messages concerning LDAP.  Nagios service UNIVENTION_JOINSTATUS breaks when the certificate chain is incomplete or the host name is wrong.
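The three things that go wrong in the procedure above are named in the comments but not checked for before slapd is restarted: a key that does not belong to the certificate, a chain that does not verify against the bundle TLS_CACERT points at, and a certificate that is not valid for the name set in ldap/server/name. The following script is an added example, not part of this bug report or of UCS; it assumes the openssl command-line tool is installed, and the paths and the FQDN ldap.example.com are hypothetical. check_ldap_cert runs all three checks on a given certificate, key and CA bundle, and make_test_pki builds constructed throwaway certificates so the script can be exercised without touching a real server.

```shell
#!/bin/sh
# Added example, not part of the bug report or of UCS: pre-flight checks for a
# replacement LDAP server certificate before it is referenced in slapd.conf.
# Assumes the openssl CLI is installed; all paths and the FQDN are hypothetical.
set -e

# check_ldap_cert CERT KEY CABUNDLE FQDN
# Returns 0 only if the key belongs to the certificate, the certificate
# verifies against CABUNDLE (what TLS_CACERT in ldap.conf points at), and
# the certificate is valid for FQDN (what ldap/server/name is set to).
check_ldap_cert() {
    cert="$1"; key="$2"; cabundle="$3"; fqdn="$4"

    # 1. The private key must match the certificate: compare the public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2
        return 1
    fi

    # 2. The chain must be complete against the bundle clients will trust.
    #    Look for the ': OK' verdict instead of relying on the exit code,
    #    which older openssl releases did not set on failure.
    if ! openssl verify -CAfile "$cabundle" "$cert" 2>&1 | grep -q ': OK$'; then
        echo "FAIL: $cert does not verify against $cabundle" >&2
        return 1
    fi

    # 3. The certificate must be valid for the name clients connect to
    #    (SAN first, CN as fallback). openssl prints 'does match' or
    #    'does NOT match'.
    if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>&1 | grep -q 'does match'; then
        echo "FAIL: $cert is not valid for $fqdn" >&2
        return 1
    fi

    echo "OK: $cert matches $key, chains to $cabundle and is valid for $fqdn"
    return 0
}

# make_test_pki DIR FQDN
# Constructed test material (not real UCS certificates): a throwaway CA in
# DIR/ca.crt, a server certificate for FQDN signed by it, and an unrelated
# second CA in DIR/other-ca.crt to exercise the chain check.
make_test_pki() {
    dir="$1"; fqdn="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Other CA" -keyout "$dir/other-ca.key" -out "$dir/other-ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$fqdn" -keyout "$dir/ldap.key" -out "$dir/ldap.csr" 2>/dev/null
    # Give the server certificate a DNS SAN, as modern clients require.
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.cnf"
    openssl x509 -req -days 1 -in "$dir/ldap.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/san.cnf" -out "$dir/ldap.crt" 2>/dev/null
}

# Stand-alone demo: build the constructed PKI and check it the way the real
# files would be checked before editing slapd.conf.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_test_pki "$tmp" ldap.example.com
    check_ldap_cert "$tmp/ldap.crt" "$tmp/ldap.key" "$tmp/ca.crt" ldap.example.com
    rm -rf "$tmp"
fi
```

Run it as `sh check-ldap-cert.sh --demo` to see the constructed case pass, or source the file and call check_ldap_cert with the real paths from step 3 of the comment (the key and crt under /etc/univention/ssl/NEW.DNS.NAME/, /etc/ssl/certs/ca-certificates.crt as the bundle, and the value of ldap/server/name as the FQDN) before restarting slapd. A non-zero return from any of the three checks is exactly the situation that later surfaces as Nagios UNIVENTION_JOINSTATUS or univention-ldapsearch failures.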
Comment 4 Jan Christoph Ebersbach univentionstaff 2013-02-25 16:40:01 CET
Created attachment 5095 [details]
Create UCR variables that allow the configuration of SSL certificates for the LDAP server

This patch creates UCR-Variables ldap/ssl/* that allow the configuration of SSL certificates for the LDAP server.

After applying the patch "ucr register ssl-ldap-server" needs to be executed to register the UCR variables.
Comment 5 Stefan Gohmann univentionstaff 2017-06-16 20:38:00 CEST
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version; otherwise this issue will be automatically closed in the next weeks.
Comment 6 Florian Best univentionstaff 2017-06-28 14:52:45 CEST
There is a Customer ID set, so I set the flag "Enterprise Customer affected".
Comment 7 Jan-Luca Kiok univentionstaff 2022-02-17 10:50:35 CET
This would really come in handy for two big school customers.