Univention Bugzilla – Bug 49648
TLS certificate of slapd can't be changed even with trusted CA
Last modified: 2022-12-08 17:52:02 CET
Changing the TLSCertificate{File,KeyFile} and TLSCACertificateFile to custom settings results in a broken UMC login. It complains about a self-signed certificate, even if the CA was imported to the CA store and is considered trusted. The customer has their own CA with which they sign pretty much anything in their environment. Since they want to access the LDAP from outside UCS servers as well, they would like to be able to use their CA.

The relevant config is in: /etc/univention/templates/files/etc/ldap/slapd.conf.d/30univention-ldap-server_head

Workaround: Import the UCS Root CA on such non-UCS systems. It can be obtained from the master: master.ucs.local/ucs-root-ca.crt
The issue here is that the UCS root certificate and the host certificate must be part of the same CA.

Workarounds:
* The UCS root CA can be signed by another CA. Afterwards all server certificates are trusted both by UCS instances and by other instances trusting the other CA.
* The host certificates and the public UCS root certificate can be replaced by the existing CA.

I keep this bug open to review whether the current check of the OpenLDAP certificate with the UCS root CA is useful.
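The failure and the first workaround above, reproduced with throw-away CAs as an added example (not code from the bug report or from Univention): a server certificate from a foreign CA does not verify against the UCS root CA, while cross-signing the UCS root CA's key under the customer's CA lets clients that only trust the customer CA verify UCS-issued certificates. It assumes only the openssl CLI; all CA names, hostnames and file stems are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the bug report: build throw-away CAs with openssl to
# reproduce the trust failure described above and to try the first workaround
# (the UCS root CA cross-signed by the customer's CA). All names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Self-signed CA; $1 is both the CN and the file stem.
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
# Server certificate: $1 = issuing CA stem, $2 = server CN, $3 = output stem.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 2 -out "$WORK/$3.crt" 2>/dev/null
}
# Cross-sign: $1 = signing CA stem, $2 = CA whose key gets a second certificate.
# The subject must equal the original CA's subject so existing chains still build.
cross_sign() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/ca.ext"
  openssl req -new -key "$WORK/$2.key" -subj "/CN=$2" -out "$WORK/$2-cross.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2-cross.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/$2-cross.crt" 2>/dev/null
}
# chains_to ANCHOR CERT [INTERMEDIATE]: succeeds iff CERT verifies against ANCHOR,
# optionally with an untrusted intermediate supplied the way a server would send it.
chains_to() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/$3.crt" "$WORK/$2.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
  fi
}

gen_ca ucs-root-ca                                     # what UMC checks slapd against
gen_ca customer-ca                                     # the customer's own CA
issue_leaf customer-ca ldap.example.test slapd-custom  # slapd cert from the report
issue_leaf ucs-root-ca ldap.example.test slapd-ucs     # the UCS-issued host cert
cross_sign customer-ca ucs-root-ca                     # workaround 1 from the comment

# The reported failure: a certificate from the customer's CA is an unknown issuer for UCS.
chains_to ucs-root-ca slapd-custom || echo "slapd-custom: not trusted by ucs-root-ca"
# After cross-signing, a UCS-issued cert verifies for clients that only trust customer-ca.
chains_to customer-ca slapd-ucs ucs-root-ca-cross && echo "slapd-ucs: trusted via cross-signed ucs-root-ca"
```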