Bug 51673 - univention-adsearch does not use certificate chain if LDAPS is used instead of STARTTLS
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
Version: UCS 4.4
Hardware/OS: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-5-errata
Assigned To: Felix Botner
QA Contact: Julia Bremer
URL: https://help.univention.com/t/ucsca-a...
Depends on: 47858
Blocks: 51675
Reported: 2020-07-15 17:03 CEST by Arvid Requate
Modified: 2024-02-15 17:20 CET (History)
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
School Customer affected?: Yes
Ticket number: 2020070221000835
Flags: requate: Patch_Available+

Attachments
support-ldaps-in-univention-adsearch.patch (599 bytes, patch), 2020-07-15 17:04 CEST, Arvid Requate

Description Arvid Requate univentionstaff 2020-07-15 17:03:29 CEST
Followup to Bug #47858:

univention-adsearch does not use certificate chain if LDAPS is used instead of STARTTLS:
==============================================================================
root@ucs:~# ucr set connector/ad/ldap/ldaps=yes \
                    connector/ad/ldap/port=636 \
                    connector/ad/ldap/ssl=no   ## No STARTTLS
root@ucs:~# univention-adsearch '(foo=bar)'
Traceback (most recent call last):
  File "/usr/sbin/univention-adsearch.orig", line 169, in <module>
    lo.simple_bind_s(login_dn, login_pw)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 222, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 216, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)', 'desc': "Can't contact LDAP server"}
==============================================================================

Even though the certificate chain file works:

==============================================================================
root@ucs:~# LDAPTLS_CACERT=/var/cache/univention-ad-connector/CAcert-connector.pem\
 ldapsearch -xLLL -E domainScope \
 -H "ldaps://$(ucr get connector/ad/ldap/host)" \
 -D "$(ucr get connector/ad/ldap/binddn)" \
 -y "$(ucr get connector/ad/ldap/bindpw)" \
 -b "$(ucr get connector/ad/ldap/base)" \
 -s base 1.1
==============================================================================
Comment 1 Arvid Requate univentionstaff 2020-07-15 17:04:20 CEST
Created attachment 10429 [details]
support-ldaps-in-univention-adsearch.patch
Comment 2 Arvid Requate univentionstaff 2020-07-15 17:48:23 CEST
FYI: Also, the usage of UCR connector/ad/ldap/certificate is a bit interesting:

* univention-adsearch:
  If /var/cache/univention-ad-connector/CAcert-connector.pem doesn't exist
  it writes /etc/univention/ssl/ucsCA/CAcert.pem
  and the file given in connector/ad/ldap/certificate
  into that file and uses the new file.

* univention-ad-connector:
  Uses only connector/ad/ldap/certificate
So, if you want to use a certificate chain, you can do either:

a) write it to a file /var/cache/univention-ad-connector/CAcert-connector.pem
   and set the UCR variable connector/ad/ldap/certificate to it.

b) write it into a different file, set the UCR connector/ad/ldap/certificate
   to the file path and then either copy it to CAcert-connector.pem
   or let univention-adsearch do its thing, catting the (possibly unrelated)
   /etc/univention/ssl/ucsCA/CAcert.pem plus your chain file into
   CAcert-connector.pem and using that. The UCS CA cert doesn't seem
   to hurt there, even if it has nothing to do with the AD Server cert chain.
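As an added example, not code from univention-adsearch, the AD Connector or the attached patch, the following plain Python 3 script reproduces the two decisions this report is about. The "before" function applies connector/ad/ldap/certificate only when connector/ad/ldap/ssl (STARTTLS) is true, which is why an ldaps:// connection with ssl=no ends in the "unable to get local issuer certificate" failure shown in the description; the "after" function applies it whenever TLS is in play, for STARTTLS or for LDAPS. It also builds a CAcert-connector.pem the way Comment 2 describes (UCS CA followed by the AD chain) and refuses an input that contains no PEM certificate block, so a mistyped path cannot silently produce an empty bundle. The host name, the function names, the is_true() stand-in for UCR and the placeholder PEM blocks are this example's own assumptions; python-ldap is deliberately not used so the script runs offline.

```python
"""Added example (not univention-adsearch, AD Connector or patch code).

Shows the CA-file decision from Bug 51673 in its broken and fixed form and
builds the CAcert-connector.pem bundle described in Comment 2.
"""
import os
import re
import tempfile

# One PEM certificate block; re.S lets '.' span the base64 lines.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed placeholder PEM blocks (not real certificates): only the
# BEGIN/END framing matters for this example.
UCS_CA_PEM = "-----BEGIN CERTIFICATE-----\nVUNTQ0E=\n-----END CERTIFICATE-----\n"
AD_CHAIN_PEM = (
    "-----BEGIN CERTIFICATE-----\nQURJU1NVSU5H\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nQURST09U\n-----END CERTIFICATE-----\n"
)


def is_true(ucr, key, default):
    """Stand-in for UCR's is_true(): the usual boolean spellings count as true,
    anything unset falls back to the default (assumed semantics)."""
    value = ucr.get(key)
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1", "on", "enable", "enabled")


def ad_ldap_settings_before(ucr):
    """Behaviour the report describes: the CA file is only honoured when
    connector/ad/ldap/ssl (STARTTLS) is true, so an ldaps:// connection
    verifies the AD certificate against the system trust store alone."""
    host = ucr["connector/ad/ldap/host"]
    port = int(ucr.get("connector/ad/ldap/port", "389"))
    ldaps = is_true(ucr, "connector/ad/ldap/ldaps", False)
    starttls = is_true(ucr, "connector/ad/ldap/ssl", True)
    return {
        "uri": "%s://%s:%d" % ("ldaps" if ldaps else "ldap", host, port),
        "starttls": starttls,
        "ca_file": ucr.get("connector/ad/ldap/certificate") if starttls else None,
    }


def ad_ldap_settings_after(ucr):
    """Fixed decision: apply the CA file whenever TLS is in play, i.e. for
    STARTTLS or for LDAPS. STARTTLS is suppressed on an ldaps:// connection
    (this example's choice: a StartTLS request over TLS is a protocol error)."""
    host = ucr["connector/ad/ldap/host"]
    port = int(ucr.get("connector/ad/ldap/port", "389"))
    ldaps = is_true(ucr, "connector/ad/ldap/ldaps", False)
    starttls = is_true(ucr, "connector/ad/ldap/ssl", True) and not ldaps
    tls_in_use = starttls or ldaps
    return {
        "uri": "%s://%s:%d" % ("ldaps" if ldaps else "ldap", host, port),
        "starttls": starttls,
        "ca_file": ucr.get("connector/ad/ldap/certificate") if tls_in_use else None,
    }


def write_ca_bundle(ucs_ca_pem, ad_chain_pem, out_path):
    """Build the bundle univention-adsearch uses (Comment 2): UCS CA followed by
    the AD chain. Every input must hold at least one PEM block, and blocks are
    joined on their own lines so no END/BEGIN markers run together."""
    blocks = []
    for name, pem in (("UCS CA", ucs_ca_pem), ("AD chain", ad_chain_pem)):
        found = PEM_BLOCK.findall(pem)
        if not found:
            raise ValueError("%s contains no PEM certificate block" % name)
        blocks.extend(found)
    with open(out_path, "w") as handle:
        handle.write("\n".join(blocks) + "\n")
    return len(blocks)


def count_pem_certs(path):
    """Number of certificate blocks OpenSSL will see in a CA file."""
    with open(path) as handle:
        return len(PEM_BLOCK.findall(handle.read()))


def reproduce_report(tmpdir=None):
    """Run both decision functions on the UCR values from the report
    (ldaps=yes, port=636, ssl=no) against a freshly written bundle."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    bundle = os.path.join(tmpdir, "CAcert-connector.pem")
    ncerts = write_ca_bundle(UCS_CA_PEM, AD_CHAIN_PEM, bundle)
    ucr = {
        "connector/ad/ldap/host": "dc.example.com",  # assumed host name
        "connector/ad/ldap/port": "636",
        "connector/ad/ldap/ldaps": "yes",
        "connector/ad/ldap/ssl": "no",
        "connector/ad/ldap/certificate": bundle,
    }
    return {
        "before": ad_ldap_settings_before(ucr),
        "after": ad_ldap_settings_after(ucr),
        "bundle_certs": ncerts,
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        result = reproduce_report(workdir)
        for label in ("before", "after"):
            s = result[label]
            print("%-6s uri=%s starttls=%s ca_file=%s" % (label, s["uri"], s["starttls"], s["ca_file"]))
```

Running the script prints the same URI for both variants but a ca_file of None for "before", which is exactly the state in which OpenSSL reports "unable to get local issuer certificate". One caveat on the bundle itself: prepending the UCS CA does not break the connection, as Comment 2 notes, but it also means the client would accept an AD server certificate issued by the UCS CA; if you want the trust anchor for the AD side to be as narrow as possible, keep only the CA(s) that actually issued the AD certificate in the file pointed to by connector/ad/ldap/certificate.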
Comment 3 Felix Botner univentionstaff 2020-08-31 10:40:25 CEST
please also have a look at Bug #49348
Comment 4 Marc Schwarz univentionstaff 2020-08-31 15:19:30 CEST
this also fixes the failing NAGIOS Check /usr/sbin/univention-connector-list-rejected, which caused the report of bug #51675 

the reason and fix are almost the same:

--- /usr/sbin/univention-connector-list-rejected.orig   2020-08-31 15:12:45.340218196 +0200
+++ /usr/sbin/univention-connector-list-rejected        2020-08-31 15:15:11.488223301 +0200
@@ -97,9 +97,9 @@
                print('%s/ad/ldap/bindpw not set' % CONFIGBASENAME)
                sys.exit(1)
 
-       ca_file = configRegistry.get('%s/ad/ldap/certificate' % CONFIGBASENAME)
-
-       if configRegistry.is_true('%s/ad/ldap/ssl' % CONFIGBASENAME, True):
+        ca_file = configRegistry.get('%s/ad/ldap/certificate' % CONFIGBASENAME)
+        protocol = 'ldaps' if configRegistry.is_true('%s/ad/ldap/ldaps' % CONFIGBASENAME, False) else 'ldap' 
+       if configRegistry.is_true('%s/ad/ldap/ssl' % CONFIGBASENAME, True) or protocol == 'ldaps':
 
                if ca_file:
                        # create a new CAcert file, which contains the UCS CA and the AD CA,
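Review bot: the two added lines (`ca_file = ...` and `protocol = ...`) are indented with eight spaces while the surrounding context and the modified `if` line keep the file's tab indentation, and the `protocol` line ends in trailing whitespace; Python 2 expands a tab to eight columns so this happens to parse, but it fails under `python -tt` and is a trap for the next edit, so reindent both lines with tabs and drop the trailing space. The hunk also only shows `protocol` feeding the CA-file condition: the code that builds the server URI for the LDAP connection is outside this hunk, and if it still hardcodes `ldap://` the CA bundle will be loaded but the bind will go over plain LDAP with STARTTLS switched off, so that spot must use `protocol` and `connector/ad/ldap/port` as well.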
Comment 7 Felix Botner univentionstaff 2020-09-08 10:16:30 CEST
done
78e84cd08dd050ab6830d23499bfe1e4845d4644 - univention-ad-connector
c52c291ed257afd754fab7321728f6c3debae6c5 - yaml
b9a322d6050e31537bb3af37427cae1052e765ac
Comment 8 Julia Bremer univentionstaff 2020-09-10 15:47:17 CEST
Before: univention-adsearch name=Administrator
ldap.SERVER_DOWN: {'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)', 'desc': "Can't contact LDAP server"}
ADCONNECTOR CRITICAL: Could not connect to AD server!

The error is not reproducible with the patched package: OK
Code review: OK
YAML: Ok