Univention Bugzilla – Bug 51673
univention-adsearch does not use certificate chain if LDAPS is used instead of STARTTLS
Last modified: 2024-02-15 17:20:10 CET
Followup to Bug #47858: univention-adsearch does not use certificate chain if LDAPS is used instead of STARTTLS:

==============================================================================
root@ucs:~# ucr set connector/ad/ldap/ldaps=yes \
    connector/ad/ldap/port=636 \
    connector/ad/ldap/ssl=no ## No STARTTLS
root@ucs:~# univention-adsearch '(foo=bar)'
Traceback (most recent call last):
  File "/usr/sbin/univention-adsearch.orig", line 169, in <module>
    lo.simple_bind_s(login_dn, login_pw)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 222, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 216, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)', 'desc': "Can't contact LDAP server"}
==============================================================================

Even though the certificate chain file works:

==============================================================================
root@ucs:~# LDAPTLS_CACERT=/var/cache/univention-ad-connector/CAcert-connector.pem \
    ldapsearch -xLLL -E domainScope \
    -H "ldaps://$(ucr get connector/ad/ldap/host)" \
    -D "$(ucr get connector/ad/ldap/binddn)" \
    -y "$(ucr get connector/ad/ldap/bindpw)" \
    -b "$(ucr get connector/ad/ldap/base)" \
    -s base 1.1
==============================================================================
Created attachment 10429: support-ldaps-in-univention-adsearch.patch
FYI: Also, the usage of UCR connector/ad/ldap/certificate is a bit interesting:

* univention-adsearch: If /var/cache/univention-ad-connector/CAcert-connector.pem doesn't exist, it writes /etc/univention/ssl/ucsCA/CAcert.pem and the file given in connector/ad/ldap/certificate into that file and uses the new file.
* univention-ad-connector: Uses only connector/ad/ldap/certificate

So, if you want to use a certificate chain, you can do either:

a) write it to a file /var/cache/univention-ad-connector/CAcert-connector.pem and set the UCR variable connector/ad/ldap/certificate to it.
b) write it into a different file, set the UCR connector/ad/ldap/certificate to the file path and then either copy it to CAcert-connector.pem or let univention-adsearch do its thing, catting the (possibly unrelated) /etc/univention/ssl/ucsCA/CAcert.pem plus your chain file into CAcert-connector.pem and using that.

The UCS CA cert doesn't seem to hurt there, even if it has nothing to do with the AD Server cert chain.
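The following is an added example and not code from Univention or the univention-ad-connector package. It models the two behaviours the report and the FYI comment describe: which TLS mode and CA file an AD connection should get for a given set of UCR settings (with a switch that reproduces the defect, where the CA file is only honoured for STARTTLS and a plain LDAPS setup verifies against an empty trust store), and how the cached CAcert-connector.pem is assembled from the UCS CA plus the configured AD chain and then reused as-is. The UCR keys and file paths are the ones named on this page; the function names, the `fixed` switch and the PEM stub contents are mine.

```python
# Added example, not Univention's code. Models the bug's TLS-mode decision and
# the CA bundle handling described in the FYI comment. UCR keys and paths are
# from the bug report; function names, the `fixed` switch and the PEM stubs
# used in demo_bundle() are constructed for this example.
import os

UCS_CA = "/etc/univention/ssl/ucsCA/CAcert.pem"
CACHE_CA = "/var/cache/univention-ad-connector/CAcert-connector.pem"
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"


def is_true(value, default):
    """UCR-style boolean: unset -> default, otherwise the usual spellings."""
    if value is None:
        return default
    return str(value).strip().lower() in ("yes", "true", "1", "on", "enable", "enabled")


def connection_plan(ucr, fixed=True):
    """Return (uri, use_starttls, ca_file) for a UCR-like dict.

    fixed=False reproduces the defect from the report: the CA file is only
    considered when connector/ad/ldap/ssl (STARTTLS) is on, so an LDAPS-only
    setup (ldaps=yes, ssl=no) gets no trust anchor and the server certificate
    fails with 'unable to get local issuer certificate'.
    """
    host = ucr["connector/ad/ldap/host"]
    ldaps = is_true(ucr.get("connector/ad/ldap/ldaps"), False)
    # STARTTLS only makes sense on a plain ldap:// connection.
    starttls = is_true(ucr.get("connector/ad/ldap/ssl"), True) and not ldaps
    port = int(ucr.get("connector/ad/ldap/port") or (636 if ldaps else 389))
    uri = "%s://%s:%d" % ("ldaps" if ldaps else "ldap", host, port)
    needs_ca = starttls or (ldaps and fixed)
    ca_file = ucr.get("connector/ad/ldap/certificate") if needs_ca else None
    return uri, starttls, ca_file


def count_certs(pem_text):
    """Number of certificate blocks in a PEM bundle."""
    return pem_text.count(PEM_BEGIN)


def build_ca_bundle(ucs_ca=UCS_CA, ad_chain=None, out=CACHE_CA):
    """Assemble out = ucs_ca + ad_chain the way the FYI comment describes,
    but only if out does not exist yet. Returns the certificate count in out.
    Note the consequence: once the cache file exists, later changes to the
    configured chain file are not picked up until the cache file is removed."""
    if not os.path.exists(out):
        parts = []
        for path in (ucs_ca, ad_chain):
            if path and os.path.exists(path):
                with open(path) as fh:
                    parts.append(fh.read().rstrip("\n") + "\n")
        with open(out, "w") as fh:
            fh.write("".join(parts))
    with open(out) as fh:
        return count_certs(fh.read())


def demo_bundle():
    """Constructed PEM stubs (marker lines only, not real certificates) in a
    temporary directory; returns the bundle's cert count after the first build
    and again after the chain file grew, showing the cache is not rebuilt."""
    import tempfile
    d = tempfile.mkdtemp()
    ucs, chain, out = (os.path.join(d, n) for n in ("ucsCA.pem", "chain.pem", "CAcert-connector.pem"))
    with open(ucs, "w") as fh:
        fh.write(PEM_BEGIN + "\nUCS-CA-STUB\n-----END CERTIFICATE-----\n")
    with open(chain, "w") as fh:
        fh.write(PEM_BEGIN + "\nAD-INTERMEDIATE-STUB\n-----END CERTIFICATE-----\n")
    first = build_ca_bundle(ucs, chain, out)
    with open(chain, "a") as fh:  # a root added to the chain later
        fh.write(PEM_BEGIN + "\nAD-ROOT-STUB\n-----END CERTIFICATE-----\n")
    second = build_ca_bundle(ucs, chain, out)
    return first, second


def connect(ucr):
    """Bind with python-ldap according to connection_plan(); needs python-ldap
    and a reachable AD server, so it is not exercised offline. Whichever TLS
    mode is in use, the CA file must be applied before TLS starts."""
    import ldap  # python-ldap
    uri, starttls, ca_file = connection_plan(ucr)
    lo = ldap.initialize(uri)
    if ca_file:
        lo.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
        lo.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        lo.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # build a fresh TLS context with the options above
    if starttls:
        lo.start_tls_s()
    lo.simple_bind_s(ucr["connector/ad/ldap/binddn"], ucr["connector/ad/ldap/bindpw"])
    return lo
```

`connection_plan(cfg, fixed=False)` with the report's settings (ldaps=yes, port=636, ssl=no) returns no CA file, which is exactly the state in which OpenSSL reports the missing local issuer; with `fixed=True` the same settings yield the configured chain. `demo_bundle()` returns `(2, 2)`: the cache file is built once from the UCS CA and the chain and is not refreshed afterwards.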
Please also have a look at Bug #49348
this also fixes the failing NAGIOS Check /usr/sbin/univention-connector-list-rejected, which caused the report of bug #51675 the reason and fix are almost the same: --- /usr/sbin/univention-connector-list-rejected.orig 2020-08-31 15:12:45.340218196 +0200 +++ /usr/sbin/univention-connector-list-rejected 2020-08-31 15:15:11.488223301 +0200 @@ -97,9 +97,9 @@ print('%s/ad/ldap/bindpw not set' % CONFIGBASENAME) sys.exit(1) - ca_file = configRegistry.get('%s/ad/ldap/certificate' % CONFIGBASENAME) - - if configRegistry.is_true('%s/ad/ldap/ssl' % CONFIGBASENAME, True): + ca_file = configRegistry.get('%s/ad/ldap/certificate' % CONFIGBASENAME) + protocol = 'ldaps' if configRegistry.is_true('%s/ad/ldap/ldaps' % CONFIGBASENAME, False) else 'ldap' + if configRegistry.is_true('%s/ad/ldap/ssl' % CONFIGBASENAME, True) or protocol == 'ldaps': if ca_file: # create a new CAcert file, which contains the UCS CA and the AD CA,
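Review bot: The removed and re-added `ca_file = configRegistry.get('%s/ad/ldap/certificate' % CONFIGBASENAME)` line is byte-identical, so the hunk reads as if that assignment changed when only the blank line below it was dropped; keep the original line untouched and let the diff carry just the new `protocol = ...` line and the widened `if ... or protocol == 'ldaps':` condition. Within the visible lines `protocol` is only compared against `'ldaps'`, so unless it is also used later for the URI, a boolean such as `ldaps = configRegistry.is_true('%s/ad/ldap/ldaps' % CONFIGBASENAME, False)` would state the intent more directly and make the condition `if ssl or ldaps:`.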
done

78e84cd08dd050ab6830d23499bfe1e4845d4644 - univention-ad-connector
c52c291ed257afd754fab7321728f6c3debae6c5 - yaml
b9a322d6050e31537bb3af37427cae1052e765ac
Before:

univention-adsearch name=Administrator
ldap.SERVER_DOWN: {'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)', 'desc': "Can't contact LDAP server"}
ADCONNECTOR CRITICAL: Could not connect to AD server!

The error is not reproducible with the patched package: OK
Code review: OK
YAML: Ok
<https://errata.software-univention.de/#/?erratum=4.4x742>