Univention Bugzilla – Bug 52736
Update manual for AD-Connector setup for TLSv1.2 vs Windows 2008R2
Last modified: 2021-02-02 22:09:32 CET
Debian buster / openssl 1.1.1d defaults to MinProtocol = TLSv1.2, which in turn doesn't work with AD W2k8R2. We need to update the documentation for this: https://docs.microsoft.com/de-de/archive/blogs/friis/disabling-tls-1-0-on-your-windows-2008-r2-server-just-because-you-still-have-one
Some kind of adjustment is required here, otherwise the SSL connection of the ADC will not work (the UMC module says that the AD server doesn't support SSL). For the record, in case someone runs into the same error message:

    root@master220:~# ldapsearch -Z -H ldap://10.200.8.126:389
    ldap_start_tls: Connect error (-11)
            additional info: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
            additional info: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

    root@master220:~# openssl s_client -connect 10.200.8.126:389 -starttls ldap
    CONNECTED(00000003)
    140446092903552:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1929:

Lowering MinProtocol in /etc/ssl/openssl.cnf can be used as a workaround, but that's probably not what we want to recommend. I'll check the instructions of the MS blog next.
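Added example (not from the bug report, Univention or the UCS AD Connector): a small POSIX sh helper that first probes which TLS versions the DC's LDAP port actually accepts via STARTTLS, one version at a time, and classifies the `openssl s_client` output so the "unsupported protocol" case above is told apart from a server-side refusal; it then writes a per-process OpenSSL config with the same section layout as buster's /etc/ssl/openssl.cnf but MinProtocol = TLSv1, to be passed via OPENSSL_CONF to a single command instead of lowering the system-wide floor. Assumptions: openssl 1.1.1 on Debian buster, a program that links OpenSSL 1.1.1 and so honours OPENSSL_CONF, and 10.200.8.126:389 used only as a placeholder taken from the comment above.

```shell
#!/bin/sh
# Added example, not part of the bug report. Probes which TLS versions an AD
# DC offers on its LDAP port via STARTTLS and writes a per-process OpenSSL
# config that lowers MinProtocol for one command instead of editing
# /etc/ssl/openssl.cnf. Assumes openssl 1.1.1 (Debian buster); the host
# 10.200.8.126 from the report is only a placeholder here.

# classify_handshake: read `openssl s_client` output on stdin, print one token:
#   unsupported-protocol  - client refused the version the server picked
#                           (the MinProtocol = TLSv1.2 case from the report)
#   handshake-failure     - server refused the requested version/ciphers
#   negotiated:<version>  - STARTTLS succeeded with that protocol
#   unknown               - anything else (connection refused, timeout, ...)
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"unsupported protocol"*) echo unsupported-protocol ;;
        *"handshake failure"*)    echo handshake-failure ;;
        *"Verify return code:"*)
            echo "negotiated:$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)" ;;
        *) echo unknown ;;
    esac
}

# probe_starttls_ldap HOST:PORT VERSION_FLAG
# VERSION_FLAG is one of -tls1 -tls1_1 -tls1_2; each pins s_client to exactly
# that version, overriding the MinProtocol floor from the system config.
probe_starttls_ldap() {
    openssl s_client -connect "$1" -starttls ldap "$2" </dev/null 2>&1 | classify_handshake
}

# probe_all HOST:PORT: one line per TLS version, so you can see what the DC
# actually accepts before touching any config.
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe_starttls_ldap "$1" "$flag")"
    done
}

# write_legacy_openssl_cnf PATH: same structure as buster's /etc/ssl/openssl.cnf
# system_default section, but with the floor lowered to TLSv1. Use it as
#   OPENSSL_CONF=PATH ldapsearch -Z -H ldap://10.200.8.126:389 ...
# so only that process accepts TLS 1.0/1.1 (assumption: the calling program
# links OpenSSL 1.1.1, which loads the config named by OPENSSL_CONF).
write_legacy_openssl_cnf() {
    cat >"$1" <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=2
EOF
}

# Usage: sh probe_tls.sh 10.200.8.126:389
if [ "$#" -ge 1 ]; then
    probe_all "$1"
fi
```

If the probe reports `unsupported-protocol` for -tls1_2 but `negotiated:TLSv1` for -tls1, the DC only offers TLS 1.0 and the per-process config is the smallest change that gets the connector talking; it is a stop-gap for diagnosis, since the comment below notes 2008 R2 is not a supported AD Connector target and the long-term fix is enabling TLS 1.2 on the DC as the linked MS blog describes.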
If there is a fix, we should definitely document it somewhere, but we don't support 2008r2 (and lower). We already state this in our manual. "In both modes, the Active Directory Connection service is used in UCS (UCS AD Connector for short), which can synchronize the directory service objects between a *Windows 2012/2016/2019 server* with Active Directory (AD) and the OpenLDAP directory of &ucsUCS;."