Bug 52736 - Update manual for AD-Connector setup for TLSv1.2 vs Windows 2008R2
Status: RESOLVED WONTFIX
Product: UCS manual
Classification: Unclassified
Component: Services for Windows
Version: unspecified
Hardware/OS: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Docu maintainers
Samba maintainers
Depends on: 52044
Reported: 2021-02-02 15:00 CET by Arvid Requate
Modified: 2021-02-02 22:09 CET
What kind of report is it?: Development Internal
Description Arvid Requate univentionstaff 2021-02-02 15:00:37 CET
Debian buster / openssl 1.1.1d defaults to MinProtocol = TLSv1.2, which in turn doesn't work with AD W2k8R2. We need to update the documentation for this:

https://docs.microsoft.com/de-de/archive/blogs/friis/disabling-tls-1-0-on-your-windows-2008-r2-server-just-because-you-still-have-one
Comment 1 Arvid Requate univentionstaff 2021-02-02 15:09:47 CET
Some kind of adjustment is required here, otherwise the SSL connection of the ADC will not work (the UMC module says that the AD server doesn't support SSL).

For the record, in case someone runs into the same error message:

root@master220:~# ldapsearch -Z -H ldap://10.200.8.126:389
ldap_start_tls: Connect error (-11)
        additional info: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

root@master220:~# openssl s_client -connect 10.200.8.126:389 -starttls ldap
CONNECTED(00000003)
140446092903552:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1929:

Lowering MinProtocol in /etc/ssl/openssl.cnf can be used as a workaround, but that's probably not what we want to recommend. I'll check the instructions of the MS blog next.
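The two commands in comment 1 only tell you that the client's floor is above what the DC offers. The script below is an added example for this bug; it is not Univention code and was not posted by the reporter. It probes which TLS versions the DC actually completes over STARTTLS, maps the OpenSSL error text to a verdict, and writes a config that lowers MinProtocol for one process through OPENSSL_CONF instead of editing /etc/ssl/openssl.cnf for the whole host. Assumptions: an openssl 1.1.1 CLI (for `.include` and `-starttls ldap`), a placeholder DC host/port, the hypothetical path /etc/univention/adc-openssl.cnf, and that a later `[system_default_sect]` replaces the MinProtocol value from the included system config (confirm with the probe before relying on it).

```shell
#!/bin/sh
# Added example for this bug report; not Univention code and not from the reporter.
# Assumptions: openssl 1.1.1 CLI on PATH (".include" and "-starttls ldap"), the DC
# host/port are placeholders, and /etc/univention/adc-openssl.cnf is a hypothetical
# path for the scoped config.

# Error text copied from comment 1 of this bug (not constructed): the client's
# MinProtocol floor is above the version the server selected in its ServerHello.
SAMPLE_ERROR='error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol'

# classify_tls_error TEXT: turn s_client/ldapsearch diagnostics into a verdict.
#   client-min-too-high  -> our MinProtocol rejects what the DC offers
#   server-rejected      -> the DC refused the version we proposed
#   cert-verify          -> handshake completed, certificate chain did not verify
classify_tls_error() {
    case "$1" in
        *'unsupported protocol'*)                        echo client-min-too-high ;;
        *'wrong version number'*|*'protocol version'*)   echo server-rejected ;;
        *'verify error'*|*'unable to get local issuer'*) echo cert-verify ;;
        '')                                              echo ok ;;
        *)                                               echo other ;;
    esac
}

# probe_tls HOST [PORT]: try each TLS version with STARTTLS on the LDAP port and
# report which ones the DC completes. s_client exits 0 only when the handshake
# succeeded, so the exit status is the primary signal; the error text is a hint.
probe_tls() {
    host=$1
    port=${2:-389}
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if out=$(openssl s_client -connect "$host:$port" -starttls ldap "-$v" </dev/null 2>&1); then
            echo "$v: supported"
        else
            echo "$v: not usable ($(classify_tls_error "$out"))"
        fi
    done
}

# write_legacy_tls_conf FILE: include the Debian system config, then lower only
# the protocol floor. Loaded via OPENSSL_CONF, the weaker setting is confined to
# one process. (Assumption: a repeated [system_default_sect] replaces the
# MinProtocol value from the included file; confirm with probe_tls or
# ldapsearch -Z before relying on it.)
write_legacy_tls_conf() {
    cat > "$1" <<'EOF'
.include /etc/ssl/openssl.cnf

[system_default_sect]
MinProtocol = TLSv1
EOF
}

# with_legacy_tls FILE COMMAND...: run one command under the scoped config, e.g.
#   with_legacy_tls /etc/univention/adc-openssl.cnf ldapsearch -Z -H ldap://10.200.8.126:389
with_legacy_tls() {
    conf=$1
    shift
    OPENSSL_CONF=$conf "$@"
}

# Usage: sh probe_dc_tls.sh DC_HOST [PORT]
if [ $# -ge 1 ]; then
    probe_tls "$1" "${2:-389}"
fi
```

For the connector daemon itself the variable has to reach the service rather than an interactive shell, for instance through an `Environment=OPENSSL_CONF=...` line in a systemd drop-in for the connector's unit (unit name not stated on this page). The scoped config still re-enables TLS 1.0 for that one process; the preferable fix is on the server side, enabling TLS 1.2 on the 2008 R2 host, which is what the Microsoft post linked in the description covers.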
Comment 2 Julia Bremer univentionstaff 2021-02-02 15:29:53 CET
If there is a fix, we should definitely document it somewhere, but we don't support 2008r2 (and lower). We already state this in our manual.

"In both modes, the Active Directory Connection service is used in UCS (UCS AD Connector for short), which can synchronize the directory service objects between a *Windows 2012/2016/2019 server* with Active Directory (AD) and the OpenLDAP directory of &ucsUCS;."