Bug 52738 - UMC Module AD-Connector doesn't handle SSL certificate upload properly
Status: NEW
Product: UCS
Classification: Unclassified
Component: AD Connector
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Samba maintainers
Depends on:
Blocks:
Reported: 2021-02-02 21:32 CET by Arvid Requate
Modified: 2022-08-03 11:05 CEST (History)
CC: 3 users

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+


Attachments
Bug52738.patch (4.16 KB, patch)
2021-02-02 21:33 CET, Arvid Requate

Description Arvid Requate univentionstaff 2021-02-02 21:32:48 CET
The UMC module for the ADC doesn't handle certificate upload well:

1. The ADC is not restarted after certificate upload. This is really bad, because the message in the module says that the connection is now secured with SSL.

2. After uploading the AD-Certificate via the UMC module the following traceback (or two?) was logged when restarting the ADC:
=========================================================================
02.02.2021 20:34:19.372 MAIN        (------ ): DEBUG_INIT
02.02.2021 20:34:19.397 LDAP        (ERROR  ): Failed to lookup AD LDAP base, using UCR value.
02.02.2021 20:34:19.398 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 208, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 379, in __starttls
    self.lo.start_tls_s()
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1220, in start_tls_s
    res = self._apply_method_s(SimpleLDAPObject.start_tls_s,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 864, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'desc': 'Connect error', 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)'}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py", line 692, in open_ad
    use_ldaps=ldaps, ca_certfile=self.ad_ldap_certificate,
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 288, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 365, in __open
    self.__starttls()
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 216, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 379, in __starttls
    self.lo.start_tls_s()
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1220, in start_tls_s
    res = self._apply_method_s(SimpleLDAPObject.start_tls_s,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 864, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'desc': 'Connect error', 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)'}
=========================================================================

This happened because I made the mistake of uploading the SSL certificate of the AD-DC instead of the CA certificate. The UMC module should check if the certificate is usable.

3. If the SSL check against the AD-DC fails, the UMC module doesn't revert the UCR variable adjustment. When the admin restarts the ADC later, the connection will fail, because the ADC will try to use SSL.
Comment 1 Arvid Requate univentionstaff 2021-02-02 21:33:52 CET
Created attachment 10609
Bug52738.patch

Example for suggested improvements.
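An added example, not part of this bug report and not code from UCS or from the attached Bug52738.patch: the three checks the description asks for (is the upload really a CA certificate, does that CA actually verify the certificate the AD-DC presents, and revert the setting when the check fails), written as a POSIX shell script around the openssl CLI. The UCR variable name connector/ad/ldap/ssl, the plain key=value file standing in for the UCR database, and the throwaway CA and DC certificates the script generates are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not code from UCS or from the attached Bug52738.patch.
# Pre-flight checks for an uploaded AD CA certificate, using the openssl CLI:
#   is_ca_cert            reject a leaf (server) certificate uploaded as "CA"
#   verify_dc_chain       prove the uploaded CA really verifies the DC's cert
#   enable_ssl_or_revert  keep the SSL setting only if both checks pass
# Assumptions: a key=value file stands in for the UCR database, the variable
# name connector/ad/ldap/ssl is used for illustration, and the CA and DC
# certificates are constructed test fixtures generated below with openssl.
set -e

# Does the uploaded PEM carry basicConstraints CA:TRUE? A DC's own certificate
# (the reporter's mistake) is CA:FALSE or has no basicConstraints at all.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Can the uploaded CA build a chain to the certificate the DC presents?
# With a leaf used as CA this fails with the same "unable to get local
# issuer certificate" error that the connector logged.
verify_dc_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Transactional switch: write the setting, test it, roll back on failure, so
# that a later connector restart does not find SSL enabled with a bad CA.
#   $1 settings file (stand-in for UCR)   $2 uploaded CA   $3 DC certificate
enable_ssl_or_revert() {
    settings="$1" ca="$2" dc="$3"
    old=$(grep '^connector/ad/ldap/ssl=' "$settings" 2>/dev/null | cut -d= -f2)
    { grep -v '^connector/ad/ldap/ssl=' "$settings" 2>/dev/null || true
      echo 'connector/ad/ldap/ssl=yes'; } > "$settings.tmp"
    mv "$settings.tmp" "$settings"
    if is_ca_cert "$ca" && verify_dc_chain "$ca" "$dc"; then
        echo "ok: SSL enabled, the AD connector must now be restarted"
        return 0
    fi
    # Revert to the previous value (or remove the key if there was none).
    { grep -v '^connector/ad/ldap/ssl=' "$settings" || true
      if [ -n "$old" ]; then echo "connector/ad/ldap/ssl=$old"; fi; } > "$settings.tmp"
    mv "$settings.tmp" "$settings"
    echo "error: uploaded certificate is not a usable CA, setting reverted" >&2
    return 1
}

# Constructed fixtures: a throwaway CA and a DC leaf certificate signed by it.
make_fixtures() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=AD Example Root CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=dc01.ad.example' \
        -keyout "$d/dc.key" -out "$d/dc.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:dc01.ad.example\n' > "$d/dc.ext"
    openssl x509 -req -days 1 -in "$d/dc.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/dc.ext" -out "$d/dc.pem" >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_fixtures "$WORK"
CA_PEM="$WORK/ca.pem"
DC_PEM="$WORK/dc.pem"
SETTINGS="$WORK/ucr.txt"
echo 'connector/ad/ldap/ssl=no' > "$SETTINGS"

# The reporter's case: the DC's own certificate was uploaded as the CA.
enable_ssl_or_revert "$SETTINGS" "$DC_PEM" "$DC_PEM" || true
cat "$SETTINGS"      # still connector/ad/ldap/ssl=no
# The correct upload: the CA that issued the DC's certificate.
enable_ssl_or_revert "$SETTINGS" "$CA_PEM" "$DC_PEM"
cat "$SETTINGS"      # now connector/ad/ldap/ssl=yes
```

Run it with sh; it needs only openssl and mktemp. Running `openssl verify -CAfile "$DC_PEM" "$DC_PEM"` by hand prints the same "unable to get local issuer certificate" text that appears in the traceback above, which is the condition the module should have caught before announcing that the connection is secured.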