Univention Bugzilla – Bug 52738
UMC Module AD-Connector doesn't handle SSL certificate upload properly
Last modified: 2022-08-03 11:05:10 CEST
The UMC module for the ADC doesn't handle certificate upload well:

1. The ADC is not restarted after certificate upload. This is really bad, because the message in the module says that the connection is now secured with SSL.

2. After uploading the AD certificate via the UMC module the following traceback (or two?) was logged when restarting the ADC:

=========================================================================
02.02.2021 20:34:19.372 MAIN (------ ): DEBUG_INIT
02.02.2021 20:34:19.397 LDAP (ERROR ): Failed to lookup AD LDAP base, using UCR value.
02.02.2021 20:34:19.398 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 208, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 379, in __starttls
    self.lo.start_tls_s()
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1220, in start_tls_s
    res = self._apply_method_s(SimpleLDAPObject.start_tls_s,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 864, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'desc': 'Connect error', 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)'}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py", line 692, in open_ad
    use_ldaps=ldaps,
    ca_certfile=self.ad_ldap_certificate,
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 288, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 365, in __open
    self.__starttls()
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 216, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 379, in __starttls
    self.lo.start_tls_s()
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1220, in start_tls_s
    res = self._apply_method_s(SimpleLDAPObject.start_tls_s,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 864, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'desc': 'Connect error', 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)'}
=========================================================================

This happened because I made the mistake of uploading the SSL certificate of the AD-DC instead of the CA certificate. The UMC module should check if the certificate is usable.

3. If the SSL check against the AD-DC fails, the UMC module doesn't revert the UCR variable adjustment. When the admin restarts the ADC later, the connection will fail, because the ADC will try to use SSL.
Created attachment 10609 (Bug52738.patch): Example for suggested improvements.
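Added example, not code from this report, from the attached patch or from the univention-ad-connector package: a Python sketch of the checks the three points above ask for. Gate 1 parses the uploaded PEM with a small DER walker and rejects anything that does not carry basicConstraints cA=TRUE, which is exactly where a server certificate uploaded in place of the CA certificate fails. Gate 2 performs a real TLS handshake to the AD DC trusting only the upload, so the "unable to get local issuer certificate" error surfaces at upload time instead of at the next restart. apply_with_rollback restores the previous UCR values when a gate fails. The function names, the UCR variable names connector/ad/ldap/ssl and connector/ad/ldap/certificate used in the usage note, and the constructed_certificate fixture (a DER skeleton for offline testing, not a valid signed certificate) are all assumptions of this example.

```python
"""Pre-flight checks for an uploaded AD CA certificate, with rollback (hypothetical
helper code, not part of univention-ad-connector; see the lead-in for assumptions)."""
import base64
import socket
import ssl
from typing import Callable, Optional, Tuple

OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"  # DER content bytes of OID 2.5.29.19

def _tlv(buf: bytes, i: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at offset i -> (tag, value, next offset)."""
    if i + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    if i + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[i:i + length], i + length

def _children(value: bytes):
    i = 0
    while i < len(value):
        tag, inner, i = _tlv(value, i)
        yield tag, inner

def _find_basic_constraints(value: bytes) -> Optional[bool]:
    """Walk constructed DER nodes; return the cA flag, or None if the extension is absent."""
    kids = list(_children(value))
    if kids and kids[0][0] == 0x06 and kids[0][1] == OID_BASIC_CONSTRAINTS:
        wrapped = list(_children(kids[-1][1]))  # extnValue OCTET STRING wraps a SEQUENCE
        fields = list(_children(wrapped[0][1])) if wrapped else []
        if fields and fields[0][0] == 0x01:  # cA BOOLEAN present
            return fields[0][1] != b"\x00"
        return False  # cA DEFAULT FALSE
    for tag, inner in kids:
        if tag == 0x30 or 0xA0 <= tag <= 0xA3:  # SEQUENCE or [0]..[3] EXPLICIT
            found = _find_basic_constraints(inner)
            if found is not None:
                return found
    return None

def pem_to_der(pem: str) -> bytes:
    lines = [line.strip() for line in pem.splitlines()]
    try:
        start = lines.index("-----BEGIN CERTIFICATE-----")
        end = lines.index("-----END CERTIFICATE-----", start)
    except ValueError:
        raise ValueError("no CERTIFICATE PEM block found") from None
    return base64.b64decode("".join(lines[start + 1:end]), validate=True)

def check_uploaded_ca(pem: str) -> Tuple[bool, str]:
    """Gate 1: the upload must parse and carry basicConstraints cA=TRUE (a server cert fails)."""
    try:
        tag, body, _ = _tlv(pem_to_der(pem), 0)
        if tag != 0x30 or not _find_basic_constraints(body):
            return False, "not a CA certificate (basicConstraints cA is not TRUE)"
    except (ValueError, IndexError) as exc:  # binascii.Error is a ValueError subclass
        return False, f"upload is not a usable certificate: {exc}"
    return True, "CA certificate accepted"

def verify_ad_dc_tls(host: str, port: int, ca_pem: str, timeout: float = 5.0) -> Tuple[bool, str]:
    """Gate 2: real handshake to the AD DC trusting only the upload (needs network access)."""
    ctx = ssl.create_default_context(cadata=ca_pem)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, f"chain verified, negotiated {tls.version()}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"TLS verification against {host}:{port} failed: {exc}"

def apply_with_rollback(settings: dict, changes: dict,
                        verify: Callable[[dict], Tuple[bool, str]]) -> Tuple[bool, str]:
    """Point 3: apply the variables, run the verifier, and restore the old state on failure."""
    previous = {key: settings[key] for key in changes if key in settings}
    settings.update(changes)
    ok, reason = verify(settings)
    if not ok:  # revert: drop keys that were new, restore the values that existed
        for key in changes:
            settings.pop(key, None)
        settings.update(previous)
    return ok, reason

def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def constructed_certificate(ca: bool) -> str:
    """Constructed fixture: a DER skeleton with only the fields the checker reads; not a valid cert."""
    bc = _der(0x30, _der(0x01, b"\xff") if ca else b"")
    ext = _der(0x30, _der(0x06, OID_BASIC_CONSTRAINTS) + _der(0x01, b"\xff") + _der(0x04, bc))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0xA3, _der(0x30, ext)))
    cert = _der(0x30, tbs + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")) + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```

In a module that uses this, the upload handler would run check_uploaded_ca on the file, then call apply_with_rollback with the changes {"connector/ad/ldap/ssl": "yes", "connector/ad/ldap/certificate": path} (assumed variable names) and a verifier that calls verify_ad_dc_tls against the configured AD DC; only when that returns success would it restart the connector (point 1) and show the "connection is now secured" message. Certificates without a basicConstraints extension are treated as non-CA here on purpose, which is the conservative choice for trust anchors.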