Univention Bugzilla – Bug 55756
AD-Connector TLS with sub-CA-Cert stopped working after update from 4.4-9 to 5.0-3
Last modified: 2023-03-16 17:35:26 CET
After updating from 4.4-9 to 5.0-3 a customer reported that the AD-Connector now fails to establish the LDAP TLS connection to the AD. The special thing is that the customer uses a sub-CA certificate for his AD domain, which is signed by the UCS root CA. In UCS 4.4-9 it was enough to have the sub-CA cert in /etc/univention/connector/ad/customer_ad_cert.pem and the UCS root CA cert in /etc/ssl/certs. Now, with 5.0-x, the LDAP libs seem to ignore the system CA certs if you specify a file with lo.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_certfile), as we do in the uldap module code that is used by the AD-Connector. After also appending the UCS root CA cert to the ca_certfile, the AD-Connector works again. I don't know if we can improve the user experience here on the code level or only on the documentation level. I think the latter is required anyway, as on the topic of sub-CAs and CA certificate chains I did not quickly find anything specific for AD-Connector setups.
What about https://forge.univention.org/bugzilla/show_bug.cgi?id=49348 - just using the global store /etc/ssl.