Description Arvid Requate 2023-02-24 13:35:04 CET

After updating from 4.4-9 to 5.0-3 a customer reported that the AD-Connector now fails establishing the LDAP TLS connection to the AD. The special thing is, that the customer uses a sub-CA certificate for his AD-domain, which is signed by the UCS root CA.

In UCS 4.4-9 it was enough to have the sub-CA cert in

 /etc/univention/connector/ad/customer_ad_cert.pem

And the UCS-root-CA cert in /etc/ssl/certs.

Now, with 5.0-x the LDAP libs seem to ignore the system CA certs if you specify a file with lo.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_certfile), as we do in the uldap module code that is used by the AD-Connector.

After appending also the UCS-root-CA cert to the ca_certfile the AD-Connector works again. Don't know if we can improve user experience here on code level or only on documentation level. I think the latter is required anyway as, on the topic of sub-CAs and CA certificate chains I did not quickly find anything specific for AD-Connector setups.