LDAPS is configured in a customer environment. The AD Connector is running successfully but univention-adsearch doesn't work. I don't see that the configured certificate is used.

```
# univention-adsearch -d ou=users
TLS failed to missing crlfile - with 'tls verify peer = as_strict_as_possible'
Failed to connect to ldap URL 'ldaps://AD.DOMAIN.LOCAL:636' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
Failed to connect to 'ldaps://AD.DOMAIN.LOCAL:636' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
Failed to connect to ldaps://AD.DOMAIN.LOCAL:636 - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
### Output of: ldbsearch --show-deleted -H ldaps://AD.DOMAIN.LOCAL:636 --use-kerberos=required --basedn=DC=DOMAIN,DC=LOCAL ou=users
```

```
# ucr search --brief connector/ad/ldap
connector/ad/ldap/base: DC=DOMAIN,DC=LOCAL
connector/ad/ldap/binddn: server$
connector/ad/ldap/bindpw: /etc/machine.secret
connector/ad/ldap/certificate: /etc/univention/connector/ad/ad_cert_20220329_110700.pem
connector/ad/ldap/host: AD.DOMAIN.LOCAL
connector/ad/ldap/kerberos: true
connector/ad/ldap/ldaps: yes
connector/ad/ldap/port: 636
connector/ad/ldap/ssl: yes
```

```
# univention-app info
UCS: 5.0-3 errata664
Installed: adconnector=12.0 mailserver=12.0 pkgdb=11.0 samba-memberserver=4.16
Upgradable:
```

```
# testparm -vs | grep -i tls
Load smb config files from /etc/samba/smb.conf
lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
Loaded services file OK.
Weak crypto is allowed
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
ldap ssl = start tls
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls crlfile =
tls dh params file =
tls enabled = Yes
tls keyfile = tls/key.pem
tls priority = NORMAL:-VERS-SSL3.0
tls verify peer = as_strict_as_possible
```
Yes, strange - the certificate stuff is just missing in univention-adsearch. But we wouldn't have this problem (and some others) if we just stored the Windows server certificate in the global certificate store. So when fixing this please also consider https://forge.univention.org/bugzilla/show_bug.cgi?id=49348.
Please note that univention-adsearch may return other error messages and behave differently than the AD-C itself. That script nowadays uses ldbsearch and may take smb.conf default parameters into consideration. AFAICS, the AD-C setup wizard code sets connector/ad/ldap/port=389 instead of 636 and univention.lib.admember.enable_ssl just sets connector/ad/ldap/ssl=yes and ldap/sasl/secprops/maxssf=128. So, apparently no LDAPS is used when using the AD-C setup wizard but rather LDAP+StartTLS (which is what we also usually use against OpenLDAP). Bug 51673 fixed something in this area, but that was still the old univention-adsearch Python implementation. Since commit a901dafa7c for Bug 52044 that's just a bash script around the ldbsearch tool from Samba.
The UCR variables

> connector/ad/ldap/binddn: server$

and

> connector/ad/ldap/kerberos: true

and the combination of adconnector and samba-memberserver in univention-app info show that this has been an AD-Member setup, where we use Kerberos for binding.
A colleague just mentioned that they also saw the "NT_STATUS_INVALID_PARAMETER_MIX" when they didn't use a DN as connector/ad/ldap/binddn but the machine account (i.e. Kerberos principal) instead. Maybe that's the "invalid parameter mix" the error code refers to?
* Customer suspected that the bug does not exist in UCS 4.4

Yes, see Comment 2:

> Since commit a901dafa7c for Bug 52044 that's just a bash script around the ldbsearch tool from Samba.
I could reproduce this in my test environment. I get this:

```
root@dc01:~# ucr search --brief connector/ad/ldap
connector/ad/ldap/base: DC=ad,DC=schein,DC=me
connector/ad/ldap/binddn: CN=Administrator,CN=Users,DC=ad,DC=schein,DC=me
connector/ad/ldap/bindpw: /etc/univention/connector/ad/bindpw
connector/ad/ldap/certificate: /etc/univention/connector/ad/ad_cert_20241219_072032.pem
connector/ad/ldap/host: WIN-9EQ9C6V4HN8.ad.schein.me
connector/ad/ldap/ldaps: true
connector/ad/ldap/port: 636
connector/ad/ldap/ssl: no
root@dc01:~# univention-adsearch cn=Administrator 1.1
TLS failed to missing cafile /var/lib/samba/private/tls/ca.pem - with 'tls verify peer = as_strict_as_possible'
Failed to connect to ldap URL 'ldaps://WIN-9EQ9C6V4HN8.ad.schein.me:636' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
Failed to connect to 'ldaps://WIN-9EQ9C6V4HN8.ad.schein.me:636' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
Failed to connect to ldaps://WIN-9EQ9C6V4HN8.ad.schein.me:636 - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
```

AD synchronisation is working, it is just the adsearch.
===========================================================

```
root@dc01:~# ucr search --brief connector/ad/ldap
connector/ad/ldap/base: DC=ad,DC=schein,DC=me
connector/ad/ldap/binddn: CN=Administrator,CN=Users,DC=ad,DC=schein,DC=me
connector/ad/ldap/bindpw: /etc/univention/connector/ad/bindpw
connector/ad/ldap/certificate: /etc/univention/connector/ad/ad_cert_20241219_072032.pem
connector/ad/ldap/host: WIN-9EQ9C6V4HN8.ad.schein.me
connector/ad/ldap/port: 389
connector/ad/ldap/ssl: no
```

→ AD search is working fine

============================================================

enabling ssl and port 636

```
root@dc01:~# ucr search --brief connector/ad/ldap
connector/ad/ldap/base: DC=ad,DC=schein,DC=me
connector/ad/ldap/binddn: CN=Administrator,CN=Users,DC=ad,DC=schein,DC=me
connector/ad/ldap/bindpw: /etc/univention/connector/ad/bindpw
connector/ad/ldap/certificate: /etc/univention/connector/ad/ad_cert_20241219_072032.pem
connector/ad/ldap/host: WIN-9EQ9C6V4HN8.ad.schein.me
connector/ad/ldap/port: 636
connector/ad/ldap/ssl: yes
root@dc01:~# univention-adsearch cn=Administrator 1.1
Failed to bind - LDAP client internal error: NT_STATUS_CONNECTION_RESET
Failed to connect to 'ldap://WIN-9EQ9C6V4HN8.ad.schein.me:636' with backend 'ldap': LDAP client internal error: NT_STATUS_CONNECTION_RESET
Failed to connect to ldap://WIN-9EQ9C6V4HN8.ad.schein.me:636 - LDAP client internal error: NT_STATUS_CONNECTION_RESET
```

ad-sync is not working at all

==============================================================

Something in between without ldaps and ssl but port 636

```
root@dc01:~# ucr search --brief connector/ad/ldap
connector/ad/ldap/base: DC=ad,DC=schein,DC=me
connector/ad/ldap/binddn: CN=Administrator,CN=Users,DC=ad,DC=schein,DC=me
connector/ad/ldap/bindpw: /etc/univention/connector/ad/bindpw
connector/ad/ldap/certificate: /etc/univention/connector/ad/ad_cert_20241219_072032.pem
connector/ad/ldap/host: WIN-9EQ9C6V4HN8.ad.schein.me
connector/ad/ldap/port: 636
connector/ad/ldap/ssl: no
root@dc01:~# univention-adsearch cn=Administrator 1.1
Failed to bind - LDAP client internal error: NT_STATUS_CONNECTION_RESET
Failed to connect to 'ldap://WIN-9EQ9C6V4HN8.ad.schein.me:636' with backend 'ldap': LDAP client internal error: NT_STATUS_CONNECTION_RESET
Failed to connect to ldap://WIN-9EQ9C6V4HN8.ad.schein.me:636 - LDAP client internal error: NT_STATUS_CONNECTION_RESET
```

ad-sync is not working at all

==============================================================

last option port 389 and ldaps

```
root@dc01:~# ucr search --brief connector/ad/ldap
connector/ad/ldap/base: DC=ad,DC=schein,DC=me
connector/ad/ldap/binddn: CN=Administrator,CN=Users,DC=ad,DC=schein,DC=me
connector/ad/ldap/bindpw: /etc/univention/connector/ad/bindpw
connector/ad/ldap/certificate: /etc/univention/connector/ad/ad_cert_20241219_072032.pem
connector/ad/ldap/host: WIN-9EQ9C6V4HN8.ad.schein.me
connector/ad/ldap/ldaps: true
connector/ad/ldap/port: 389
connector/ad/ldap/ssl: no
root@dc01:~# univention-adsearch cn=Administrator 1.1
TLS failed to missing cafile /var/lib/samba/private/tls/ca.pem - with 'tls verify peer = as_strict_as_possible'
Failed to connect to ldap URL 'ldaps://WIN-9EQ9C6V4HN8.ad.schein.me:389' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
Failed to connect to 'ldaps://WIN-9EQ9C6V4HN8.ad.schein.me:389' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
Failed to connect to ldaps://WIN-9EQ9C6V4HN8.ad.schein.me:389 - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
```

ad-sync is not working at all
In addition:

```
root@dc01:~# ucr search --brief connector/ad/ldap
connector/ad/ldap/base: DC=ad,DC=schein,DC=me
connector/ad/ldap/binddn: CN=Administrator,CN=Users,DC=ad,DC=schein,DC=me
connector/ad/ldap/bindpw: /etc/univention/connector/ad/bindpw
connector/ad/ldap/certificate: /etc/univention/connector/ad/ad_cert_20241219_072032.pem
connector/ad/ldap/host: WIN-9EQ9C6V4HN8.ad.schein.me
connector/ad/ldap/ldaps: true
connector/ad/ldap/port: 636
connector/ad/ldap/ssl: yes
```

AD synchronisation is working, adsearch is not:

```
root@dc01:~# univention-adsearch cn=Administrator
TLS failed to missing cafile /var/lib/samba/private/tls/ca.pem - with 'tls verify peer = as_strict_as_possible'
Failed to connect to ldap URL 'ldaps://WIN-9EQ9C6V4HN8.ad.schein.me:636' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
Failed to connect to 'ldaps://WIN-9EQ9C6V4HN8.ad.schein.me:636' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
Failed to connect to ldaps://WIN-9EQ9C6V4HN8.ad.schein.me:636 - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
```
Ok, just looked at a test env where we had this issue, and this worked:

```
univention-adsearch --option "tls verify peer = ca_and_name" \
    --option "tls cafile = $(ucr get connector/ad/ldap/certificate)" \
    -H ldaps://"$(ucr get connector/ad/ldap/host)"
```

Looks like the Samba option "tls verify peer" needs adjustment, as the default "as_strict_as_possible" seems to be unhappy about missing a CRL file (that's what man smb.conf says), but even giving an empty dummy file didn't directly work, so maybe we need to work with this "tls verify peer" adjustment.

What helped me with debugging:

```
openssl s_client -CAfile "$(ucr get connector/ad/ldap/certificate)" --showcerts -connect "$(ucr get connector/ad/ldap/host)":636
```

And in case you get `Verify return code: 9 (certificate is not yet valid)` this may help:

```
rdate -n "$(ucr get connector/ad/ldap/host)"
```
With

```
connector/ad/ldap/ldaps: true
connector/ad/ldap/port: 636
```

this should be enough:

```
univention-adsearch --option "tls verify peer = ca_and_name" \
    --option "tls cafile = $(ucr get connector/ad/ldap/certificate)"
```
The URL field of this Bug points to an MR that has a better solution: passing --option "tls crlfile = /etc/univention/ssl/ucsCA/crl/crl.pem" to ldbsearch instead of adjusting "tls verify peer".
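The two workarounds above (relaxing "tls verify peer" to ca_and_name, or keeping the strict default and handing ldbsearch both the AD certificate and the UCS CRL) differ in which files must be present. The following is an added illustration, not code from UCS or from the MR: a POSIX sh wrapper that checks the PEM files before calling univention-adsearch, so a missing or empty CRL is reported up front instead of surfacing as "TLS failed to missing crlfile" and NT_STATUS_INVALID_PARAMETER_MIX. The `run_adsearch`/`check_tls_files`/`pem_has` names and the `ADSEARCH_CMD` override are assumptions of this example; the requirement that as_strict_as_possible needs a CRL while ca_and_name does not comes from man smb.conf, as quoted in the thread.

```shell
#!/bin/sh
# Added example (not UCS code): pre-flight checks around univention-adsearch.
# ADSEARCH_CMD is an assumed hook so the wrapper can be dry-run with "echo".
ADSEARCH_CMD="${ADSEARCH_CMD:-univention-adsearch}"

# usage: pem_has <file> <PEM block name>    e.g. pem_has ca.pem CERTIFICATE
# True only for a non-empty file containing the expected PEM block; an empty
# dummy file (which the thread reports as not helping) fails this check.
pem_has() {
    [ -s "$1" ] && grep -q -- "^-----BEGIN $2-----" "$1"
}

# usage: check_tls_files <ad_cert> <crl> <verify_mode>
# Verifies the inputs against the requested Samba "tls verify peer" mode.
check_tls_files() {
    cert="$1"; crl="$2"; mode="$3"
    if ! pem_has "$cert" CERTIFICATE; then
        echo "AD certificate missing, empty or not PEM: $cert" >&2
        return 1
    fi
    # Only the strictest mode insists on a CRL; ca_and_name checks the chain
    # and the host name without one (man smb.conf, "tls verify peer").
    if [ "$mode" = as_strict_as_possible ] && ! pem_has "$crl" "X509 CRL"; then
        echo "CRL missing, empty or not PEM (required by $mode): $crl" >&2
        return 1
    fi
    return 0
}

# usage: run_adsearch <ad_cert> <crl> <host> <port> <verify_mode> [filter...]
# Builds the --option arguments the thread ends up with and runs the search.
run_adsearch() {
    if [ $# -lt 5 ]; then
        echo "usage: run_adsearch <ad_cert> <crl> <host> <port> <verify_mode> [filter...]" >&2
        return 2
    fi
    cert="$1"; crl="$2"; host="$3"; port="$4"; mode="$5"; shift 5
    check_tls_files "$cert" "$crl" "$mode" || return 1
    # Assemble arguments by prepending, so the filter (if any) stays last.
    set -- -H "ldaps://$host:$port" "$@"
    if pem_has "$crl" "X509 CRL"; then
        set -- --option "tls crlfile = $crl" "$@"
    fi
    set -- --option "tls verify peer = $mode" --option "tls cafile = $cert" "$@"
    "$ADSEARCH_CMD" "$@"
}
```

On a UCS member the call would take its inputs from UCR and the path named in the MR, e.g. `run_adsearch "$(ucr get connector/ad/ldap/certificate)" /etc/univention/ssl/ucsCA/crl/crl.pem "$(ucr get connector/ad/ldap/host)" 636 as_strict_as_possible cn=Administrator`; setting `ADSEARCH_CMD=echo` prints the assembled command line instead of running it.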
```
bafe3a8a99a fix(univention-adsearch): pass AD cert as samba option to ldbsearch
595792c502d fix(univention-adsearch): pass UCS crl as samba option to ldbsearch
7fa1a385890 chore(univention-ad-connector): Advisory
```

Package: univention-ad-connector
Version: 16.2.2
Branch: 5.2-0
Scope: errata5.2-2
<https://errata.software-univention.de/#/?erratum=5.2x155>