Backport for 5.0 from Bug #56139.

+++ This bug was initially created as a clone of Bug #56139 +++

LDAPS is configured in a customer environment. The AD Connector is running successfully but univention-adsearch doesn't work. I don't see that the configured certificate is used.

# univention-adsearch -d ou=users
TLS failed to missing crlfile - with 'tls verify peer = as_strict_as_possible'
Failed to connect to ldap URL 'ldaps://AD.DOMAIN.LOCAL:636' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
Failed to connect to 'ldaps://AD.DOMAIN.LOCAL:636' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
Failed to connect to ldaps://AD.DOMAIN.LOCAL:636 - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
### Output of: ldbsearch --show-deleted -H ldaps://AD.DOMAIN.LOCAL:636 --use-kerberos=required --basedn=DC=DOMAIN,DC=LOCAL ou=users

# ucr search --brief connector/ad/ldap
connector/ad/ldap/base: DC=DOMAIN,DC=LOCAL
connector/ad/ldap/binddn: server$
connector/ad/ldap/bindpw: /etc/machine.secret
connector/ad/ldap/certificate: /etc/univention/connector/ad/ad_cert_20220329_110700.pem
connector/ad/ldap/host: AD.DOMAIN.LOCAL
connector/ad/ldap/kerberos: true
connector/ad/ldap/ldaps: yes
connector/ad/ldap/port: 636
connector/ad/ldap/ssl: yes

# univention-app info
UCS: 5.0-3 errata664
Installed: adconnector=12.0 mailserver=12.0 pkgdb=11.0 samba-memberserver=4.16
Upgradable:

# testparm -vs | grep -i tls
Load smb config files from /etc/samba/smb.conf
lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
Loaded services file OK.
Weak crypto is allowed
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
ldap ssl = start tls
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls crlfile =
tls dh params file =
tls enabled = Yes
tls keyfile = tls/key.pem
tls priority = NORMAL:-VERS-SSL3.0
tls verify peer = as_strict_as_possible
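
The failure reported above follows from Samba's documented rule that `tls verify peer = as_strict_as_possible` requires a configured `tls crlfile` (and every level except `no_check` requires `tls cafile`). The check below is an added example, not part of the bug report or Univention's code; the function names and the placeholder CRL path are assumptions.

```shell
#!/bin/sh
# Added example (not Univention code): flag Samba client TLS settings that make
# an LDAPS connect fail or go unverified. Input format: `testparm -vs` lines.

# get_param NAME: read "name = value" lines on stdin, print NAME's value.
get_param() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# check_tls_client CONFIG: print one finding per line; return 1 if any.
check_tls_client() {
    cfg=$1 rc=0
    verify=$(printf '%s\n' "$cfg" | get_param 'tls verify peer')
    cafile=$(printf '%s\n' "$cfg" | get_param 'tls cafile')
    crlfile=$(printf '%s\n' "$cfg" | get_param 'tls crlfile')
    case $verify in
    no_check)
        echo "WARN: tls verify peer = no_check, peer certificate is not verified"
        rc=1 ;;
    as_strict_as_possible)
        if [ -z "$crlfile" ]; then
            echo "FAIL: tls crlfile is empty, required by as_strict_as_possible"
            rc=1
        fi ;;
    esac
    if [ "$verify" != no_check ] && [ -z "$cafile" ]; then
        echo "FAIL: tls cafile is empty, required by tls verify peer = $verify"
        rc=1
    fi
    return "$rc"
}

# TLS lines as shown in the report's testparm output.
REPORTED='tls cafile = tls/ca.pem
tls crlfile =
tls verify peer = as_strict_as_possible'

# Constructed sample: same settings with a CRL configured (placeholder path).
WITH_CRL='tls cafile = tls/ca.pem
tls crlfile = /path/to/crl.pem
tls verify peer = as_strict_as_possible'

check_tls_client "$REPORTED" || true
check_tls_client "$WITH_CRL" && echo "OK: CRL configured"
```
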
c76535c699d | fix(univention-adsearch): pass AD cert as samba option to ldbsearch
860f9e1e45a | fix(univention-adsearch): pass UCS crl as samba option to ldbsearch
ca08f791073 | chore(univention-ad-connector): Advisory

Package: univention-ad-connector
Version: 14.0.22
Release: 5.0-0
Scope: errata5.0-10
Verified:
* Package installation
* Functional test
<https://errata.software-univention.de/#/?erratum=5.0x1303>