Sent: Tue Jun 12 2012 12:08:52 GMT-0400 (EDT)
From: Patrick Hemmer <openldap@stormcloud9.net>
To: openldap-technical@openldap.org
Subject: TLS issues when setting olcTLSCACertificateFile to the CA bundle
Whenever I set olcTLSCACertificateFile to
/etc/pki/tls/certs/ca-bundle.crt LDAP clients get cert errors
connecting to the server. But it works fine when I point
olcTLSCACertificateFile at the actual server cert instead of the
CA bundle.
With olcTLSCACertificateFile pointed at
/etc/pki/tls/certs/ca-bundle.crt:
CLIENT:
# LDAPTLS_CACERT=/etc/pki/tls/certs/ca-bundle.crt ldapsearch -H 'ldap://fqdn.to.my.server' -ZZ -x -b '' -s base '+'
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate)
SERVER (from "slapd -d conns"):
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
Why is this happening? olcTLSCACertificateFile is supposed to
control the certificates that OpenLDAP will recognize, not
affect the certificate it gives to clients (right?).
This is OpenLDAP 2.4.31.
-Patrick

So I found the cause of this issue. What is happening is that I have
the chain cert bundled in with the server's cert. Apparently the
chain cert MUST be placed in the file referenced by
olcTLSCACertificateFile.
However this now introduces a problem. We are requiring client
certificates for all connections, and we are using our own CA cert
to sign the client certs, and then telling OpenLDAP to trust only
our CA. However by having to add the chain cert to the CAs that
OpenLDAP will recognize, other clients signed with that chain cert
can now connect, not just clients signed with our CA.
OpenLDAP does not appear to have any method for specifying that a
cert file should only be used as the chain cert of the server's
certificate. While browsing around trying to understand exactly what
was going on, I found other projects like apache httpd have
configuration parameters (SSLCertificateChainFile) to specify
chain cert files for exactly
this reason. Is there any particular reason OpenLDAP does not have
this capability?