I am trying to understand how a ldap server's certificate is being verified in the absence of the appropriate CA certificates. I have openldap 2.4.23-34 installed.
If I set TLS_CACERTDIR to a dummy directory (like /home/aarenson), ldapsearch tells me, as expected, that the server's certificate is not verified. If I set TLS_CACERTDIR to a directory where I have placed the file with my CA certificates, ldapsearch tells me, again as expected, that the server's certificate _IS_ verified.
The situation that is surprising me, though, is that if I set TLS_CACERTDIR to /etc/openldap/certs, which has the cert8.db file, but as far as I can tell has no actuall certificates in that database, ldap search tells me, surprisingly, that the server's certificate _IS_ verified.
How is openldap verifying my server's certificate?
When I look in /etc/openldap/certs for certificates, I find none:
=========================================================================== = [root@in-rtls-dev02 certs]# pwd /etc/openldap/certs
[root@in-rtls-dev02 certs]# ls cert8.db key3.db less password secmod.db
[root@in-rtls-dev02 certs]# certutil -d . -L
Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI = ===========================================================================
I have put a file with the appropriate chain of signing certificates in /etc/pki/tls/certs as incommon_chain_2013.pem:
=========================================================================== = [root@in-rtls-dev02 certs]# pwd /etc/pki/tls/certs
[root@in-rtls-dev02 certs]# ls 3641f99d.0 Makefile incommon-ie.pem make-dummy-cert 9de8458f.0 ca-bundle.crt incommon_chain_2013.pem renew-dummy-cert 9ef5f911.0 ca-bundle.trust.crt iu-bl-inter-ie.pem
= ===========================================================================
Here's the system ldap configuration I'm using:
=========================================================================== = [root@in-rtls-dev02 openldap]# pwd /etc/openldap
[root@in-rtls-dev02 openldap]# cat ldap.conf # # LDAP Defaults #
# See ldap.conf(5) for details # This file should be world readable but not world writable.
#BASE dc=example,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12 #TIMELIMIT 15 #DEREF never
#TLS_REQCERT allow TLS_REQCERT demand
#TLS_CACERTDIR /etc/openldap/certs #TLS_CACERTDIR /etc/pki/tls/certs TLS_CACERTDIR /home/aarenson
= ===========================================================================
Here is the user ldap configuration I'm using. It is all commented out:
=========================================================================== = [in-rtls-dev02.uits.iupui.edu:/home/aarenson] bash> cat .ldaprc # Instruct client to try requesting a server's cert. #TLS_REQCERT allow #TLS_REQCERT demand
# Define location of CA Cert #TLS_CACERTDIR /etc/openldap/certs #TLS_CACERTDIR /etc/pki/tls/certs #TLS_CACERTDIR /home/aarenson
= ===========================================================================
Here are the three invocations of ldapsearch:
=========================================================================== = [in-rtls-dev02.uits.iupui.edu:/home/aarenson] bash> ldapsearch -d 9 -D "aarenson@ads.iu.edu" -w "<PASSWORD>" -H ldaps://ads.iu.edu:636 -b "ou=Accounts,dc=ads,dc=iu,dc=edu" -s sub "(sAMAccountName=aarenson)" ... TLS: certificate [CN=InCommon Server CA,OU=InCommon,O=Internet2,C=US] is not valid - error -8179:Peer's Certificate issuer is not recognized.. ...
[in-rtls-dev02.uits.iupui.edu:/home/aarenson] bash> LDAPTLS_CACERTDIR=/etc/pki/tls/certs LDAPTLS_REQCERT=demand ldapsearch -d 9 -D "aarenson@ads.iu.edu" -w "<PASSWORD" -H ldaps://ads.iu.edu:636 -b "ou=Accounts,dc=ads,dc=iu,dc=edu" -s sub "(sAMAccountName=aarenson)" ... distinguishedName: CN=aarenson,OU=Accounts,DC=ads,DC=iu,DC=edu ...
[in-rtls-dev02.uits.iupui.edu:/home/aarenson] bash> LDAPTLS_CACERTDIR=/etc/openldap/certs LDAPTLS_REQCERT=demand ldapsearch -d 9 -D "aarenson@ads.iu.edu" -w "<PASSWORD>" -H ldaps://ads.iu.edu:636 -b "ou=Accounts,dc=ads,dc=iu,dc=edu" -s sub "(sAMAccountName=aarenson)" ... distinguishedName: CN=aarenson,OU=Accounts,DC=ads,DC=iu,DC=edu ...
= ===========================================================================
Andy