Hello all,
On Ubuntu, I have set up an LDAP server and am authenticating to it over SSL for my LDAP queries. I had it working on previous Ubuntu releases, but something seems to have changed in the newest release (maybe this: http://www.debian-administration.org/users/dkg/weblog/42). I am having trouble figuring out exactly what is breaking.
Some background: I have set up my own CA and generated a certificate for it, which the LDAP server is using. Without specifying this CA, I get "self-signed certificate" errors when connecting:
    root@host:# openssl s_client -connect my.ldap.server:636 -showcerts
    CONNECTED(00000003)
    <... trimmed certificate information ...>
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    <... trimmed more certificate information ...>
If I specify the path to my internal CA file, I receive no errors:
    root@host:# openssl s_client -connect my.ldap.server:636 -showcerts -CAfile /path/to/my/ca/file
    CONNECTED(00000003)
    <... trimmed certificate and internal CA information ...>
    verify return:1
    <... trimmed more certificate information ...>
That being said, I manually specified the path to my internal CA file in /etc/ldap/ldap.conf:
    BASE dc=my, dc=search, dc=base
    URI ldaps://my.ldap.server
    TLS_CACERT /path/to/my/ca/file
    TLS_REQCERT demand
    TIMEOUT 4
    NETWORK_TIMEOUT 2
This still does not allow secure ldap queries:
    root@host:# ldapsearch -x -d1
    ldap_create
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP my.ldap.server:636
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying my.ldap.server.ip:636
    ldap_pvt_connect: fd: 3 tm: 2 async: 0
    ldap_ndelay_on: 3
    ldap_int_poll: fd: 3 tm: 2
    ldap_is_sock_ready: 3
    ldap_ndelay_off: 3
    ldap_pvt_connect: 0
    TLS: peer cert untrusted or revoked (0x102)
    TLS: can't connect: (unknown error code).
    ldap_err2string
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Just to prove that the above configuration is the one being used, if I switch the above configuration to "TLS_REQCERT allow", the ldap queries bypass this issue:
    root@myhost:# ldapsearch -x -d1 > /dev/null
    ldap_create
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP auth01.rdc.internal:636
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying 192.168.1.41:636
    ldap_pvt_connect: fd: 3 tm: 2 async: 0
    ldap_ndelay_on: 3
    ldap_int_poll: fd: 3 tm: 2
    ldap_is_sock_ready: 3
    ldap_ndelay_off: 3
    ldap_pvt_connect: 0
    TLS: peer cert untrusted or revoked (0x102)
    ldap_open_defconn: successful
    <... trimmed rest of results ...>
My OpenLDAP is version 2.4.15 on Ubuntu Jaunty. Interestingly, I had the same message about self-signed certificates on previous Ubuntu versions, but querying ldap with "TLS_REQCERT demand" worked fine.
So what is the solution to this problem? Do I switch to "TLS_REQCERT allow"? Or perhaps there's some way to debug why openldap is not seeing the internal CA file even though I've told it where to look?
Thanks for any pointers...
-Kurt
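Editor's note, added below the post and not part of Kurt's message: the libldap shipped by Debian and Ubuntu in this era is linked against GnuTLS rather than OpenSSL, and GnuTLS's default chain verification is stricter than what "openssl s_client -CAfile" exercises. One thing it refuses that openssl tolerates is a CA certificate that does not carry an X509v3 Basic Constraints extension asserting CA:TRUE. Whether that is what broke this particular installation is an assumption; the script below is a diagnostic a practitioner would run against the file named in TLS_CACERT before reaching for "TLS_REQCERT allow". It is an added example in Python using only the standard library, so it works on a box without openssl; the file path argument and the three constructed DER fragments used to exercise it are not from the original post, and the ASN.1 walk is a targeted scan for the basicConstraints OID, not a full X.509 parser.

```python
"""Inspect a PEM CA bundle the way a strict TLS library would, without openssl.

Added diagnostic for the "TLS: peer cert untrusted or revoked (0x102)" case:
lists every certificate in the bundle and reports whether it carries an
X509v3 Basic Constraints extension with CA:TRUE. Assumptions: the path comes
from argv[1]; the decoder scans for the basicConstraints OID and decodes only
the Extension structure that follows it (heuristic, not a complete X.509 parser).
"""
import base64
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)
# DER encoding of OBJECT IDENTIFIER 2.5.29.19 (id-ce-basicConstraints).
BASIC_CONSTRAINTS_OID = bytes.fromhex("0603551d13")


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def pem_to_der(text):
    """Return the DER bytes of every CERTIFICATE block found in a PEM string."""
    return [base64.b64decode(re.sub(r"\s+", "", m.group(1))) for m in PEM_BLOCK.finditer(text)]


def der_to_pem(der):
    """Wrap DER bytes in CERTIFICATE PEM armour (used here to build constructed input)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def basic_constraints(der):
    """Return None if no basicConstraints extension, else (critical, ca) booleans.

    Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
                             extnValue OCTET STRING }
    BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen INTEGER OPTIONAL }
    """
    idx = der.find(BASIC_CONSTRAINTS_OID)
    if idx < 0:
        return None
    pos = idx + len(BASIC_CONSTRAINTS_OID)
    tag, start, end = read_tlv(der, pos)
    critical = False
    if tag == 0x01:                        # optional critical BOOLEAN
        critical = der[start:end] != b"\x00"
        tag, start, end = read_tlv(der, end)
    if tag != 0x04:                        # extnValue must be an OCTET STRING
        raise ValueError("malformed basicConstraints extension")
    seq_tag, seq_start, seq_end = read_tlv(der, start)
    if seq_tag != 0x30:
        raise ValueError("basicConstraints value is not a SEQUENCE")
    ca = False
    if seq_start < seq_end:
        inner_tag, inner_start, inner_end = read_tlv(der, seq_start)
        if inner_tag == 0x01:              # cA BOOLEAN; absent means FALSE
            ca = der[inner_start:inner_end] != b"\x00"
    return critical, ca


def inspect_bundle(text):
    """Summarise each certificate in a PEM bundle; an empty list means no PEM block parsed."""
    report = []
    for i, der in enumerate(pem_to_der(text)):
        bc = basic_constraints(der)
        report.append({
            "index": i,
            "der_bytes": len(der),
            "has_basic_constraints": bc is not None,
            "ca": bc is not None and bc[1],
            "critical": bc is not None and bc[0],
        })
    return report


def usable_as_trust_anchor(entry):
    """True when a strict verifier would treat this certificate as a CA.

    Old X.509v1 roots with no extensions at all are a separate case not modelled here.
    """
    return entry["has_basic_constraints"] and entry["ca"]


if __name__ == "__main__":
    # Usage: python3 check_cacert.py /path/to/my/ca/file
    with open(sys.argv[1], "r") as fh:
        for entry in inspect_bundle(fh.read()):
            verdict = "OK" if usable_as_trust_anchor(entry) else "NOT A CA"
            print(f"cert #{entry['index']}: {entry['der_bytes']} bytes, "
                  f"basicConstraints={'present' if entry['has_basic_constraints'] else 'absent'}, "
                  f"CA={entry['ca']}, critical={entry['critical']} -> {verdict}")
```

If the CA certificate named in TLS_CACERT comes back "NOT A CA" (or the file yields no certificate at all, for instance because it holds a key or is unreadable by the user running ldapsearch), the fix is on the CA side: reissue the CA certificate with basicConstraints CA:TRUE and install the new file on the clients. Switching to "TLS_REQCERT allow" makes the symptom go away because it tells libldap to proceed even when the server certificate fails verification, which removes the protection ldaps was supposed to provide.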