is it necessary to specify both TLS_CACERT and TLS_CACERTDIR ?

or can the full path to ca cert be specified in TLS_CACERT? what does this mean? 16.2.2.1. TLS_CACERT <filename>

This is equivalent to the server's TLSCACertificateFile option. As noted in the TLS Configurationhttps://www.openldap.org/doc/admin24/tls.html#TLS%20Configuration section, a client typically may need to know about more CAs than a server, but otherwise the same considerations apply.

16.2.2.2. TLS_CACERTDIR <path>

This is equivalent to the server's TLSCACertificatePath option. The specified directory must be managed with the OpenSSL c_rehash utility as well. If using Mozilla NSS, <path> may contain a cert/key database.

________________________________ From: Howard Chu hyc@symas.com Sent: Friday, October 2, 2020 10:27 PM To: Siddharth Jain siddjain@live.com; openldap-technical@openldap.org openldap-technical@openldap.org Subject: Re: TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure

Quanah Gibson-Mount wrote:

--On Saturday, October 3, 2020 12:36 AM +0000 Siddharth Jain siddjain@live.com wrote:

...

But ldapsearch throws an error:

$ ldapsearch -d 1 -x -H ldaps://ldap.foo.com:636 ... -ZZ

This is not valid.

Either you:

(a) use ldap:// with -ZZ (startTLS)

OR

(b) use ldaps://

Both will result in a TLS secured connection if successful

But you absolutely CANNOT combine startTLS + ldaps://

Also, TLS_CERT/TLS_KEY are user-only directives. Re-read the ldap.conf(5) manpage.

-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

not able to get it to work. Things we have tried:

* removed the -ZZ option. * set TLS_CACERT to complete path and remove TLS_CACERTDIR from ldap.conf * also set above as environment variable * also tried some permutations like CACAERT equals just the filename whereas CACERTDIR equals directory containing the file

but result is the same.

ldap_url_parse_ext(ldaps://ldap.foo.com:636) ldap_create ldap_url_parse_ext(ldaps://ldap.foo.com:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap.foo.com:636 ldap_new_socket: 5 ldap_prepare_socket: 5 ldap_connect_to_host: Trying 10.67.242.198:636 ldap_pvt_connect: fd: 5 tm: -1 async: 0 tlsst_thr_init() tlsst_init() tlsst_ctx_new() = 0x7fb530006f60 tlsst_ctx_init(0x7fb530006f60) tlsst_ciphers_get((null), TLS_CIPHER_SUITE) tlsst_session_new(0x7fb530006f60) tlsst_ciphers_set(76, TLS_CIPHER_SUITE) tlsst_ctx_ref(0x7fb530006f60) tlsst_session_new(0x7fb530006f60) = 0x7fb530008ef0 tlsst_sb_setup(0x7fb530008ef0) tlsst_ctx_ref(0x7fb530006f60) tlsst_session_connect(0x7fb530008ef0) tlsst_session_handshake() tlsst_socket_write(0x7fb530008548, 145) tlsst_socket_read(0x7fb530804800, 5) tlsst_socket_read(0x7fb530804805, 93) tlsst_socket_read(0x7fb530804800, 5) tlsst_socket_read(0x7fb530804805, 778) tlsst_socket_read(0x7fb530804800, 5) tlsst_socket_read(0x7fb530804805, 147) tlsst_socket_read(0x7fb530804800, 5) tlsst_socket_read(0x7fb530804805, 270) tlsst_socket_read(0x7fb530804800, 5) tlsst_socket_read(0x7fb530804805, 4) TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841) TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure

and openssl s_client does work. ________________________________ From: Quanah Gibson-Mount quanah@symas.com Sent: Monday, October 5, 2020 10:24 AM To: Siddharth Jain siddjain@live.com; openldap-technical@openldap.org openldap-technical@openldap.org Subject: Re: TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure

--On Monday, October 5, 2020 1:58 AM +0000 Siddharth Jain siddjain@live.com wrote:

is it necessary to specify both

TLS_CACERT and

TLS_CACERTDIR ?

You use one or the other. The TLS_CACERT only takes a specific file. The TLS_CACERTDIR allows the usage of a directory of multiple CA files.

16.2.2.1. TLS_CACERT <filename>

This is equivalent to the server's TLSCACertificateFile option. As noted in the TLS Configuration section, a client typically may need to know about more CAs than a server, but otherwise the same considerations apply.

16.2.2.2. TLS_CACERTDIR <path>

This is equivalent to the server's TLSCACertificatePath option. The specified directory must be managed with the OpenSSL c_rehash utility as well. If using Mozilla NSS, <path> may contain a cert/key database.

The ldap.conf file uses one set of configuration parameter names, the slapd configuration uses a different set of configuration parameter names.

--Quanah

--

Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com

we have made some progress. On Linux machine we don't get that error but get another error instead. TLS certificate verification: Error, self signed certificate in certificate chain

It looks like it complains about a self-signed certificate but that certificate is that of the root CA and by definition that will be self-signed.

ldap_url_parse_ext(ldaps://ldap.foo.com:636) ldap_create ldap_url_parse_ext(ldaps://ldap.foo.com:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap.foo.com:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.67.242.198:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 attempting to connect: connect success TLSMC: MozNSS compatibility interception begins. tlsmc_intercept_initialization: INFO: entry options follow: tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs' tlsmc_intercept_initialization: INFO: certfile = `/home/client/client_tls_cert.pem' tlsmc_intercept_initialization: INFO: keyfile = `/home/client/client_tls_key.pem' tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs'. tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/certs` prefix ``. tlsmc_open_nssdb: INFO: initialized MozNSS context. tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6'. tlsmc_convert: INFO: using the existing PEM dir. tlsmc_intercept_initialization: INFO: altered options follow: tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6/cacerts' tlsmc_intercept_initialization: INFO: certfile = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6/cert.pem' tlsmc_intercept_initialization: INFO: keyfile = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6/key.pem' tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only. TLSMC: MozNSS compatibility interception ends. TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 2, err: 19, subject: /C=US/ST=CA/L=San Francisco/O=foo/OU=HR/CN=Mickey Mouse, issuer: /C=US/ST=CA/L=San Francisco/O=foo/OU=HR/CN=Mickey Mouse TLS certificate verification: Error, self signed certificate in certificate chain TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in error TLS trace: SSL_connect:error in error TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain). ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

________________________________ From: Quanah Gibson-Mount quanah@symas.com Sent: Monday, October 5, 2020 11:10 AM To: Siddharth Jain siddjain@live.com; openldap-technical@openldap.org openldap-technical@openldap.org Subject: Re: TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure

--On Monday, October 5, 2020 6:48 PM +0000 Siddharth Jain siddjain@live.com wrote:

TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841) TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure

This message comes from Apple's TLS library. This would indicate that you're using a hacked version of OpenLDAP. We cannot offer support for a hacked version of OpenLDAP. You will need to ask Apple for help on how to correctly configure TLS within their environment.

Regards, Quanah

--

Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com

On 10/5/20 8:10 PM, Quanah Gibson-Mount wrote:

--On Monday, October 5, 2020 6:48 PM +0000 Siddharth Jain siddjain@live.com wrote:

...

TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841) TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure

This message comes from Apple's TLS library.  This would indicate that you're using a hacked version of OpenLDAP.  We cannot offer support for a hacked version of OpenLDAP.  You will need to ask Apple for help on how to correctly configure TLS within their environment.

To add to that:

AFAIK the patched libldap in MacOS simply uses the system-wide trust store and nothing else.

Furthermore using ldap_set_option() to set trusted CA certs file or directory leads to errors. This results in weird work-arounds like this:

https://gitlab.com/ae-dir/python-ldap0/-/blob/master/ldap0/ldapobject.py#L25...

Ciao, Michael.