I am trying to understand how a ldap server's certificate is being verified in the absence of the appropriate CA certificates. I have openldap 2.4.23-34 installed.
If I set TLS_CACERTDIR to a dummy directory (like /home/aarenson), ldapsearch tells me, as expected, that the server's certificate is not verified. If I set TLS_CACERTDIR to a directory where I have placed the file with my CA certificates, ldapsearch tells me, again as expected, that the server's certificate _IS_ verified.
The situation that is surprising me, though, is that if I set TLS_CACERTDIR to /etc/openldap/certs, which has the cert8.db file, but as far as I can tell has no actuall certificates in that database, ldap search tells me, surprisingly, that the server's certificate _IS_ verified.
How is openldap verifying my server's certificate?
When I look in /etc/openldap/certs for certificates, I find none:
=========================================================================== = [root@in-rtls-dev02 certs]# pwd /etc/openldap/certs
[root@in-rtls-dev02 certs]# ls cert8.db key3.db less password secmod.db
[root@in-rtls-dev02 certs]# certutil -d . -L
Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI = ===========================================================================
I have put a file with the appropriate chain of signing certificates in /etc/pki/tls/certs as incommon_chain_2013.pem:
=========================================================================== = [root@in-rtls-dev02 certs]# pwd /etc/pki/tls/certs
[root@in-rtls-dev02 certs]# ls 3641f99d.0 Makefile incommon-ie.pem make-dummy-cert 9de8458f.0 ca-bundle.crt incommon_chain_2013.pem renew-dummy-cert 9ef5f911.0 ca-bundle.trust.crt iu-bl-inter-ie.pem
= ===========================================================================
Here's the system ldap configuration I'm using:
=========================================================================== = [root@in-rtls-dev02 openldap]# pwd /etc/openldap
[root@in-rtls-dev02 openldap]# cat ldap.conf # # LDAP Defaults #
# See ldap.conf(5) for details # This file should be world readable but not world writable.
#BASE dc=example,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12 #TIMELIMIT 15 #DEREF never
#TLS_REQCERT allow TLS_REQCERT demand
#TLS_CACERTDIR /etc/openldap/certs #TLS_CACERTDIR /etc/pki/tls/certs TLS_CACERTDIR /home/aarenson
= ===========================================================================
Here is the user ldap configuration I'm using. It is all commented out:
=========================================================================== = [in-rtls-dev02.uits.iupui.edu:/home/aarenson] bash> cat .ldaprc # Instruct client to try requesting a server's cert. #TLS_REQCERT allow #TLS_REQCERT demand
# Define location of CA Cert #TLS_CACERTDIR /etc/openldap/certs #TLS_CACERTDIR /etc/pki/tls/certs #TLS_CACERTDIR /home/aarenson
= ===========================================================================
Here are the three invocations of ldapsearch:
=========================================================================== = [in-rtls-dev02.uits.iupui.edu:/home/aarenson] bash> ldapsearch -d 9 -D "aarenson@ads.iu.edu" -w "<PASSWORD>" -H ldaps://ads.iu.edu:636 -b "ou=Accounts,dc=ads,dc=iu,dc=edu" -s sub "(sAMAccountName=aarenson)" ... TLS: certificate [CN=InCommon Server CA,OU=InCommon,O=Internet2,C=US] is not valid - error -8179:Peer's Certificate issuer is not recognized.. ...
[in-rtls-dev02.uits.iupui.edu:/home/aarenson] bash> LDAPTLS_CACERTDIR=/etc/pki/tls/certs LDAPTLS_REQCERT=demand ldapsearch -d 9 -D "aarenson@ads.iu.edu" -w "<PASSWORD" -H ldaps://ads.iu.edu:636 -b "ou=Accounts,dc=ads,dc=iu,dc=edu" -s sub "(sAMAccountName=aarenson)" ... distinguishedName: CN=aarenson,OU=Accounts,DC=ads,DC=iu,DC=edu ...
[in-rtls-dev02.uits.iupui.edu:/home/aarenson] bash> LDAPTLS_CACERTDIR=/etc/openldap/certs LDAPTLS_REQCERT=demand ldapsearch -d 9 -D "aarenson@ads.iu.edu" -w "<PASSWORD>" -H ldaps://ads.iu.edu:636 -b "ou=Accounts,dc=ads,dc=iu,dc=edu" -s sub "(sAMAccountName=aarenson)" ... distinguishedName: CN=aarenson,OU=Accounts,DC=ads,DC=iu,DC=edu ...
= ===========================================================================
Andy
--On May 6, 2014 at 11:26:47 AM -0400 "Andrew D. Arenson" aarenson@iu.edu wrote:
I am trying to understand how a ldap server's certificate is being verified in the absence of the appropriate CA certificates. I have openldap 2.4.23-34 installed.
So I'm guessing you are using RHEL's utterly broken packages for OpenLDAP. I would advise you to get a real, functioning OpenLDAP build, or build OpenLDAP yourself. You can obtain functional builds from Symas or the LTB project.
--Quanah
On Tue, May 06, 2014 at 09:45:17PM -0700, Quanah Gibson-Mount wrote:
--On May 6, 2014 at 11:26:47 AM -0400 "Andrew D. Arenson" aarenson@iu.edu wrote:
I am trying to understand how a ldap server's certificate is being verified in the absence of the appropriate CA certificates. I have openldap 2.4.23-34 installed.
So I'm guessing you are using RHEL's utterly broken packages for OpenLDAP. I would advise you to get a real, functioning OpenLDAP build, or build OpenLDAP yourself. You can obtain functional builds from Symas or the LTB project.
It is, indeed, RHEL. Have you got a pointer to info about how they are broken?
Andy
--On May 7, 2014 at 4:14:36 PM -0400 "Andrew D. Arenson" aarenson@iu.edu wrote:
On Tue, May 06, 2014 at 09:45:17PM -0700, Quanah Gibson-Mount wrote:
--On May 6, 2014 at 11:26:47 AM -0400 "Andrew D. Arenson" aarenson@iu.edu wrote:
I am trying to understand how a ldap server's certificate is being verified in the absence of the appropriate CA certificates. I have openldap 2.4.23-34 installed.
So I'm guessing you are using RHEL's utterly broken packages for OpenLDAP. I would advise you to get a real, functioning OpenLDAP build, or build OpenLDAP yourself. You can obtain functional builds from Symas or the LTB project.
It is, indeed, RHEL. Have you got a pointer to info about howthey are broken?
They link to a non-standard SSL implementation they linked in themselves, for one, that has serious issues (You can search on that if you like) They ship 2.4.23 which is *years* out of date and has many numerous bugs fixed since then (See the change log on the OpenLDAP website)
It should never be used for a production installation.
--Quanah
On Wed, May 07, 2014 at 02:22:07PM -0700, Quanah Gibson-Mount wrote:
--On May 7, 2014 at 4:14:36 PM -0400 "Andrew D. Arenson" aarenson@iu.edu wrote:
On Tue, May 06, 2014 at 09:45:17PM -0700, Quanah Gibson-Mount wrote:
--On May 6, 2014 at 11:26:47 AM -0400 "Andrew D. Arenson" aarenson@iu.edu wrote:
I am trying to understand how a ldap server's certificate is being verified in the absence of the appropriate CA certificates. I have openldap 2.4.23-34 installed.
So I'm guessing you are using RHEL's utterly broken packages for OpenLDAP. I would advise you to get a real, functioning OpenLDAP build, or build OpenLDAP yourself. You can obtain functional builds from Symas or the LTB project.
It is, indeed, RHEL. Have you got a pointer to info about howthey are broken?
They link to a non-standard SSL implementation they linked in themselves, for one, that has serious issues (You can search on that if you like) They ship 2.4.23 which is *years* out of date and has many numerous bugs fixed since then (See the change log on the OpenLDAP website)
It should never be used for a production installation.
Thank you.
The change log shows that 2.4.23 is from the middle of 2010. Ugh.
I see that RHEL links to something called NSS. If you have handy links to documentation/info about the problems with NSS, I would love to see them. I'll be looking, but if you already know where to look, I'd certainly appreciate it.
Andy
--On May 9, 2014 at 9:21:00 AM -0400 "Andrew D. Arenson" aarenson@iu.edu wrote:
It should never be used for a production installation.
Thank you. The change log shows that 2.4.23 is from the middle of 2010. Ugh. I see that RHEL links to something called NSS. If youhave handy links to documentation/info about the problems with NSS, I would love to see them. I'll be looking, but if you already know where to look, I'd certainly appreciate it.
http://www.openldap.org/lists/openldap-devel/201204/msg00019.html
--Quanah
openldap-technical@openldap.org
-
Andrew D. Arenson -
Quanah Gibson-Mount