I'm having difficulty making tools like ldapsearch accept SSL certificates signed by a
Windows domain controller, even when the trust chain seems good. The problem extends to
PHP, which uses openldap (PHP debug logging shows the exact same errors).
We manually trusted the CA certificate of the domain controller:
cp -v /tmp/PDC02CA.crt /usr/local/share/ca-certificates
OpenSSL approves it (it doesn't approve without the previous step):
# openssl verify -verify_hostname PDC01.city.cmpny.local
openssl s_client -verify_hostname PDC01.city.cmpny.local -connect
depth=1 DC = local, DC = cmpny, DC = city, CN = city-PDC02-CA
i:DC = local, DC = cmpny, DC = city, CN = city-PDC02-CA
But ldapsearch just will not approve it:
$ ldapsearch -d1 -H ldaps://PDC01.city.cmpny.local:3269
ldap_connect_to_host: TCP PDC01.city.cmpny.local:3269
ldap_connect_to_host: Trying 10.105.10.10:3269
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
TLS: peer cert untrusted or revoked (0x102)
TLS: can't connect: (unknown error code).
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: (unknown error code)
Running 'strace' shows '/etc/ssl/certs/ca-certificates.crt' is properly
read. I also tried all the standard tricks with 'LDAPTLS_CACERT' and 'TLS_CACERT', pointing
directly to '/tmp/PDC02CA.crt', and editing '/etc/ldap/ldap.conf' with all
possible permutations. Nothing works, except 'TLS_REQCERT never'.
Other certificates are accepted when testing public servers. They are just https, but for
SSL tests that doesn't matter. Like:
ldapsearch -d1 -H ldaps://www.google.com:443
ldapsearch -d1 -H ldaps://www.amazon.co.uk:443
The latter only has the correct domain name in the 'subject alternate name', not
the common name. I theorized that maybe the SAN was a cause, but this test result, and
, show that should work fine.
If I deliberately try to create a hostname mismatch, it says: 'TLS: hostname
) does not match common name in certificate (www.amazon.co.uk)',
which is different from my 'peer cert untrusted or revoked'.
Could this be a bug (in GnuTLS)?
ldapsearch: @(#) $OpenLDAP: ldapsearch (Ubuntu) (Feb 18 2021 14:22:42)
Ubuntu: 18.04.5 LTS
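The same openssl checks as in the post, reproduced offline as an added example (this is not code from the post): it constructs a stand-in CA named like city-PDC02-CA and a server certificate for PDC01.city.cmpny.local, then runs `openssl verify -verify_hostname` against the CA bundle alone, so the "trusted CA", "hostname mismatch" and "untrusted issuer" outcomes can be told apart before involving ldapsearch. It assumes an `openssl` binary (1.1.0 or newer) on the path; the hostname and CA name are taken from the post, everything else is constructed.

```shell
#!/bin/sh
# Added example: constructed CA + server cert, verified the way the post verifies the real one.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=PDC01.city.cmpny.local                      # hostname from the post

# Constructed stand-in for the domain CA (city-PDC02-CA) and an unrelated CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=city-PDC02-CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=unrelated-CA" \
  -keyout "$WORK/other.key" -out "$WORK/other-ca.crt" 2>/dev/null

# Constructed server certificate, issued by the stand-in CA, host name in the SAN.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/ext.cnf"
openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -extfile "$WORK/ext.cnf" -out "$WORK/srv.crt" 2>/dev/null

# verify_chain CAFILE HOSTNAME CERT
# Trusts only CAFILE (system store disabled), checks the chain and the host name.
# Prints "ok" or openssl's reason; exit status is openssl's.
verify_chain() {
  if out=$(openssl verify -no-CAfile -no-CApath -CAfile "$1" \
             -verify_hostname "$2" "$3" 2>&1); then
    echo ok
  else
    echo "$out" | grep -m1 -i 'depth lookup' || echo "$out"
    return 1
  fi
}

# Stand-alone demonstration of the three outcomes.
echo "trusted CA, right host : $(verify_chain "$WORK/ca.crt" "$HOST" "$WORK/srv.crt" || true)"
echo "trusted CA, wrong host : $(verify_chain "$WORK/ca.crt" other.cmpny.local "$WORK/srv.crt" || true)"
echo "unrelated CA           : $(verify_chain "$WORK/other-ca.crt" "$HOST" "$WORK/srv.crt" || true)"
```

Pointing LDAPTLS_CACERT at the same CAFILE used here gives ldapsearch the identical trust input, so a difference in outcome isolates the LDAP client rather than the certificate.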