Bug 629549

Summary: ldap connects over TLS fail with self signed certificates
Product: [openSUSE] openSUSE 11.3
Reporter: Forgotten User 7bFuVpfALd <forgotten_7bFuVpfALd>
Component: Network
Assignee: Jiří Suchomel <jsuchome>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: lnussel, m407, ralf
Version: Final
Target Milestone: ---
Hardware: x86-64
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Forgotten User 7bFuVpfALd 2010-08-09 13:45:52 UTC
User-Agent:       Mozilla/5.0 (compatible; Konqueror/4.4; Linux) KHTML/4.4.4 (like Gecko) SUSE

Cannot connect to LDAP server over TLS when the server uses a self-signed certificate.

LDAP client accesses from 11.3 fail when using TLS.
For example:
ldapsearch -ZZ -h my.ldap.host.domain
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)

The error message is probably referring to the CA certificate which resides in /etc/ssl/certs/myown-ca.cert.pem on server side and which is self signed.

Other ldap client services like Yast-Ldap-Browser or Yast-User-Management give the same error.

This problem does not occur with 11.2.

Reproducible: Always

Comment 1 Forgotten User 7bFuVpfALd 2010-08-09 15:45:32 UTC
Seems to me it boils down to yast not passing the necessary config option to openldap.

Adding

TLS_CACERTDIR /etc/openldap/cacerts/

to

/etc/openldap/ldap.conf

fixes the problem.
Comment 2 Jiří Suchomel 2010-08-10 08:41:38 UTC
And did you set TLS_CACERTDIR in YaST LDAP module?
Comment 3 Forgotten User 7bFuVpfALd 2010-08-10 10:11:05 UTC
(In reply to comment #2)
> And did you set TLS_CACERTDIR in YaST LDAP module?

I don't understand your question exactly.
I assume you are referring to the YaST 'LDAP Client' module. There is a field called 'Certificate Directory' in 'Advanced Configuration'. The field has the value '/etc/openldap/cacerts'. This is the default value of that field; I have not changed it.
Comment 4 Jiří Suchomel 2010-08-10 10:22:51 UTC
Yes, that's what I asked for. This means YaST should save that value to /etc/ldap.conf as tls_cacertdir. But you say you need to have it in /etc/openldap/ldap.conf as well, right?


Ralf?
Comment 5 Forgotten User 7bFuVpfALd 2010-08-10 11:59:45 UTC
(In reply to comment #4)
> Yes, that's what I asked for. This means YaST should save that value to
> /etc/ldap.conf as tls_cacertdir.

YaST does: "tls_cacertdir   /etc/openldap/cacerts/" is present in my /etc/ldap.conf

> But you say you need to have it in
> /etc/openldap/ldap.conf as well, right?

Right. *11.3* seems to need it in /etc/openldap/ldap.conf as well. Maybe this is related to openssl 1.0.0 in 11.3.

You can test this yourself on an 11.3 standard installation. Configure an LDAP server with TLS enabled using YaST's 'LDAP Server' module, then try to access your server with the 'LDAP Browser' module.
Comment 6 Ralf Haferkamp 2010-08-17 10:13:33 UTC
(In reply to comment #4)
> Yes, that's what I asked for. This means YaST should save that value to
> /etc/ldap.conf as tls_cacertdir. But you say you need to have it in
> /etc/openldap/ldap.conf as well, right?
> 
> Ralf?
Yes, the option should be written to /etc/openldap/ldap.conf as "TLS_CACERTDIR" as well, so that the OpenLDAP command-line tools work as expected.
Comment 7 Ralf Haferkamp 2010-08-17 10:17:32 UTC
(In reply to comment #1)
> Adding
> 
> TLS_CACERTDIR /etc/openldap/cacerts/
> 
> to
> 
> /etc/openldap/ldap.conf
> 
> fixes the problem.

I wonder how adding "TLS_CACERTDIR /etc/openldap/cacerts/" can fix the problem if your certificate resides in "/etc/ssl/certs/myown-ca.cert.pem" (as you mention in the bug description). Is that really the case?
Comment 8 Forgotten User 7bFuVpfALd 2010-08-17 10:30:46 UTC
> I wonder how adding "TLS_CACERTDIR /etc/openldap/cacerts/" can fix the problem
> if you certificate resides in "/etc/ssl/certs/myown-ca.cert.pem" (as you
> mention in the bug description). Is that really the case?

"/etc/ssl/certs/myown-ca.cert.pem" is where the CA cert resides on server side. I don't think the location on server side does actually matter, as this bug turned out to be solely a client problem.
Comment 9 Jiří Suchomel 2010-08-17 14:01:31 UTC
(In reply to comment #6)

> Yes the option should be written to /etc/openldap/ldap.conf as "TLS_CACERTDIR"
> as well. So that the OpenLDAP commandline tools work as expected.

So, is it the same for TLS_CACERFILE vs. tls_cacertfile in /etc/ldap.conf?

Or is the key name different?
Comment 10 Ralf Haferkamp 2010-08-17 14:42:49 UTC
(In reply to comment #9)
> So, is it the same for TLS_CACERFILE vs. tls_cacertfile in /etc/ldap.conf?
> 
> Or is the key name different?
It's different *sigh*. That option is named "TLS_CACERT" in /etc/openldap/ldap.conf
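Added example (not YaST's code and not part of this bug thread): a small checker that mirrors the TLS CA settings from /etc/ldap.conf (lower-case pam_ldap/nss_ldap keys) into /etc/openldap/ldap.conf (upper-case OpenLDAP client keys) using the key mapping given in comments 6 and 10, so that ldapsearch -ZZ can verify the server's chain. The sample file contents are constructed for the example.

```python
"""Mirror TLS CA options from /etc/ldap.conf into /etc/openldap/ldap.conf.

The OpenLDAP command-line tools and libldap read /etc/openldap/ldap.conf,
not /etc/ldap.conf, so a CA directory set only in the latter leaves
"certificate verify failed (self signed certificate in certificate chain)".
"""

# Key mapping from the bug thread: the directory keeps its name, the CA
# file option is called TLS_CACERT (not TLS_CACERTFILE) on the OpenLDAP side.
KEY_MAP = {
    "tls_cacertdir": "TLS_CACERTDIR",
    "tls_cacertfile": "TLS_CACERT",
}


def parse_conf(text):
    """Return {key_lowercase: value} for 'key value' lines; comments and blank lines are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip()
    return opts


def missing_tls_options(ldap_conf_text, openldap_conf_text):
    """OpenLDAP 'KEY value' lines that /etc/ldap.conf sets but /etc/openldap/ldap.conf lacks or sets differently."""
    src = parse_conf(ldap_conf_text)
    dst = parse_conf(openldap_conf_text)
    return [f"{dst_key} {src[src_key]}" for src_key, dst_key in KEY_MAP.items()
            if src_key in src and dst.get(dst_key.lower()) != src[src_key]]


def merged_openldap_conf(ldap_conf_text, openldap_conf_text):
    """Return the OpenLDAP client config with any missing TLS CA lines appended."""
    extra = missing_tls_options(ldap_conf_text, openldap_conf_text)
    if not extra:
        return openldap_conf_text
    return openldap_conf_text.rstrip("\n") + "\n" + "\n".join(extra) + "\n"


# Constructed sample contents (not the reporter's real files).
SAMPLE_LDAP_CONF = """# /etc/ldap.conf as written by the YaST LDAP client module (constructed)
host my.ldap.host.domain
base dc=example,dc=com
ssl start_tls
tls_cacertdir   /etc/openldap/cacerts/
"""
SAMPLE_OPENLDAP_CONF = """# /etc/openldap/ldap.conf before the fix (constructed)
HOST my.ldap.host.domain
BASE dc=example,dc=com
"""
```

Running missing_tls_options(SAMPLE_LDAP_CONF, SAMPLE_OPENLDAP_CONF) reports the single TLS_CACERTDIR line the reporter had to add by hand.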
Comment 11 Jiří Suchomel 2010-08-18 07:46:47 UTC
Fixed in svn and Factory
Comment 12 Андрей Кувшинов 2010-10-18 17:24:45 UTC
*** Bug 645194 has been marked as a duplicate of this bug. ***
Comment 13 Bernhard Wiedemann 2016-04-15 12:56:55 UTC
This is an autogenerated message for OBS integration:
This bug (629549) was mentioned in
https://build.opensuse.org/request/show/45746 Factory / yast2-ldap-client