Bug 689456

Summary: ldap connects over TLS fail with self-signed certificates
Product: [openSUSE] openSUSE 11.4
Reporter: Forgotten User wyufxo_kZK <forgotten_wyufxo_kZK>
Component: YaST2
Assignee: Ralf Haferkamp <ralf>
Status: RESOLVED NORESPONSE
QA Contact: Jiri Srain <jsrain>
Severity: Major
Priority: P3 - Medium
CC: jsuchome, peter, wolfgang
Version: Final
Target Milestone: ---
Hardware: x86
OS: openSUSE 11.4
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Forgotten User wyufxo_kZK 2011-04-23 14:35:22 UTC
User-Agent:       Mozilla/5.0 (X11; Linux i686; rv:2.0.0) Gecko/20100101 Firefox/4.0

Cannot connect to LDAP server over TLS when the server uses a self-signed
certificate.

LDAP client accesses from 11.4 fail when using TLS.
I receive the following error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed
certificate in certificate chain)

Reproducible: Always

Steps to Reproduce:
1.Generate CA certificate in yast
2.Generate server certificate and export them
4.Setup ldap server to use tls with server certificate
5.Setup ldap client, setting path to previously generated CA certificate in
Advanced section
Actual Results:
TLS: can't connect: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed
certificate in certificate chain).

Expected Results:
Successful connection to the LDAP server
Comment 1 Wolfgang Rosenauer 2011-04-27 12:20:56 UTC
Had the same issue. Peer certificate verification is enabled by default, which causes this. Either the default setting should be changed or an option is needed in YaST, since I expect it to work if I do everything using YaST (especially when using a "common server certificate").
Comment 2 Wolfgang Rosenauer 2011-04-27 15:10:54 UTC
rpm -q yast2-ldap-client
yast2-ldap-client-2.20.14.1-0.3.1.noarch
Comment 3 Jiří Suchomel 2011-04-27 19:12:42 UTC
Could you attach /etc/ldap.conf and /etc/openldap/ldap.conf?

Ralf, is this a known situation? What solution do we offer?
Comment 4 Wolfgang Rosenauer 2011-04-27 19:40:51 UTC
oxlive:/etc/ssl/certs # grep -Ev "^#|^$" /etc/ldap.conf
base    dc=ox,dc=rosenauer,dc=org
bind_policy     soft
pam_lookup_policy       yes
pam_password    exop
nss_initgroups_ignoreusers      root,ldap
nss_schema      rfc2307bis
nss_map_attribute       uniqueMember member
ssl     start_tls
uri     ldap://127.0.0.1
ldap_version    3
pam_filter      objectClass=posixAccount

oxlive:/etc/ssl/certs # grep -Ev "^#|^$" /etc/openldap/ldap.conf
host    localhost
base    dc=ox,dc=rosenauer,dc=org
Comment 5 Ralf Haferkamp 2011-05-12 13:31:24 UTC
Hm, I am not able to reproduce this problem on my test system. When I test this, yast2-ldap-client always creates the correct tls_cacert* options in /etc/ldap.conf, /etc/openldap/ldap.conf and /etc/sssd/sssd.conf. In your case they are clearly missing. Can you give some more detailed steps on how you set up your system and when exactly you get that error message (I was using the steps from the initial bug description)?

There is however a glitch in the sssd.conf and /etc/ldap.conf as created by yast2-ldap-client. It uses the IP address 127.0.0.1 instead of "localhost"; this will make certificate verification fail as well (unless you have 127.0.0.1 as a "Subject Alt Name" in your server certificate, which doesn't make any sense). But the failure message should be different from yours (something about the hostname not matching the CN attribute).
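The two causes named in this comment, a missing tls_cacert* option and an IP-literal URI that no certificate name will match, can be checked mechanically. The following is an added example (not code from this bug report or from yast2-ldap-client): a small linter for ldap.conf-style files, run over a constructed sample modelled on the file in comment 4 and over a corrected version of it.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the style of the /etc/ldap.conf from comment 4 (not the reporter's file):
# TLS is enabled, no CA option is present, and the URI uses an IP literal.
BROKEN_CONF = """\
base    dc=example,dc=org
ssl     start_tls
uri     ldap://127.0.0.1
ldap_version    3
"""

# The same file with both problems corrected (CA path taken from comment 6).
FIXED_CONF = """\
base    dc=example,dc=org
ssl     start_tls
uri     ldap://localhost
tls_cacertfile  /etc/ssl/certs/YaST-CA.pem
ldap_version    3
"""

def parse_ldap_conf(text):
    """Map lowercased keywords to values, skipping comments and blank lines."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def check_tls_config(text):
    """Return findings explaining why peer verification would fail or be bypassed."""
    opts = parse_ldap_conf(text)
    uris = opts.get("uri", "").split()
    if opts.get("ssl", "").lower() != "start_tls" and not any(u.startswith("ldaps://") for u in uris):
        return []  # TLS not in use, nothing to verify
    findings = []
    if not any(k in opts for k in ("tls_cacert", "tls_cacertfile", "tls_cacertdir")):
        findings.append("no tls_cacert/tls_cacertfile/tls_cacertdir: the signing CA cannot be found")
    # Disabled verification would "fix" the error while leaving the client open to a spoofed server.
    if opts.get("tls_checkpeer", "").lower() in ("no", "false") or opts.get("tls_reqcert", "").lower() in ("never", "allow"):
        findings.append("peer certificate verification is disabled")
    hosts = [urlsplit(u).hostname for u in uris] + opts.get("host", "").split()
    for host in filter(None, hosts):
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # a DNS name can match the certificate CN or subjectAltName
        findings.append(f"host {host} is an IP literal; the server cert would need it as a subjectAltName")
    return findings
```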
Comment 6 Peter Martinovic 2011-05-15 15:04:26 UTC
Hello,

it seems that the problem is that the server certificate key file generated by yast (/etc/ssl/servercerts/serverkey.pem) is not readable by the ldap user account.

To fix it I copied the files
/etc/ssl/certs/YaST-CA.pem
/etc/ssl/servercerts/servercert.pem
/etc/ssl/servercerts/serverkey.pem
to
/etc/openldap/certs/ca.pem
/etc/openldap/certs/servercert.pem
/etc/openldap/certs/serverkey.pem

and made them owned by root.ldap
chown root.ldap /etc/openldap/certs/*

and made them readable by ldap group
chmod g+r /etc/openldap/certs/*

I edited the following config files
(according to http://www.openldap.org/doc/admin23/tls.html#TLS Certificates)

/etc/openldap/ldap.conf:
tls_cacert      /etc/openldap/certs/ca.pem

/etc/openldap/slapd.conf:
TLSCACertificateFile /etc/openldap/certs/ca.pem
TLSCertificateFile /etc/openldap/certs/servercert.pem
TLSCertificateKeyFile /etc/openldap/certs/serverkey.pem

I also edited /etc/ldap.conf (is this necessary?):
tls_cacertfile /etc/openldap/certs/ca.cert

The LDAP TLS seems to work fine now (verified by Yast Ldap Browser).


Another possibility would be to set the user rights directly on /etc/ssl/servercerts/serverkey.pem, but I did not consider it to be a cleaner solution.


Cheers,

Peter
Comment 7 Peter Martinovic 2011-05-15 17:34:17 UTC
Ehm, maybe I was wrong :-) The other reason, of course, could be that the TLS* lines were not created in the conf files by yast.
Comment 8 Peter Martinovic 2011-05-15 18:32:36 UTC
Sorry to spam this issue. I must confirm that I was wrong in my first comment. The problem is that the config lines were not created by yast, not the user rights. Please be so kind and delete my comments.
Comment 9 Ralf Haferkamp 2011-05-23 15:39:11 UTC
Setting back to NEEDINFO to get the info requested in comment #5.
Comment 10 Ralf Haferkamp 2011-06-22 13:18:10 UTC
The requested information was not provided. Closing as "NORESPONSE". Feel free to reopen when you can supply the requested information.