[Bug 241128] [NEW] SSL Certificates not recognized properly with certain LDAP configuration choices
Ben Klang
ben at alkaloid.net
Thu Jun 19 01:17:09 BST 2008
Public bug reported:
In my environment we have deployed an OpenLDAP server secured with SSL
and a private certificate authority. When installing the libnss-ldap or
libnss-ldapd packages the configurator prompts for several values which
it uses to configure the respective files. Unfortunately the resulting
configuration does not work.
There are several seemingly inter-related issues at play here:
* As mentioned in passing in bug #70146 there is a problem where SSL does not work with tls_checkpeer enabled when using the "uri" directive instead of the "host" directive to specify LDAP servers.
* To aggravate the above the LDAP configuration tool that runs when
installing libnss-ldap or libnss-ldapd uses the "uri" directive instead
of the "host" directive when writing a new ldap.conf or nss_ldap.conf.
Since the default value of tls_checkpeer is enabled the result is a
broken system.
* gnutls does not appear to support the "tls_cacertdir" directive though
this is not documented anywhere. Since libnss-ldap and libnss-ldapd
appear to be using gnutls this causes failures when trying to use the
tls_cacertdir directive.
Thus there is only one working combination of directives to use a fully functional and verified SSL connection:
host ldap.example.com
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/localca.pem
** Affects: libnss-ldap (Ubuntu)
Importance: Undecided
Status: New
--
SSL Certificates not recognized properly with certain LDAP configuration choices
https://bugs.launchpad.net/bugs/241128
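The three observations in the report (`uri` plus `tls_checkpeer` breaks verification, `tls_cacertdir` is not honoured by the gnutls-based builds, and only `host` + `tls_checkpeer yes` + `tls_cacertfile` gives a verified connection) can be turned into a quick lint of an ldap.conf / nss_ldap.conf before deploying it. The script below is an added example, not code from the bug report or from the libnss-ldap package. It assumes the `directive value` line syntax of nss_ldap, takes the reporter's statement that `tls_checkpeer` defaults to enabled as its default, and the sample configurations embedded in it are constructed for this example (the "broken" one mirrors what the report says the configurator writes).

```python
"""Lint an nss_ldap-style ldap.conf for the TLS pitfalls described in the report.

Added example, not part of the original bug report or of libnss-ldap.
Rules encode the reporter's observations; defaults (tls_checkpeer on when
absent) are taken from the report.  Sample configs below are constructed.
"""

# Constructed: what the report says the debconf configurator produces
BROKEN_CONF = """\
# uri + default tls_checkpeer + tls_cacertdir: the failing combination
base dc=example,dc=com
uri ldaps://ldap.example.com/
ldap_version 3
ssl on
tls_cacertdir /etc/ssl/certs
"""

# Constructed: the combination the report found to work
WORKING_CONF = """\
base dc=example,dc=com
host ldap.example.com
ldap_version 3
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/localca.pem
"""

# Constructed: "fixes" the error by switching verification off (encrypted,
# but the server is no longer authenticated)
UNVERIFIED_CONF = """\
host ldap.example.com
ssl start_tls
tls_checkpeer no
"""


def parse_ldap_conf(text):
    """Parse `directive value` lines into {directive: [values]}.

    Directive names are matched case-insensitively; repeated directives
    (e.g. several `host` lines) are collected in order.  Lines starting
    with '#' and blank lines are ignored.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def tls_in_use(conf):
    """True if the config asks for TLS via `ssl on`, `ssl start_tls` or an ldaps:// uri."""
    ssl_mode = conf.get("ssl", ["no"])[-1].lower()
    ldaps = any(u.lower().startswith("ldaps://") for u in conf.get("uri", []))
    return ssl_mode in ("on", "start_tls") or ldaps


def checkpeer_enabled(conf):
    """Per the report, tls_checkpeer is enabled when the directive is absent."""
    return conf.get("tls_checkpeer", ["yes"])[-1].lower() == "yes"


def lint_ldap_conf(text):
    """Return a list of (code, message) findings; empty list means clean."""
    conf = parse_ldap_conf(text)
    findings = []
    if not tls_in_use(conf):
        findings.append(("PLAINTEXT",
                         "no `ssl on`/`start_tls`/ldaps:// uri: lookups and binds are sent in the clear"))
        return findings
    if "tls_cacertdir" in conf:
        findings.append(("CACERTDIR",
                         "tls_cacertdir is not honoured by the gnutls-based libnss-ldap(d); use tls_cacertfile"))
    if "uri" in conf and checkpeer_enabled(conf):
        findings.append(("URI_CHECKPEER",
                         "peer verification fails when servers are given with `uri`; use `host` instead"))
    if not checkpeer_enabled(conf):
        findings.append(("NO_CHECKPEER",
                         "tls_checkpeer no: the connection is encrypted but the server is not authenticated"))
    elif "tls_cacertfile" not in conf:
        findings.append(("NO_CAFILE",
                         "tls_checkpeer is on but no tls_cacertfile points at the private CA; verification cannot succeed"))
    return findings


def finding_codes(text):
    """Just the finding codes, convenient for scripting and tests."""
    return [code for code, _ in lint_ldap_conf(text)]


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("working", WORKING_CONF),
                       ("unverified", UNVERIFIED_CONF)):
        print(name, finding_codes(conf))
```

Run it against `/etc/ldap.conf` or `/etc/nss_ldap.conf` (`lint_ldap_conf(open(path).read())`) before restarting nscd; the order of the rules is deliberate, since a config with both `uri` and `tls_cacertdir` needs both directives replaced, not just one.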