ldap not finding internal CA?
Hello all,
On Ubuntu, I have set up an LDAP server and am authenticating to it
over SSL for my LDAP queries. I had it working on previous Ubuntu
releases, but something seems to have changed in the newest release
(maybe this: http://www.debian-administration.org/users/dkg/weblog/42).
I am having trouble figuring out exactly what is breaking.
Some background: I have set up my own CA and generated a certificate
for it, which the LDAP server is using. Without specifying this CA, I
get "self-signed certificate" errors when connecting:
root@host:# openssl s_client -connect my.ldap.server:636 -showcerts
CONNECTED(00000003)
<... trimmed certificate information ...>
verify error:num=19:self signed certificate in certificate chain
verify return:0
<... trimmed more certificate information ...>
If I specify the path to my internal CA file, I receive no errors:
root@host:# openssl s_client -connect my.ldap.server:636 -showcerts -CAfile /path/to/my/ca/file
CONNECTED(00000003)
<... trimmed certificate and internal CA information ...>
verify return:1
<... trimmed more certificate information ...>
That being said, I manually specified the path to my internal CA file
in /etc/ldap/ldap.conf:
BASE dc=my, dc=search, dc=base
URI ldaps://my.ldap.server
TLS_CACERT /path/to/my/ca/file
TLS_REQCERT demand
TIMEOUT 4
NETWORK_TIMEOUT 2
This still allows no secure ldap queries:
root@host:# ldapsearch -x -d1
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP my.ldap.server:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying my.ldap.server.ip:636
ldap_pvt_connect: fd: 3 tm: 2 async: 0
ldap_ndelay_on: 3
ldap_int_poll: fd: 3 tm: 2
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_pvt_connect: 0
TLS: peer cert untrusted or revoked (0x102)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Just to prove that the above configuration is the one being used, if I
switch the above configuration to "TLS_REQCERT allow", the ldap
queries bypass this issue:
root@myhost:# ldapsearch -x -d1 > /dev/null
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP auth01.rdc.internal:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.41:636
ldap_pvt_connect: fd: 3 tm: 2 async: 0
ldap_ndelay_on: 3
ldap_int_poll: fd: 3 tm: 2
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_pvt_connect: 0
TLS: peer cert untrusted or revoked (0x102)
ldap_open_defconn: successful
<... trimmed rest of results ...>
My openldap is version 2.4.15 on Ubuntu Jaunty. Interestingly, I had
the same message about self-signed certificates on previous Ubuntu
versions, but querying ldap with "TLS_REQCERT demand" works fine.
So what is the solution to this problem? Do I switch to "TLS_REQCERT
allow"? Or perhaps there's some way to debug why openldap is not
seeing the internal CA file even though I've told it where to look?
Thanks for any pointers...
-Kurt
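An added check (not part of Kurt's post or of OpenLDAP itself) that reads the client config and the `ldapsearch -d1` trace quoted above and reports whether the 0x102 result is being rejected or merely masked by a weak TLS_REQCERT. It assumes libldap's default TLS_REQCERT is demand and matches only on strings that appear in the traces; the sample config and trace lines are constructed from the post.

```python
# Audit an ldap.conf TLS setting together with an `ldapsearch -d1` trace, to
# tell a genuine verification failure from one that TLS_REQCERT allow/never
# is silently waving through (a MITM would be accepted in the same way).

# Constructed samples, taken from the two runs shown in the post.
CONF_ALLOW = """\
BASE dc=my, dc=search, dc=base
URI ldaps://my.ldap.server
TLS_CACERT /path/to/my/ca/file
TLS_REQCERT allow
"""
TRACE_ALLOW = """\
ldap_pvt_connect: 0
TLS: peer cert untrusted or revoked (0x102)
ldap_open_defconn: successful
"""
TRACE_DEMAND = """\
ldap_pvt_connect: 0
TLS: peer cert untrusted or revoked (0x102)
TLS: can't connect: (unknown error code).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
"""

def parse_ldap_conf(text):
    """Map upper-cased keys to values; '#' comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(conf_text, trace_text):
    """Return a list of findings; an empty list means TLS verified cleanly."""
    conf = parse_ldap_conf(conf_text)
    mode = conf.get("TLS_REQCERT", "demand").lower()  # libldap default is demand
    untrusted = "peer cert untrusted or revoked" in trace_text
    connected = "ldap_open_defconn: successful" in trace_text
    findings = []
    if mode in ("allow", "never"):
        findings.append(f"config: TLS_REQCERT {mode} disables peer certificate verification")
    if untrusted and connected:
        findings.append("trace: session continued after an untrusted peer cert (verification bypassed)")
    elif untrusted:
        cafile = conf.get("TLS_CACERT", "(unset)")
        findings.append(f"trace: peer cert does not chain to TLS_CACERT {cafile}; confirm the file "
                        "is PEM, readable by the client user, and contains the issuing CA")
    return findings
```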