Sent: Tue Jun 12 2012 12:08:52 GMT-0400 (EDT)
From: Patrick Hemmer <firstname.lastname@example.org>
Subject: TLS issues when setting olcTLSCACertificateFile to the CA bundle
Whenever I set olcTLSCACertificateFile to /etc/pki/tls/certs/ca-bundle.crt LDAP clients get cert errors connecting to the server. But it works fine when I point olcTLSCACertificateFile at the actual server cert instead of the CA bundle.
So I found the cause of this issue. What is happening is that I have the chain cert bundled in with the server's cert. Apparently the chain cert MUST be placed in the file referenced by olcTLSCACertificateFile.
However, this now introduces a problem. We are requiring client certificates for all connections, and we are using our own CA cert to sign the client certs, and then telling OpenLDAP to trust only our CA. However, by having to add the chain cert to the CAs that OpenLDAP will recognize, other clients signed with that chain cert can now connect, not just clients signed with our CA.
OpenLDAP does not appear to have any method for specifying that a cert file should only be used as the chain cert of the server's certificate. While browsing around trying to understand exactly what was going on, I found other projects like apache httpd have configuration parameters (SSLCertificateChainFile) to specify chain cert files for exactly this reason. Is there any particular reason OpenLDAP does not have this capability?
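The trust widening described in the mail, reproduced as an added example that is not part of the original message: a constructed CA hierarchy (hypothetical names PublicRoot, PublicInt, OurCA, ldap-server, our-client, stranger) and `openssl verify`, which builds chains under the same rules as OpenLDAP's OpenSSL backend. It assumes the `openssl` command line is installed.

```shell
#!/bin/sh
# Added example, not from the thread: show that putting the server's chain
# cert (and its root) into the trusted CA file makes ANY cert that chain
# issued acceptable, not only certs signed by our private CA.
# All names below are hypothetical and the hierarchy is constructed here:
#   PublicRoot -> PublicInt -> ldap-server   (PublicInt is the "chain cert")
#   OurCA      -> our-client                 (the only clients we intend to accept)
set -e
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT; cd "$W"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

keycsr() {   # $1 = name: fresh key and CSR with CN=$1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
}
selfsign() { # $1 = name: self-signed root CA
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -out "$1.crt" -days 1 \
    -extfile ca.ext 2>/dev/null
}
issue() {    # $1 = name, $2 = issuer, $3 = extension file
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -out "$1.crt" -days 1 -extfile "$3" 2>/dev/null
}

keycsr PublicRoot;  selfsign PublicRoot
keycsr PublicInt;   issue PublicInt PublicRoot ca.ext
keycsr ldap-server; issue ldap-server PublicInt leaf.ext   # the slapd server cert
keycsr OurCA;       selfsign OurCA
keycsr our-client;  issue our-client OurCA leaf.ext        # client we mean to accept
keycsr stranger;    issue stranger PublicInt leaf.ext      # any other cert PublicInt issued

cp OurCA.crt intended-ca.crt                                # trust only our CA
cat OurCA.crt PublicInt.crt PublicRoot.crt > widened-ca.crt # our CA + server's chain

# $1 = CA file, $2 = client cert: the decision a verifier trusting $1 reaches.
# -no-CAfile/-no-CApath keep the system trust store out of the picture.
verdict() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
  then echo ACCEPT; else echo REJECT; fi
}

for ca in intended-ca.crt widened-ca.crt; do
  for c in our-client stranger; do
    printf '%-16s %-11s %s\n' "$ca" "$c" "$(verdict "$ca" "$c.crt")"
  done
done
```

The last line of the table is the problem from the mail: with the chain cert in the CA file, `stranger` is accepted alongside `our-client`, so the file that makes the server's own chain work also widens client trust.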