
Phantom certificates?

	I am trying to understand how an LDAP server's certificate is
being verified in the absence of the appropriate CA certificates.  I
have openldap 2.4.23-34 installed.

     	If I set TLS_CACERTDIR to a dummy directory (like /home/aarenson),
ldapsearch tells me, as expected, that the server's certificate is
not verified. If I set TLS_CACERTDIR to a directory where I have placed
the file with my CA certificates, ldapsearch tells me, again as expected,
that the server's certificate _IS_ verified.

        The situation that is surprising me, though, is that if I set
TLS_CACERTDIR to /etc/openldap/certs, which has the cert8.db file, but
as far as I can tell has no actual certificates in that database,
ldapsearch tells me, surprisingly, that the server's certificate _IS_ verified.

        How is openldap verifying my server's certificate?

      	When I look in /etc/openldap/certs for certificates, I find
none:

============================================================================
[root@in-rtls-dev02 certs]# pwd
/etc/openldap/certs

[root@in-rtls-dev02 certs]# ls
cert8.db  key3.db  less  password  secmod.db

[root@in-rtls-dev02 certs]# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
============================================================================

	I have put a file with the appropriate chain of signing certificates
in /etc/pki/tls/certs as incommon_chain_2013.pem:

============================================================================
[root@in-rtls-dev02 certs]# pwd
/etc/pki/tls/certs

[root@in-rtls-dev02 certs]# ls
3641f99d.0  Makefile             incommon-ie.pem          make-dummy-cert
9de8458f.0  ca-bundle.crt        incommon_chain_2013.pem  renew-dummy-cert
9ef5f911.0  ca-bundle.trust.crt  iu-bl-inter-ie.pem

============================================================================

	Here's the system ldap configuration I'm using:

============================================================================
[root@in-rtls-dev02 openldap]# pwd
/etc/openldap

[root@in-rtls-dev02 openldap]# cat ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

#TLS_REQCERT    allow
TLS_REQCERT     demand

#TLS_CACERTDIR  /etc/openldap/certs
#TLS_CACERTDIR  /etc/pki/tls/certs
TLS_CACERTDIR   /home/aarenson

============================================================================

	Here is the user ldap configuration I'm using. It is all commented
out:

============================================================================
[in-rtls-dev02.uits.iupui.edu:/home/aarenson] bash> cat .ldaprc
# Instruct client to try requesting a server's cert.
#TLS_REQCERT   allow
#TLS_REQCERT   demand

# Define location of CA Cert
#TLS_CACERTDIR /etc/openldap/certs
#TLS_CACERTDIR /etc/pki/tls/certs
#TLS_CACERTDIR /home/aarenson

============================================================================

	Here are the three invocations of ldapsearch:

============================================================================
[in-rtls-dev02.uits.iupui.edu:/home/aarenson] bash> ldapsearch -d 9 -D "aarenson@ads.iu.edu" -w "<PASSWORD>" -H ldaps://ads.iu.edu:636 -b "ou=Accounts,dc=ads,dc=iu,dc=edu" -s sub "(sAMAccountName=aarenson)"
...
TLS: certificate [CN=InCommon Server CA,OU=InCommon,O=Internet2,C=US] is not valid - error -8179:Peer's Certificate issuer is not recognized..
...

[in-rtls-dev02.uits.iupui.edu:/home/aarenson] bash> LDAPTLS_CACERTDIR=/etc/pki/tls/certs LDAPTLS_REQCERT=demand ldapsearch -d 9 -D "aarenson@ads.iu.edu" -w "<PASSWORD>" -H ldaps://ads.iu.edu:636 -b "ou=Accounts,dc=ads,dc=iu,dc=edu" -s sub "(sAMAccountName=aarenson)"
...
distinguishedName: CN=aarenson,OU=Accounts,DC=ads,DC=iu,DC=edu
...

[in-rtls-dev02.uits.iupui.edu:/home/aarenson] bash> LDAPTLS_CACERTDIR=/etc/openldap/certs LDAPTLS_REQCERT=demand ldapsearch -d 9 -D "aarenson@ads.iu.edu" -w "<PASSWORD>" -H ldaps://ads.iu.edu:636 -b "ou=Accounts,dc=ads,dc=iu,dc=edu" -s sub "(sAMAccountName=aarenson)"
...
distinguishedName: CN=aarenson,OU=Accounts,DC=ads,DC=iu,DC=edu
...

============================================================================

Andy

-- 
Andrew D. Arenson                                      | aarenson (@) iu.edu
Advanced Biomedical IT Core, Research Technologies, UITS  | W (317) 278-1208
RT is a PTI Cyberinfrastructure & Service Center          | C (317) 679-4669
Indiana University Purdue University Indianapolis         | F (317) 278-1852
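
Added example, not part of Andy's message or of the OpenLDAP project: a
small POSIX shell script that classifies what a TLS_CACERTDIR actually
holds, because the answer to the question above depends on which TLS
backend libldap was built against. libldap built against OpenSSL looks
CA certificates up in TLS_CACERTDIR by subject-hash file name (the
3641f99d.0 style links in /etc/pki/tls/certs), so a directory with only
cert8.db/key3.db/secmod.db is empty to it. libldap built against Mozilla
NSS (what RHEL/CentOS 6 ships as openldap 2.4.23) instead opens such a
directory as an NSS certificate database, and a plain "certutil -L" lists
only the certificates stored in that database's own token, not trust
anchors supplied by PKCS#11 modules registered in secmod.db (for example
the Mozilla builtin roots module, libnssckbi.so). Whether this host's
secmod.db registers such a module is an assumption to verify with the
modutil/certutil check below, not something the post shows; the sample
directory layouts used to exercise the functions are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenLDAP): inspect a
# TLS_CACERTDIR the way the two libldap TLS backends would see it.
#   - OpenSSL-built libldap: only <subject-hash>.N files count (c_rehash style).
#   - NSS-built libldap: cert8.db (or cert9.db for the sql: format) marks an
#     NSS database; trust may also come from PKCS#11 modules in secmod.db,
#     which "certutil -L" does not show unless asked for that token.

# Print one of: none, nss-db, openssl-hashdir, mixed
cacertdir_kind() {
    dir=$1
    nss=0
    hashed=0
    if [ -f "$dir/cert8.db" ] || [ -f "$dir/cert9.db" ]; then
        nss=1
    fi
    for f in "$dir"/*.[0-9]*; do
        [ -e "$f" ] || continue
        case ${f##*/} in
            # eight lowercase hex digits, a dot, then a small integer suffix
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                hashed=$((hashed + 1)) ;;
        esac
    done
    if [ "$nss" -eq 1 ] && [ "$hashed" -gt 0 ]; then
        echo mixed
    elif [ "$nss" -eq 1 ]; then
        echo nss-db
    elif [ "$hashed" -gt 0 ]; then
        echo openssl-hashdir
    else
        echo none
    fi
}

# Count .pem/.crt files in the directory. An OpenSSL-built libldap ignores
# these in TLS_CACERTDIR unless a hash link points at them (use TLS_CACERT
# for a bundle file instead), which is a common reason a "full" directory
# still verifies nothing.
unhashed_pem_count() {
    dir=$1
    n=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -e "$f" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}

# For an NSS database, show what a bare "certutil -L" hides: the PKCS#11
# modules registered in secmod.db and, if the Mozilla builtin roots module is
# among them, the anchors it provides. Needs the nss-tools package; returns 2
# when modutil/certutil are not installed.
nss_show_hidden_trust() {
    dir=$1
    command -v modutil >/dev/null 2>&1 || return 2
    command -v certutil >/dev/null 2>&1 || return 2
    echo "== PKCS#11 modules registered in $dir/secmod.db =="
    modutil -dbdir "$dir" -list
    if modutil -dbdir "$dir" -list 2>/dev/null | grep -q 'Builtin Object Token'; then
        echo "== CA certificates provided by the builtin roots module =="
        certutil -d "$dir" -L -h 'Builtin Object Token'
    fi
}

# One-line summary per directory, plus the NSS module listing where relevant.
report() {
    dir=$1
    kind=$(cacertdir_kind "$dir")
    echo "$dir: $kind, $(unhashed_pem_count "$dir") unhashed PEM/CRT file(s)"
    if [ "$kind" = nss-db ] || [ "$kind" = mixed ]; then
        nss_show_hidden_trust "$dir" || echo "(nss-tools not installed; cannot list modules)"
    fi
}

# Usage: sh check_cacertdir.sh /etc/openldap/certs /etc/pki/tls/certs /home/aarenson
for d in "$@"; do
    report "$d"
done
```

Run it against the three directories from the post; the directory that
reports "nss-db" is the one where the module listing, not "certutil -L",
tells you which roots an NSS-built ldapsearch can chain to.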