On 7/27/2016 11:19 PM, Ulrich Windl wrote:
Nat Sincheler <fai1107@macrotex.net> schrieb am 26.07.2016 um 17:20 inNachricht <991f77f9-fd05-eb9b-7f07-f350c4a7bc68@macrotex.net>:On 7/25/2016 11:24 PM, Ulrich Windl wrote:Nat Sincheler <fai1107@macrotex.net> schrieb am 25.07.2016 um 19:06 inNachricht <c19c2a3a-3c90-5baa-43c7-800b050ea5b7@macrotex.net>:We have an OpenLDAP server that is listening on port 636 over ldaps. When I run openssl s_client -showcerts -connect ldap-server:636 I only see the host certificate. The intermediate and root certificates do *not* come through.If I di that on one of outr servers, I get: Root CA Intermediate CA Server Certificate ... New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bitFor this server I have in the file slapd.d/cn=config.ldif the setting olcTLSCACertificatePath: /etc/ssl/certsHi! Here it works with these settings: olcTLSCACertificatePath: /etc/ssl/certs olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key Could it be a permissions problem? Did you try to check the certificatechain with openssl (preferrable as LDAP user)? When I run the openssl s_client command I get no errors, but I also get no intermediate or root certificates sent. I see this in the output: "No client certificate CA names sent".Hi! To me it looks like a problem with your certificates. Try to verify them using openssl, like this: openssl verify -CApath /etc/ssl/certs -verbose /etc/ssl/servercerts/slapd.pem /etc/ssl/servercerts/slapd.pem: OK
% grep -R Certificate *.ldif olcTLSCACertificatePath: /etc/ssl/certs olcTLSCertificateFile: /etc/ssl/certs/server.pem olcTLSCertificateKeyFile: /etc/ssl/private/server.key% directory2:/etc/ldap# openssl verify -CApath /etc/ssl/certs -verbose /etc/ssl/certs/server.pem
/etc/ssl/certs/server.pem: OKSo, the openssl command line can find the certificate chain. Why can't openldap?
Regards, UlrichIt appears that OpenLDAP is not sending the intermediate or root certificates. However, if I put all the intermediate and root certificates into a single file and point olcTLSCACertificateFile at this file, those intermediate certificates _are_ sent. So, it appears that olcTLSCACertificateFile sends the certificates but but olcTLSCACertificatePath does not. Am I misunderstanding the purpose olcTLSCACertificatePath? Thanks.Regards, UlrichI checked and all the intermediate and root certificates are in /etc/ssl/certs soft-linked via the usual OpenSSL rehash hash, e.g., lrwxrwxrwx 1 root root 42 Jul 14 19:03 b4261fc2.0 -> /etc/ssl/certs/incommon-usertrust-2024.pem Any idea why the intermediate and root certificates do not get sent to the LDAPS client? Is there something in the LDAP log that might give me a clue as to what is going on?