Hi,
I am having a problem with LDAP after updating packages (UCS version is 5.0-9).
When I try logging in to the Web console I get this message:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/univention/management/console/ldap.py", line 188, in getter
raise KeyError()
KeyError
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/univention/uldap.py", line 220, in _decorated
return func(self, *args, **kwargs)
File "/usr/lib/python3/dist-packages/univention/uldap.py", line 416, in __starttls
self.lo.start_tls_s()
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1220, in start_tls_s
res = self._apply_method_s(SimpleLDAPObject.start_tls_s,*args,**kwargs)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
return func(self,*args,**kwargs)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 864, in start_tls_s
return self._ldap_call(self._l.start_tls_s)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
raise exc_value
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'desc': 'Connect error', 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)'}
When I check the LDAP server with:
ldapsearch -d 1 -x -LLL -H ldaps://dc1.storage.ztm.hr:7636 -D "uid=administrator,cn=users,dc=storage,dc=ztm,dc=hr" -W -b "cn=users,dc=example,dc=com" "(&(objectClass=inetOrgPerson)(uid=Administrator))"
I get:
ldapsearch -d 1 -x -LLL -H ldaps://dc1.storage.ztm.hr:7636 -D "uid=administrator,cn=users,dc=storage,dc=ztm,dc=hr" -W -b "cn=users,dc=example,dc=com" "(&(objectClass=inetOrgPerson)(uid=Administrator))"
ldap_url_parse_ext(ldaps://dc1.storage.ztm.hr:7636)
ldap_create
ldap_url_parse_ext(ldaps://dc1.storage.ztm.hr:7636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP dc1.storage.ztm.hr:7636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.10.11.47:7636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS certificate verification: depth: 1, err: 20, subject: /C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4, issuer: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I tried putting the GEANT certificate into /usr/local/share/ca-certificates and running update-ca-certificates, but the problem still persists. The part of my /etc/ldap/slapd.conf regarding certificates looks like this:
TLSCertificateFile /etc/univention/ssl/dc1.storage.ztm.hr/ldap_cert.pem
TLSCertificateKeyFile /etc/univention/ssl/dc1.storage.ztm.hr/private.key
TLSCACertificateFile /usr/local/share/ca-certificates/Geant.crt
#TLSCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
TLSCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
TLSProtocolMin 3.1
TLSDHParamFile /etc/ldap/dh_2048.pem
I have run out of ideas. What is wrong with my configuration?
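As an added example (not code from the original post or from Univention), here is a small Python helper that pulls the "TLS certificate verification" lines out of an ldapsearch -d 1 trace like the one above and names the certificate the client's trust store is missing. The embedded sample trace is an excerpt of the post's own output; the error-code table holds OpenSSL's X509_V_ERR values for the codes that typically show up in such traces.

```python
"""Triage the 'TLS certificate verification' lines of an OpenLDAP -d 1 trace."""
import re
from dataclasses import dataclass
from typing import List, Optional

# OpenSSL X509_V_ERR_* codes as they appear after "err:" in the trace.
X509_VERIFY_ERRORS = {
    2: "unable to get issuer certificate",
    10: "certificate has expired",
    18: "self-signed certificate",
    19: "self-signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

LINE_RE = re.compile(
    r"TLS certificate verification: depth: (\d+), err: (\d+), "
    r"subject: (.*?), issuer: (.*)$"
)

# Excerpt of the ldapsearch -d 1 output quoted in the post above.
SAMPLE_TRACE = """\
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS certificate verification: depth: 1, err: 20, subject: /C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4, issuer: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
"""


@dataclass
class VerifyEvent:
    depth: int      # 0 = server (leaf) certificate, 1 = first intermediate, ...
    err: int        # OpenSSL X509_V_ERR code
    subject: str
    issuer: str

    @property
    def meaning(self) -> str:
        return X509_VERIFY_ERRORS.get(self.err, f"unknown X509_V_ERR code {self.err}")


def parse_verify_trace(trace: str) -> List[VerifyEvent]:
    """Return one VerifyEvent per failed verification step found in the trace."""
    events = []
    for line in trace.splitlines():
        m = LINE_RE.search(line)
        if m:
            depth, err, subject, issuer = m.groups()
            events.append(VerifyEvent(int(depth), int(err), subject, issuer))
    return events


def missing_issuer(events: List[VerifyEvent]) -> Optional[str]:
    """For err 20 the client's CA file lacks the issuer of the failing certificate:
    at depth 0 that is the issuer of the server certificate (intermediate neither
    sent nor trusted); at depth >= 1 it is the issuer of that intermediate, i.e.
    the root, which must be present in the CA file the client actually uses."""
    return next((ev.issuer for ev in events if ev.err == 20), None)


if __name__ == "__main__":
    for ev in parse_verify_trace(SAMPLE_TRACE):
        print(f"depth {ev.depth}: {ev.meaning} for {ev.subject}")
    print("add to the client trust store:", missing_issuer(parse_verify_trace(SAMPLE_TRACE)))
```

Run it against the full ldapsearch -d 1 output (for example saved with 2>trace.log) to see which DN the client could not find locally; that DN, not the intermediate, has to be in the CA file the failing client reads.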