LDAP not working because of TLS certificate

Hi,

I am having a problem with LDAP after updating packages (UCS version is 5.0-9).
When I try logging in to the Web console I get this message:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/management/console/ldap.py", line 188, in getter
    raise KeyError()
KeyError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 220, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 416, in __starttls
    self.lo.start_tls_s()
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1220, in start_tls_s
    res = self._apply_method_s(SimpleLDAPObject.start_tls_s,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 864, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'desc': 'Connect error', 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)'}

When I check the LDAP server with:

ldapsearch -d 1 -x -LLL -H ldaps://dc1.storage.ztm.hr:7636 -D "uid=administrator,cn=users,dc=storage,dc=ztm,dc=hr" -W -b "cn=users,dc=example,dc=com" "(&(objectClass=inetOrgPerson)(uid=Administrator))"

I get:

ldapsearch -d 1 -x -LLL -H ldaps://dc1.storage.ztm.hr:7636 -D "uid=administrator,cn=users,dc=storage,dc=ztm,dc=hr" -W -b "cn=users,dc=example,dc=com" "(&(objectClass=inetOrgPerson)(uid=Administrator))"
ldap_url_parse_ext(ldaps://dc1.storage.ztm.hr:7636)
ldap_create
ldap_url_parse_ext(ldaps://dc1.storage.ztm.hr:7636/??base)
Enter LDAP Password: 
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP dc1.storage.ztm.hr:7636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.10.11.47:7636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS certificate verification: depth: 1, err: 20, subject: /C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4, issuer: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I tried putting the GEANT certificate into /usr/local/share/ca-certificates and running update-ca-certificates, but the problem still persists. The part of my /etc/ldap/slapd.conf regarding certificates looks like:

TLSCertificateFile      /etc/univention/ssl/dc1.storage.ztm.hr/ldap_cert.pem
TLSCertificateKeyFile   /etc/univention/ssl/dc1.storage.ztm.hr/private.key
TLSCACertificateFile    /usr/local/share/ca-certificates/Geant.crt
#TLSCACertificateFile   /etc/univention/ssl/ucsCA/CAcert.pem
TLSCipherSuite  HIGH:MEDIUM:!aNULL:!MD5:!RC4
TLSProtocolMin  3.1
TLSDHParamFile  /etc/ldap/dh_2048.pem

I have run out of ideas; what is wrong with my configuration?

Check the /etc/ldap/ldap.conf. TLS_CACERT always is set to /etc/univention/ssl/ucsCA/CAcert.pem.

Probably you've edited the file manually and that change was overwritten during the update via the UCR template. Unfortunately there seems to be no supported way to change this.
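A way to check what the reply describes, as an added example that is not part of this thread or of UCS: it reads the TLS_CACERT / TLS_REQCERT client options from an ldap.conf (a constructed sample is embedded), interprets the "TLS certificate verification" line from the ldapsearch -d 1 output above, and can re-run the LDAPS handshake against that CA file with Python's ssl module. The hostname and port used in the question are the only site-specific values; pass your own.

```python
"""Diagnose the thread's LDAPS 'certificate verify failed' as libldap sees it:
read TLS_* options from ldap.conf, interpret the `ldapsearch -d 1` verification
line, and re-run the handshake against that CA file.  Added example; the
ldap.conf text below is constructed, not taken from the poster's system."""
import re
import socket
import ssl
# Constructed ldap.conf content in the form UCR generates it (per the reply).
SAMPLE_LDAP_CONF = """\
# Managed by UCR; manual edits are overwritten on update.
TLS_CACERT\t/etc/univention/ssl/ucsCA/CAcert.pem
TLS_REQCERT demand
"""
# Verification line from the ldapsearch -d 1 output in the question.
SAMPLE_TRACE = ("TLS certificate verification: depth: 1, err: 20, subject: "
                "/C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4, issuer: /C=US/"
                "ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust "
                "RSA Certification Authority")

def parse_ldap_conf(text):
    """Return TLS_* options from ldap.conf text (keys are case-insensitive)."""
    opts = {}
    for line in text.splitlines():
        parts = re.split(r"\s+", line.strip(), maxsplit=1)
        if len(parts) == 2 and parts[0].upper().startswith("TLS_"):
            opts[parts[0].upper()] = parts[1]
    return opts

def explain_trace(line):
    """Parse libldap's verification line.  err 20 is OpenSSL's
    UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the issuer of the cert at that depth
    is not in TLS_CACERT, so that issuer DN is the CA the file must contain."""
    m = re.search(r"depth: (\d+), err: (\d+), subject: (.*?), issuer: (.*)$", line)
    if not m:
        return None
    return {"depth": int(m[1]), "err": int(m[2]), "subject": m[3],
            "issuer": m[4], "missing_ca": m[4] if int(m[2]) == 20 else None}

def verify_ldaps(host, port, cafile, timeout=5.0):
    """Handshake with host:port trusting only cafile, as libldap does under
    TLS_REQCERT demand; on failure detail is OpenSSL's verify message."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
             ctx.wrap_socket(raw, server_hostname=host) as tls:
            return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, str(exc)
```

On the affected host, `verify_ldaps("dc1.storage.ztm.hr", 7636, parse_ldap_conf(open("/etc/ldap/ldap.conf").read())["TLS_CACERT"])` reproduces the "unable to get local issuer certificate" message from the traceback when the CA file does not contain the chain's root.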