LDAP StartTLS - change hostname and certificate


#1

In UCS LDAP is configured to use the local certificate for StartTLS, based on the root certificate of the UCS.

We have some external servers that I would like to connect to LDAP StartTLS.
To achieve this

  • I configured the firewall to forward the LDAP queries to our UCS
  • as a public FQDN is used, I changed the certificate information in /etc/ldap/slapd.conf. The certificate belonging to the public FQDN is used.

LDAP StartTLS is now working fine for external queries, unfortunately I broke the internal LDAP system of UCS. I tried to fix this by changing the following variables:

ldap/master
ldap/server/name

After this change, some policies are not met anymore.

Is it possible to change hostname and certificate used for LDAP StartTLS?


#2

While it is possible to configure a different certificate for the Webserver it appears to be a harder task to replace the UCS-CA for other services. There are too many dependencies to resolve.
Instead of changing the certificate for LDAP I would rather try to configure the client to accept this self-signed cert.


#3

Hi Ahrnke,

Thanks for your reply. The first challenge is that the client is not on our private network. Moving the server would be a solution.

Another challenge is that my colleagues are quite sceptical about using the Root Certificate of the UCS. They think - in general - that their bank account is not safe anymore after installing the root certificate.


#4

The creation of the UCS-CA is a transparent process which is described in Renewing the complete SSL chain. All sources are available.
I am tempted to have more trust in certificates derived from this CA than to some other certs in the pre-installed cert store of the operating system.


#5

Are they really colleagues in meaning from the same company? If yes, I hope they have also removed all the other CAs that are shipped by default.