LDAPS (Can't contact LDAP server): trusting CA-Cert on Ubuntu

somehow Univention UCS blocks my new server which I integrated via LDAP (it connects every 5 minutes to synch my users).

a simple ldapsearch won’t work from this machine since it’s blocked. I can use the same command on another host successfully.

restarting the ldap service did nothing:
/etc/init.d/slapd restart

so… is there a way to “whitelist” my host?

it works on one joined UCS-System (ldapsearch-command).

my problem is somehow “client”-side as it’s because of the ssl certificate which somehow just worked before after importing the ca-cert like this:
chmod 644 /usr/local/share/ca-certificates/ucs-root-ca.crt && update-ca-certificates

does someone have an idea what I can do to trust the cert?

Have you tried to test the connection and trust with openssl?

openssl s_client -connect your.server.name:7636

Did the update-ca-certificates report that a certificate was added? If not, file extension or file content format (PEM, DER) might be wrong.
There are some conditions to be met, which I don’t remember. So search for them online.

BR,
Jörn

hey there, yes the import-command was successful and openssl tells me:
Verification: OK

what I think may be wrong is this: /etc/ldap/ldap.conf:

TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

but I don’t really want to change it… I would rather try to get my cert included there using an official way.

I can also find the imported CA there, so it shouldn’t be a wrong config in this file.

/etc/ssl/certs/ca-certificates.crt

also openssl trusts it and I can see it here:
/etc/ssl/certs/ucs-root-ca.pem

What is the client program on your server trying to connect to the UCS LDAP?

ldapsearch for testing
finally it’s ldap from python
both are running successfully without encryption, but with it they both can’t connect

UCS server has a firewall but LDAP ports 7389 and 7636 are exposed by default.
If openssl command can connect and verifies there should be no problem on the server side.

What does your ldapsearch command look like?

ldapsearch -H ldaps://portal.domain.tld:7636 -b "dc=domain,dc=tld" -D "uid=mysynchuzer,CN=Users,DC=domain,DC=tld" -x -w MYPW

this command works when I run it from a joined UCS-system.

Try the openssl s_client command with -CAfile /etc/ssl/certs/ca-certificates.crt option.
Is that successful?

BTW, what is the OS and version of the LDAP client?

OS is ubuntu 20.04

LDAP-Search:

ldapsearch: @(#) $OpenLDAP: ldapsearch  (Ubuntu) (Feb 18 2021 14:22:15) $
        Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
        (LDAP library: OpenLDAP 20449)

python-ldap==3.3.1 in final product

the openssl tells me this:

140568237548864:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:../crypto/asn1/asn1_lib.c:91:
140568237548864:error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header:../crypto/asn1/tasn_dec.c:1137:
140568237548864:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:572:
140568237548864:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:614:
140568237548864:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=subject, Type=X509_CINF
140568237548864:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=cert_info, Type=X509
140568237548864:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib:../crypto/pem/pem_info.c:196:
140568237548864:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib:../crypto/x509/by_file.c:205:

a little update:
I just rebuilt the ca-store using:

sudo update-ca-certificates -f

now it results in:
ile: No such file or directory

@jolentes where did you find this option works for ldapsearch? “-CAfile”? when I use -CA (without *file) I get the same error as without.

openssl with -CAfile works now without error and tells me “Verification: OK”

finally I found the issue…
there is a per-user config too… not only the global one:
so the fix for me was removing all the settings inside my user’s home folder:
nano .ldaprc

using:

export LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt

would have worked, just to let you know :slight_smile:
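
The fix above comes down to OpenLDAP's configuration precedence: per ldap.conf(5), libldap (used by both ldapsearch and python-ldap) reads the system file, then ldaprc and .ldaprc in the home directory, then ./ldaprc, then the files named by LDAPCONF and LDAPRC, then LDAP-prefixed environment variables, and later sources override earlier ones. The following is an added example, not part of the thread and not code from OpenLDAP or Univention; the function names and the two optional arguments are hypothetical, and the default system path is the Ubuntu one quoted in the thread.

```shell
#!/bin/sh
# Added example: report which source decides TLS_CACERT for OpenLDAP clients.
# Usage: source this file, then run: effective_tls_cacert
# Optional arguments (hypothetical): system config path, home directory.

# Print the last TLS_CACERT value in one config file. Option names are
# case-insensitive; '#' comment lines never match because $1 differs.
cacert_in_file() {
    [ -r "$1" ] || return 0
    awk 'toupper($1) == "TLS_CACERT" { v = $2 } END { if (v != "") print v }' "$1"
}

effective_tls_cacert() {
    sys_conf=${1:-/etc/ldap/ldap.conf}
    home=${2:-$HOME}
    src=""; val=""
    # LDAPNOINIT disables all config-file and environment defaults.
    if [ -n "${LDAPNOINIT+x}" ]; then
        echo "none (LDAPNOINIT set)"; return 0
    fi
    # Read order from ldap.conf(5); a later file overrides an earlier one.
    set -- "$sys_conf" "$home/ldaprc" "$home/.ldaprc" "./ldaprc"
    [ -n "${LDAPCONF:-}" ] && set -- "$@" "$LDAPCONF"
    [ -n "${LDAPRC:-}" ] && set -- "$@" "$home/$LDAPRC" "$home/.$LDAPRC" "./$LDAPRC"
    for f in "$@"; do
        v=$(cacert_in_file "$f")
        if [ -n "$v" ]; then src=$f; val=$v; fi
    done
    # The environment variable wins over every file.
    if [ -n "${LDAPTLS_CACERT:-}" ]; then
        src='$LDAPTLS_CACERT'; val=$LDAPTLS_CACERT
    fi
    if [ -z "$val" ]; then echo "unset"; return 0; fi
    # A winning path that cannot be read is enough to break ldaps://.
    state=readable; [ -r "$val" ] || state=MISSING
    echo "$src -> $val ($state)"
}
```

Run it as the same user and from the same working directory as the failing client, since both the home directory and ./ldaprc are consulted.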