Problem: adsearch is not working anymore

Problem:

univention-adsearch is not working anymore

univention-adsearch cn=cscheini
Traceback (most recent call last):
  File "/usr/sbin/univention-adsearch", line 198, in <module>
    lo.start_tls_s()
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 609, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get issuer certificate)', 'desc': 'Connect error'}

Investigation:

What does the AD Connector do differently from adsearch when establishing the connection?

univention-adsearch does:

root@ucsdc1:~# LDAPTLS_CACERT="$connector_ad_ldap_certificate" ldapsearch -x -ZZZ -b "$connector_ad_ldap_base" -h "$connector_ad_ldap_host" -D "$connector_ad_ldap_binddn" -w $(<$connector_ad_ldap_bindpw) -s base
ldap_start_tls: Connect error (-11)
        additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get issuer certificate)

The AD Connector must bundle the AD CA certificate into one file together with the UCS root certificate, because a Python LDAP context can be given only one CA certificate file: Bug 17768 – SSL-Synchronisation zwischen UCS und AD (SSL synchronisation between UCS and AD)

root@ucsdc1:~# LDAPTLS_CACERT="/var/cache/univention-ad-connector/CAcert-connector.pem" ldapsearch -x -ZZZ -b "$connector_ad_ldap_base" -h "$connector_ad_ldap_host" -D "$connector_ad_ldap_binddn" -w $(<$connector_ad_ldap_bindpw) -s base
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580

With this bundled certificate file the TLS connection works (the bind then fails only because of the credentials, see below). Even if only our CA certificate is used, the query works.

And indeed, using only the UCS CA certificate works as well, so something appears to be configured incorrectly:

root@ucsdc1:~# LDAPTLS_CACERT="/etc/univention/ssl/ucsCA/CAcert.pem" ldapsearch -x -ZZZ -b "$connector_ad_ldap_base" -h "$connector_ad_ldap_host" -D "$connector_ad_ldap_binddn" -w $(<$connector_ad_ldap_bindpw) -s base
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
root@ucsdc1:~#

→ Don’t be surprised by the invalid credentials: the AD Connector in that environment is configured in memory mode, so the variables cannot simply be passed 1:1 to ldapsearch.

The assumption is that the sub-CA of the AD server, which is signed by our CA, is no longer sufficient on its own because the certificate check has been tightened.
You signed the certificate or the CA of the AD with our CA in your environment, right?
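To make the issuer-chain point concrete, here is an added shell example (not from the original post or from Univention) that builds a throwaway chain with the openssl CLI: a self-signed root in the role of the UCS CA, a sub-CA signed by it in the role of the AD CA, and a server certificate issued by that sub-CA. Verifying the server certificate against the sub-CA alone reproduces "unable to get issuer certificate", while a bundle of root plus sub-CA, the equivalent of CAcert-connector.pem, verifies; all names, subjects and paths are constructed for the demo.

```shell
#!/bin/sh
# Added demo: reproduce "unable to get issuer certificate" with a throwaway
# chain (root CA -> sub-CA -> server cert) and show that a bundle of both CA
# certificates verifies. Requires the openssl CLI; all names are constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

build_chain() (
  cd "$WORK"
  # minimal req config so the demo does not depend on the system openssl.cnf
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\n' > ca.cnf
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >> ca.cnf
  # root CA: plays the role of the UCS CA (/etc/univention/ssl/ucsCA/CAcert.pem)
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=demo-root-ca" -keyout root.key -out root.pem >/dev/null 2>&1
  # sub-CA signed by the root: plays the role of the AD server's CA
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=demo-ad-subca" -keyout subca.key -out subca.csr >/dev/null 2>&1
  openssl x509 -req -in subca.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.cnf -extensions v3_ca -out subca.pem >/dev/null 2>&1
  # server certificate issued by the sub-CA (what the AD host presents)
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=ad.example.test" -keyout server.key -out server.csr >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA subca.pem -CAkey subca.key -CAcreateserial \
    -days 2 -out server.pem >/dev/null 2>&1
  # the equivalent of CAcert-connector.pem: root and sub-CA in one file
  cat root.pem subca.pem > bundle.pem
)

# verify_with <cafile>: prints "ok", or the relevant openssl error text
verify_with() {
  if out="$(openssl verify -CAfile "$WORK/$1" "$WORK/server.pem" 2>&1)"; then
    echo ok
  else
    case $out in
      *"unable to get issuer certificate"*) echo "unable to get issuer certificate" ;;
      *) echo "$out" ;;
    esac
  fi
}

build_chain
echo "sub-CA only:    $(verify_with subca.pem)"   # unable to get issuer certificate
echo "root + sub-CA:  $(verify_with bundle.pem)"  # ok
```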

Solution:

root@ucsdc1:~# diff -Nur /usr/sbin/univention-adsearch univention-adsearch
--- /usr/sbin/univention-adsearch       2018-06-15 12:21:37.000000000 +0200
+++ univention-adsearch 2018-07-05 21:39:11.084541168 +0200
@@ -184,7 +184,8 @@
 if login_pw[-1] == '\n':
        login_pw = login_pw[:-1]
 
-ca_file = configRegistry.get('%s/ad/ldap/certificate' % CONFIGBASENAME)
+# ca_file = configRegistry.get('%s/ad/ldap/certificate' % CONFIGBASENAME)
+ca_file = '/var/cache/univention-ad-connector/CAcert-connector.pem'
 
 start_tls = 2 if configRegistry.is_true('%s/ad/ldap/ssl' % CONFIGBASENAME, True) else 0
 if start_tls and ca_file:
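Review bot: the replacement line `+ca_file = '/var/cache/univention-ad-connector/CAcert-connector.pem'` hard-codes the bundle of the default connector instance while the line just below still derives its UCR key from `CONFIGBASENAME` (`'%s/ad/ldap/ssl' % CONFIGBASENAME`), so for any other base name the script would read the wrong CA bundle; since the file name ends in `-connector.pem`, matching the default base name, build the path from CONFIGBASENAME and keep the original `configRegistry.get(...)` lookup as a fallback when the cache file does not exist, rather than replacing it unconditionally. Delete the commented-out `# ca_file = ...` line instead of keeping dead code, and note that because the patch edits /usr/sbin/univention-adsearch in place, the change will be lost the next time the package that ships that script is updated.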