Bug 1569709

Summary: After upgrading to RHEL 7.5 sssd/ldap authentication fails when using ldaps/ssl
Product: Red Hat Enterprise Linux 7
Reporter: aheverle
Component: openldap
Assignee: Matus Honek <mhonek>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Docs Contact:
Priority: high
Version: 7.5
CC: apeddire, cobrown, jvilicic, mhonek, paul.whitney, pkis, tmihinto, tscherf
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-06-07 15:31:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description aheverle 2018-04-19 20:51:09 UTC
Description of problem:

Upgrading to RHEL 7.5 caused the cert not to be found in the cert path specified in sssd.conf.

In debug logs, you see the cert failing

(Tue Apr 17 11:49:31 2018) [sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: [Connect error] [error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)]

Version-Release number of selected component (if applicable):
openldap-2.4.44-13.el7.x86_64

How reproducible:
Every time

Actual results:
Login failure with the error in the description section

Expected results:
Login successful

Additional info:

See the following in the ldapsearch debug output

tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/cacerts'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/cacerts` prefix ``.
tlsmc_open_nssdb: WARN: could not initialize MozNSS context - error -8015.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.

Two workarounds:

 1 - Downgrade to the previous openldap* packages

 # yum downgrade openldap*

 2 - Comment out "ldap_tls_cacertdir" and specify the cert in sssd.conf with "ldap_tls_cacert"

 #ldap_tls_cacertdir = /etc/openldap/cacerts
 ldap_tls_cacert = /etc/openldap/cacerts/caname.crt

Comment 3 Matus Honek 2018-04-20 10:34:47 UTC
Given the workaround no. 2 from the Description, my guess is the /etc/openldap/cacerts directory is not properly maintained by the openssl c_rehash command as described in ldap.conf(5).

First, backup the directory and then run the c_rehash on it:
> c_rehash -v /etc/openldap/cacerts

Then, after restarting the SSSD service all should be back to normal. Also, please attach the output of c_rehash for a future reference or, should there be still errors, for further issue solving.

Thank you.
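The failure mode Comment 3 points at is that OpenSSL looks certificates up in a CApath directory by `<subject_hash>.N` symlink, not by file name, so a directory that was never run through c_rehash is effectively empty to ldap_install_tls. The script below is an added example, not part of the bug report or of Red Hat's tooling: `cacertdir_check` reports every PEM in a directory that has no matching hash link, `cacertdir_rehash` creates the links the way c_rehash does (a minimal re-implementation for illustration; use c_rehash or `openssl rehash` on real systems), `cacertdir_verify_chain` runs the same lookup through `openssl verify -CApath` as an offline stand-in for the LDAPS handshake, and `make_fixture` builds a throwaway self-signed CA in a temp dir as constructed input. All four function names are hypothetical, and the script assumes only a POSIX shell and the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the bug report): check and repair the hashed-symlink
# layout OpenSSL expects in a directory used as ldap_tls_cacertdir / TLS_CACERTDIR.
# Assumes: POSIX sh, openssl CLI. Function names are hypothetical.

# Return 0 if every *.crt / *.pem in DIR is reachable through a <subject_hash>.N
# symlink pointing at a cert with that same subject hash; otherwise print each
# missing link on stdout and return 1.
cacertdir_check() {
    dir=$1
    rc=0
    for cert in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        if ! hash=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null); then
            echo "unreadable certificate: $cert"
            rc=1
            continue
        fi
        found=0
        for link in "$dir/$hash".[0-9]*; do
            [ -e "$link" ] || continue
            # The link must resolve to a cert carrying the same subject hash.
            if [ "$(openssl x509 -noout -subject_hash -in "$link" 2>/dev/null)" = "$hash" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "missing hash link for $cert (expected $hash.N)"
            rc=1
        fi
    done
    return "$rc"
}

# Create the <subject_hash>.N symlinks for every cert in DIR, choosing the first
# free N, exactly the naming scheme c_rehash / openssl rehash produce.
cacertdir_rehash() {
    dir=$1
    for cert in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null) || continue
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            # Already linked to this very file: nothing to do.
            if [ "$(readlink "$dir/$hash.$n")" = "$(basename "$cert")" ]; then
                break
            fi
            n=$((n + 1))
        done
        if [ ! -e "$dir/$hash.$n" ]; then
            ln -s "$(basename "$cert")" "$dir/$hash.$n"
        fi
    done
}

# Offline stand-in for the TLS handshake: can OpenSSL build a trusted chain for
# CERT using only the hashed directory DIR? Returns openssl's own exit status.
cacertdir_verify_chain() {
    dir=$1
    cert=$2
    openssl verify -CApath "$dir" "$cert" >/dev/null 2>&1
}

# Constructed fixture: a temp directory holding one self-signed CA (ca.crt).
# Prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Constructed Test CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    echo "$dir"
}

# Usage on a real system (do not run on the fixture):
#   cacertdir_check /etc/openldap/cacerts && echo "directory is hashed"
#   cacertdir_verify_chain /etc/openldap/cacerts /path/to/ldap-server.crt
```

On the fixture, `cacertdir_check` and `cacertdir_verify_chain` both fail until `cacertdir_rehash` has run, which is the same state a freshly populated /etc/openldap/cacerts is in; after rehashing, both succeed. The verify step is the analogue of the `openssl s_client` test suggested later in this bug, minus the network: if `openssl verify -CApath` cannot find the issuer, the LDAPS handshake will not either.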

Comment 8 Paul 2018-10-02 12:02:08 UTC
I am still having this issue with my openldap client.  Why is this bug closed? None of the solutions above worked to resolve the issue.

Versions:

openldap-2.4.44-15
openldap-clients-2.4.44-15

Still getting this error:

[sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: [Connect error] [error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)]

Comment 9 Paul 2018-10-02 12:39:20 UTC
(In reply to Paul from comment #8)
> I am still having this issue with my openldap client.  Why is this bug
> closed? None of the solutions above worked to resolve the issue.
> 
> Versions:
> 
> openldap-2.4.44-15
> openldap-clients-2.4.44-15
> 
> Still getting this error:
> 
> [sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020):
> ldap_install_tls failed: [Connect error] [error:14090086:SSL
> routines:ssl3_get_server_certificate:certificate verify failed (self signed
> certificate in certificate chain)]

Correction, I had to downgrade a couple of versions of openldap and client to get back to an operational state.  Currently running version 2.4.44-5.

Comment 10 Matus Honek 2018-10-02 15:24:39 UTC
Paul,

please file an issue with our customer support or, if unable to do so, please file a new bugzilla bug with detailed information (configuration and outputs of both openldap (e.g. ldapsearch, and ldap.conf) and sssd; it will probably be necessary to assess the correctness of the certs themselves as well; if you could test with `openssl s_client` it would be useful, too).

The user cases related to this bug were of various configuration issues and no particular issue was asserted to be in the software itself. So, please, do not follow up on this bug, so as not to mix possibly unrelated things together; better to file a separate thread.

Thanks!