Bug 789088

Summary: Default SSL certificate bundle is not found by openldap library
Product: Fedora
Component: openldap
Version: 16
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Hardware: Unspecified
OS: Linux
Reporter: Jan Vcelak <jvcelak>
Assignee: Jan Vcelak <jvcelak>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: advax, jplans, jsynacek, jvcelak, ovasik, rmeggins, tsmetana
Doc Type: Bug Fix
Fixed In Version: openldap-2.4.29-3.fc17
Clone Of: 742023
Bug Depends On: 742023
Last Closed: 2012-02-28 10:39:23 UTC
Attachments:
  560689: script for generating certdb and server certificate
  560691: simple tests for certdb generated by the proposed script

Description Jan Vcelak 2012-02-09 18:58:21 UTC
+++ This bug was initially created as a clone of Bug #742023 +++

Description of problem:

openldap clients e.g. ldapsearch and software linked with openldap libraries e.g. Apache mod_authnz_ldap fail to connect to servers when using TLS

Version-Release number of selected component (if applicable):

openldap-2.4.23-15.el6_1.3.x86_64

How reproducible:

Always

Steps to Reproduce:
1. ldapsearch -x -H ldaps://ldap.example.com  -b dc=example -Z "cn=joe" cn
  
Actual results:
ldap_start_tls: Connect error
  additional info: TLS error -8172

Expected results:
cn: User, Joe


Additional info:

The config file /etc/openldap/ldap.conf packaged with openldap does not contain an entry for the certificate bundle, e.g. ca-certificates-2010.63-3.el6_1.5.noarch shipped with RHEL6.
Adding an entry
  TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
fixes the problem, at least where the server certificate authority is included in the bundle.

In previous versions of RHEL e.g. RHEL5, openldap did not seem to check certificate chains so that a default install worked.

(The Apache module mod_authnz_ldap returns no details in /var/log/httpd/*
which makes diagnosis difficult)
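The report above boils down to a missing trust anchor: nothing in the stock ldap.conf tells libldap where the CA bundle is, and the "TLS error -8172" in the output is NSS's SEC_ERROR_UNTRUSTED_ISSUER. The quick fix people reach for instead is TLS_REQCERT never, which makes the error disappear by disabling server certificate verification. The following lint, an added example that is not code from the bug report or the openldap package, checks a client ldap.conf for both problems. The sample files it writes (weak.conf, fixed.conf and a dummy ca-bundle.crt) are constructed for the example; values are read up to the first whitespace, which is enough for paths without spaces.

```shell
#!/bin/sh
# Added example, not code from the bug report or the openldap package:
# lint an OpenLDAP client ldap.conf for the trust-anchor problem above.

# ldap_conf_get FILE KEY : value of the last uncommented KEY line, or empty.
# ldap.conf keys are case-insensitive; the last occurrence wins.
ldap_conf_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { val = $2 }
        END { print val }' "$1"
}

# check_ldap_conf FILE : return 0 if FILE verifies server certificates
# against a trust store that exists, 1 otherwise (reasons on stdout).
check_ldap_conf() {
    conf=$1
    rc=0
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cacertdir=$(ldap_conf_get "$conf" TLS_CACERTDIR)

    # libldap's default is "demand".  "never" skips verification entirely
    # and "allow" continues after a failed check, so both hide this bug
    # instead of fixing it.
    case "${reqcert:-demand}" in
        never|allow)
            echo "FAIL $conf: TLS_REQCERT $reqcert turns off server certificate verification"
            rc=1 ;;
    esac
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "FAIL $conf: neither TLS_CACERT nor TLS_CACERTDIR is set, so no issuer can be trusted"
        rc=1
    fi
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "FAIL $conf: TLS_CACERT $cacert is missing or unreadable"
        rc=1
    fi
    if [ -n "$cacertdir" ] && [ ! -d "$cacertdir" ]; then
        echo "FAIL $conf: TLS_CACERTDIR $cacertdir is not a directory"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $conf"
    return "$rc"
}

# write_sample_confs DIR : constructed inputs for the demo.  weak.conf is
# the "make the error go away" configuration; fixed.conf is the reporter's
# fix, pointed at a dummy bundle file that exists only for this example.
write_sample_confs() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        '(dummy bundle, constructed for the example)' \
        '-----END CERTIFICATE-----' > "$dir/ca-bundle.crt"
    cat > "$dir/weak.conf" <<'EOF'
BASE   dc=example
URI    ldaps://ldap.example.com
TLS_REQCERT never
EOF
    cat > "$dir/fixed.conf" <<EOF
BASE   dc=example
URI    ldaps://ldap.example.com
TLS_CACERT $dir/ca-bundle.crt
EOF
}

# Demo: run both constructed files through the check.
tmp=$(mktemp -d)
write_sample_confs "$tmp"
check_ldap_conf "$tmp/weak.conf" || true    # expected: two FAIL lines
check_ldap_conf "$tmp/fixed.conf" || true   # expected: OK
rm -rf "$tmp"
```

Point it at /etc/openldap/ldap.conf and at any per-user ~/.ldaprc that overrides it. On a stock pre-fix install the expected finding is the "neither TLS_CACERT nor TLS_CACERTDIR" failure; a TLS_REQCERT never finding means someone has already applied the wrong fix. The lint only checks that a TLS_CACERTDIR exists; with an OpenSSL-backed libldap it must also be a hashed directory of CA files.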

Comment 1 Jan Vcelak 2012-02-09 19:05:08 UTC
Proposed solution:

(1) Use Mozilla NSS tools (certutil, modutil) to generate server certificate during installation instead of using OpenSSL tools. The database location will be /etc/openldap/certdb.

(2) Load the libnssckbi.so module into the database. This makes the builtin root certificates available, as requested.

(3) Make the default slapd configuration use the certificate from this location.

(4) Make the default ldap.conf use the certificates from that location.
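The client-side half of that proposal (steps 2 and 4), done by hand, as an added example that is not the setup script attached to this bug: create an NSS certificate database, load the builtin root module libnssckbi.so into it with modutil, and write an ldap.conf that points a MozNSS-backed libldap at the database through TLS_CACERTDIR. The database location /etc/openldap/certdb and the module name "Root Certs" follow the proposal; the ldap.conf path and the scratch directory used by the demo are parameters of the example. It needs certutil and modutil from nss-tools.

```shell
#!/bin/sh
# Added example, not the setup script attached to this bug.  Client-side
# half of the proposal above: create an NSS certificate database, load the
# builtin root module (libnssckbi.so) into it, and point libldap (built
# against Mozilla NSS, as Fedora's was) at the database with TLS_CACERTDIR.
# The database path and the module name "Root Certs" follow the proposal.

# certdb_has_builtin_roots DIR : 0 if the builtin roots module is loaded.
certdb_has_builtin_roots() {
    modutil -dbdir "sql:$1" -list 2>/dev/null | grep -q 'Root Certs'
}

# setup_nss_certdb DIR [LIBNSSCKBI] : create the database (once) and add the
# builtin roots module (once).  Safe to re-run.
setup_nss_certdb() {
    dir=$1
    lib=${2:-libnssckbi.so}    # resolved by dlopen; pass a full path if needed
    mkdir -p "$dir"
    # Empty password: slapd and libldap open the database non-interactively.
    if [ ! -f "$dir/cert9.db" ]; then
        certutil -N -d "sql:$dir" --empty-password || return 1
    fi
    # -force skips modutil's interactive confirmation prompt.
    if ! certdb_has_builtin_roots "$dir"; then
        modutil -dbdir "sql:$dir" -add "Root Certs" -libfile "$lib" -force || return 1
    fi
    # A client trust store holds no private keys, so world-readable is fine.
    # Do NOT do this for slapd's database, which holds the server key.
    chmod 755 "$dir"
    chmod 644 "$dir"/*
}

# write_client_ldap_conf CONF DIR : ldap.conf that uses the NSS db as trust store.
write_client_ldap_conf() {
    cat > "$1" <<EOF
# With the MozNSS backend, TLS_CACERTDIR names the NSS database directory.
TLS_CACERTDIR $2
# Keep verification on (this is the default; never set it to "never").
TLS_REQCERT demand
EOF
}

# Demo against a scratch directory; no root needed.  Skipped when nss-tools
# is not installed.
if command -v certutil >/dev/null 2>&1 && command -v modutil >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    if setup_nss_certdb "$tmp/certdb" && certdb_has_builtin_roots "$tmp/certdb"; then
        write_client_ldap_conf "$tmp/ldap.conf" "$tmp/certdb"
        echo "builtin roots loaded into $tmp/certdb; client config:"
        cat "$tmp/ldap.conf"
    else
        echo "could not build $tmp/certdb (is libnssckbi.so on the loader path?)"
    fi
    rm -rf "$tmp"
fi
```

Two caveats. The meaning of TLS_CACERTDIR depends on the TLS backend libldap was built against: for MozNSS it is the NSS database directory, for OpenSSL it is a hashed directory of PEM CA files, and Fedora later switched openldap back to OpenSSL, so on current releases the reporter's own fix (TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt) is the right one. And the relaxed permissions above are only correct for a client database with no private keys; the server's database from step 1 must stay readable by slapd alone.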

Comment 2 Jan Vcelak 2012-02-09 19:08:59 UTC
Created attachment 560689 [details]
script for generating certdb and server certificate

The script will be placed in /usr/libexec/slapd like the other scripts, and will be called from the specfile.

Comment 3 Jan Vcelak 2012-02-09 19:13:04 UTC
Created attachment 560691 [details]
simple tests for certdb generated by the proposed script

Decompress, place ./setup-certificates.sh in the same directory, and run the tests.

Comment 4 Jan Vcelak 2012-02-13 13:24:26 UTC
Some changes will be necessary. The script has to be split, because we need the client libraries to work with builtin certificates without -servers package.

Comment 5 Jan Vcelak 2012-02-15 14:05:16 UTC
Resolved in openldap-2.4.29-1.fc17

Comment 6 Fedora Update System 2012-02-15 14:09:02 UTC
openldap-2.4.29-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/openldap-2.4.29-1.fc17

Comment 7 Fedora Update System 2012-02-16 01:56:54 UTC
Package openldap-2.4.29-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openldap-2.4.29-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1755/openldap-2.4.29-1.fc17
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2012-02-21 15:20:11 UTC
openldap-2.4.29-3.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/openldap-2.4.29-3.fc17

Comment 9 Fedora Update System 2012-02-21 17:44:26 UTC
Package openldap-2.4.29-3.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openldap-2.4.29-3.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2113/openldap-2.4.29-3.fc17
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2012-02-28 10:39:23 UTC
openldap-2.4.29-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.