Bug 1569709 - After upgrading to RHEL 7.5 sssd/ldap authentication fails when using ldaps/ssl
Summary: After upgrading to RHEL 7.5 sssd/ldap authentication fails when using ldaps/ssl
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openldap
Version: 7.5
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Matus Honek
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-19 20:51 UTC by aheverle
Modified: 2018-11-09 14:02 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-07 15:31:37 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description aheverle 2018-04-19 20:51:09 UTC
Description of problem:

Upgrading to RHEL 7.5 caused the cert not be found in the cert path specified in sssd.conf.

In debug logs, you see the cert failing

(Tue Apr 17 11:49:31 2018) [sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: [Connect error] [error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)]

Version-Release number of selected component (if applicable):
openldap-2.4.44-13.el7.x86_64

How reproducible:
Everytime

Actual results:
Login failure with the error in the description section

Expected results:
Login successful

Additional info:

See the following in debug output in the ldapsearch

tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/cacerts'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/cacerts` prefix ``.
tlsmc_open_nssdb: WARN: could not initialize MozNSS context - error -8015.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.

Two workarounds:

 1 - Downgrade to the previous openldap* packages

 # yum downgrade openldap*

 2 - Comment out "ldap_tls_cacertdir" and specify the cert in sssd.conf with "ldap_tls_cacert"

 #ldap_tls_cacertdir = /etc/openldap/cacerts
 ldap_tls_cacert = /etc/openldap/cacerts/caname.crt

Comment 3 Matus Honek 2018-04-20 10:34:47 UTC
Given the workaround no. 2 form the Description, my guess is the /etc/openldap/cacerts directory is not properly maintained by the openssl c_rehash command as described in ldap.conf(5).

First, backup the directory and then run the c_rehash on it:
> c_rehash -v /etc/openldap/cacerts

Then, after restarting the SSSD service all should be back to normal. Also, please attach the output of c_rehash for a future reference or, should there be still errors, for further issue solving.

Thank you.

Comment 8 Paul 2018-10-02 12:02:08 UTC
I am still having this issue with my openldap client.  Why is this bug closed? None of the solutions above worked to resolve the issue.

Versions:

openldap-2.4.44-15
openldap-clients-2.4.44-15

Still getting this error:

[sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: [Connect error] [error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)]

Comment 9 Paul 2018-10-02 12:39:20 UTC
(In reply to Paul from comment #8)
> I am still having this issue with my openldap client.  Why is this bug
> closed? None of the solutions above worked to resolve the issue.
> 
> Versions:
> 
> openldap-2.4.44-15
> openldap-clients-2.4.44-15
> 
> Still getting this error:
> 
> [sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020):
> ldap_install_tls failed: [Connect error] [error:14090086:SSL
> routines:ssl3_get_server_certificate:certificate verify failed (self signed
> certificate in certificate chain)]

Correction, I had to downgrade a couple of version of openldap and client to get back to operational state.  Currently running version 2.4.44-5.

Comment 10 Matus Honek 2018-10-02 15:24:39 UTC
Paul,

please, file an issue with our customer support or, if unable to do so, please file a new bugzilla bug, with detailed information (configuration and outputs of both openldap (e.g. ldapsearch, and ldap.conf) and sssd, it will probably be necessary to assess correctness of the certs themselves as well; if you could test with `openssl s_client` it would be useful, too).

The user cases related to this bug were of various configuration issues and no particular issue was asserted to be in the software itself. So, please, do not follow with hereby bug for not to mix too much a possibly unrelated stuff together, better file a separate thread.

Thanks!


Note You need to log in before you can comment on or make changes to this bug.