[Triumf-linux-managers] FYI - SSL/openldap issues in SL 6.1
Andrew Daviel
advax at triumf.ca
Wed Sep 28 14:11:50 PDT 2011
FYI - an issue I found recently on SL 6.1
Openldap (e.g. ldapsearch, Apache mod_authnz_ldap) now verifies SSL
certificate chains against the standard bundle.
On one machine at least, the default bundle is not found unless
it is specified in /etc/openldap/ldap.conf, e.g.
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
For openldap to authenticate with SSL against a server using a TRIUMF
certificate, such as ldaps://trmail.triumf.ca, the TRIUMF root
certificate must be appended to the certificate bundle, as documented
in https://trmail.triumf.ca/CA/other.html,
or given a suffix of "0" (e.g. triumf.root.0) and placed in
a directory specified by TLS_CACERTDIR (see ldap.conf manpage).
The error messages if this is not done are rather obscure - non-existent
in httpd (just a generic HTTP 500), and in ldapsearch merely baffling -
"TLS error -8172:Unknown code"
Apache can also use the LDAPTrustedGlobalCert directive to specify
a bundle, viz.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/triumf.cacert.crt
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
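Added example (not from the original post): a small offline check of the two things the note says go wrong, whether ldap.conf actually names a trust source (TLS_CACERT or TLS_CACERTDIR) and whether the bundle it points at contains the site root. The ldap.conf text and the PEM blocks below are constructed placeholders, not real TRIUMF certificates; the precedence of TLS_CACERT over TLS_CACERTDIR in ca_source() is an assumption of this helper.

```python
import re

# Constructed sample of /etc/openldap/ldap.conf (not copied from any real host).
LDAP_CONF = """\
# /etc/openldap/ldap.conf
URI ldaps://trmail.triumf.ca
BASE dc=example,dc=org
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
"""

# Constructed placeholder PEM blocks; the base64 bodies are dummies, not real certs.
DISTRO_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBdistroRootOne\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBdistroRootTwo\n-----END CERTIFICATE-----\n"
)
SITE_ROOT = "-----BEGIN CERTIFICATE-----\nMIIBsiteRootPlaceholder\n-----END CERTIFICATE-----\n"

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def parse_ldap_conf(text):
    """Return ldap.conf directives as {KEY: value}; blank and '#' lines are skipped, last one wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf


def ca_source(conf):
    """Trust source openldap has been told about: ('file', path), ('dir', path) or None if neither is set."""
    if "TLS_CACERT" in conf:          # checked first (assumption of this helper, not documented precedence)
        return ("file", conf["TLS_CACERT"])
    if "TLS_CACERTDIR" in conf:
        return ("dir", conf["TLS_CACERTDIR"])
    return None


def pem_bodies(text):
    """Whitespace-normalised base64 bodies of every certificate block in a PEM bundle."""
    return [re.sub(r"\s+", "", body) for body in PEM_RE.findall(text)]


def bundle_contains(bundle_text, root_pem):
    """True if the root certificate's PEM body appears verbatim in the bundle."""
    root = pem_bodies(root_pem)
    return bool(root) and root[0] in pem_bodies(bundle_text)
```

Run bundle_contains() on the real bundle path from ca_source() to see whether the site root was appended before chasing the "TLS error -8172" message any further.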