[Triumf-linux-managers] Secure LDAP

Andrew Daviel advax at triumf.ca
Thu Jan 10 18:08:38 PST 2013


There is a problem where ldapsearch over SSL would fail against the replicas 
misldap1, misldap1 but not against admin.triumf.ca

This happens on later Linux (SL5, SL6) if the TRIUMF root certificate is not 
installed. Adding the debug option shows the real error, viz.

$ ldapsearch -x -H ldaps://misldap1.triumf.ca -b dc=triumf,dc=ca uid=advax -LLL cn -d1

I found I had already documented a procedure to install the certificate 
for ldapsearch on https://trmail.triumf.ca/CA/other.html as 
"openSSL/openLDAP based clients"

In SL5, ldapsearch uses the openssl library by default, using the 
certificate bundle /etc/pki/tls/certs/ca-bundle.crt.
The page documents how to append the TRIUMF certificate to that.

In SL6, ldapsearch uses the Mozilla NSS library instead of openssl.
The documented procedure (to add TLS_CACERT options to 
/etc/openldap/ldap.conf) in fact works; however one can just add the 
TRIUMF certificate to /etc/openldap/certs/cert8.db. I have added a note to the 
webpage.
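As an added example (not part of the original post or of any TRIUMF script), the
script below carries out the two routes just described in an idempotent way, so it
can be re-run on every host without duplicating entries: appending the CA to the
OpenSSL bundle (SL5), importing it into the NSS database under /etc/openldap/certs
(SL6) with certutil from nss-tools, or pointing TLS_CACERT in ldap.conf at the CA
file. It then checks the result the same way the post does, with ldapsearch -d1, and
with openssl s_client. The CA file path /tmp/site-ca.pem and the nickname "Site CA"
are placeholders; the bundle, NSS directory and ldap.conf paths are the ones the
post names. Deduplication keys on the first base64 line of the PEM body so that it
works even where openssl is absent.

```shell
#!/bin/sh
# Added example, not the post's or TRIUMF's own code. Installs a site CA for
# OpenLDAP clients in the ways the post describes, without creating duplicates.
# Placeholders (assumptions): CA_PEM and CA_NICK. Paths below are from the post.

CA_PEM="${CA_PEM:-/tmp/site-ca.pem}"                                # placeholder
CA_NICK="${CA_NICK:-Site CA}"                                        # placeholder
OPENSSL_BUNDLE="${OPENSSL_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}" # SL5 (openssl)
NSS_DIR="${NSS_DIR:-/etc/openldap/certs}"                            # SL6 (cert8.db)
LDAP_CONF="${LDAP_CONF:-/etc/openldap/ldap.conf}"

# Dedupe key: first base64 line of the PEM body (second line of the file).
# It encodes the start of the DER structure, so it differs between CAs.
pem_key() {
  sed -n '2p' "$1"
}

# SL5 route: append the CA to the OpenSSL bundle, but only if it is not there yet.
append_ca_once() {
  pem="$1"; bundle="$2"
  key=$(pem_key "$pem")
  [ -n "$key" ] || return 2
  if grep -qF -- "$key" "$bundle" 2>/dev/null; then
    return 0                                   # already present
  fi
  { printf '\n'; cat "$pem"; } >> "$bundle"
}

# How many times the CA occurs in a bundle (0 when absent). Used for checking.
ca_count() {
  key=$(pem_key "$1")
  grep -cF -- "$key" "$2" 2>/dev/null || true
}

# SL6 route: import into the NSS store (cert8.db) with certutil (nss-tools).
# Trust flags "C,," mark the cert as a CA trusted to issue SSL server certs.
add_ca_to_nssdb() {
  pem="$1"; nick="$2"; dir="$3"
  if certutil -L -d "$dir" -n "$nick" >/dev/null 2>&1; then
    return 0                                   # nickname already imported
  fi
  certutil -A -n "$nick" -t "C,," -i "$pem" -d "$dir"
}

# Documented alternative: TLS_CACERT in ldap.conf. Replace an existing line
# instead of appending a second one.
set_tls_cacert() {
  pem="$1"; conf="$2"
  if grep -q '^TLS_CACERT[[:space:]]' "$conf" 2>/dev/null; then
    tmp="$conf.tmp.$$"
    sed "s|^TLS_CACERT[[:space:]].*|TLS_CACERT $pem|" "$conf" > "$tmp" && mv "$tmp" "$conf"
  else
    printf 'TLS_CACERT %s\n' "$pem" >> "$conf"
  fi
}

tls_cacert_count() {
  grep -c '^TLS_CACERT[[:space:]]' "$1" 2>/dev/null || true
}

# Checks. -d1 makes ldapsearch print the underlying TLS error rather than a
# bare connection failure; s_client shows the chain verification result.
check_ldaps() {                                # usage: check_ldaps host basedn
  ldapsearch -x -H "ldaps://$1" -b "$2" -LLL -d1 '(objectClass=*)' dn
}
check_chain() {                                # usage: check_chain host [cafile]
  openssl s_client -connect "$1:636" -CAfile "${2:-$OPENSSL_BUNDLE}" </dev/null 2>/dev/null \
    | grep 'Verify return code'
}

if [ "${1:-}" = "install" ]; then
  append_ca_once "$CA_PEM" "$OPENSSL_BUNDLE"
  add_ca_to_nssdb "$CA_PEM" "$CA_NICK" "$NSS_DIR"
fi
```

Run it as root with the argument install to apply both routes; the functions can
also be sourced individually. After importing into cert8.db, certutil -L -d
/etc/openldap/certs lists the new nickname, whereas the built-in roots from
libnssckbi.so stay invisible to certutil, as the post notes.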
For those interested, Mozilla certificate stores use Berkeley DB 1.85, 
which can be dumped with "db_dump185" from the db4-utils package. certutil 
and friends are in the nss-tools package. Firefox uses a cert8.db for each 
user profile, kept in $HOME/.mozilla/firefox/random.profilename/, so one 
can list certificates with e.g.

$ certutil -L -d $HOME/.mozilla/firefox/unvej9cy.other

The openldap RPM install script creates an empty cert8.db populated only 
with the default certificates built in to the libnssckbi.so library (which 
do not get listed by certutil, but do by Firefox).


-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager