I’m working with Ubuntu 12.04, using OpenLDAP server. I’ve followed the instructions on the Ubuntu help pages and can happily connect without security. To test my connection, I’m using ldapsearch; the command looks like:
ldapsearch -xv -H ldap://ldap.[my host].local -b dc=[my domain],dc=local -d8 -ZZ
I’ve also used:
ldapsearch -xv -H ldaps://ldap.[my host].local -b dc=[my domain],dc=local -d8
As far as I can tell, I’ve set up my certificate correctly, but no matter what I try, I can’t seem to get ldapsearch to accept my self-signed certificate.
So far, I’ve tried:
- Updating my /etc/ldap/ldap.conf file to look like:
BASE dc=[my domain],dc=local
URI ldaps://ldap.[my host].local
TLS_CACERT /etc/ssl/certs/cacert.crt
TLS_REQCERT allow
- Updating my /etc/ldap.conf file to look like:
base dc=[my domain],dc=local
uri ldapi:///ldap.[my host].local
uri ldaps:///ldap.[my host].local
ldap_version 3
ssl start_tls
ssl on
tls_checkpeer no
TLS_REQCERT allow
- Updating my /etc/default/slapd to include:
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
- Several hours of Googling, most of which resulted in adding the TLS_REQCERT allow
The exact error I’m seeing is:
ldap_initialize( ldap://ldap.[my host].local )
request done: ld 0x20038710 msgid 1
TLS certificate verification: Error, self signed certificate in certificate chain
TLS: can't connect.
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
After several hours of this, I was hoping someone else has seen this issue, and/or knows how to fix it. Please do let me know if I should add more information, or if you need further data.
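The verification error in the question can be reproduced and diagnosed with openssl alone, without ldapsearch or slapd in the picture. The script below is an added example, not code from the question or from its answer: it builds a throwaway CA plus a server certificate signed by it, then verifies that server certificate twice, once with the client trusting an unrelated CA (which produces the same "error 19 ... self signed certificate in certificate chain" seen in the debug output above) and once with the client trusting the issuing CA (which succeeds). The CA names, the hostname ldap.example.local and the file names are invented for the demo, and it assumes only that openssl is on PATH. The issuing CA is passed as -untrusted in both runs to model the server sending its own self-signed CA in the handshake, which is what makes the failure error 19 rather than the "unable to get local issuer certificate" variant.

```shell
#!/bin/sh
# Added example (not from the question or the answer above): reproduce the
# "self signed certificate in certificate chain" failure with openssl and
# show the same server certificate verifying once the issuing CA is trusted.
# Assumption: openssl is on PATH. All names and paths are invented for the demo.

# make_test_pki DIR: create a throwaway CA, an unrelated second CA, and a
# server certificate for the LDAP host issued by the first CA.
make_test_pki() {
  dir=$1
  # Self-signed CA that signs the LDAP server cert (what TLS_CACERT must hold).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example LDAP CA" \
    -keyout "$dir/cacert.key" -out "$dir/cacert.crt" 2>/dev/null
  # A different self-signed CA, standing in for a wrong TLS_CACERT.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Some Other CA" \
    -keyout "$dir/other-ca.key" -out "$dir/other-ca.crt" 2>/dev/null
  # Server certificate for the invented LDAP hostname, signed by the first CA.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=ldap.example.local" \
    -keyout "$dir/ldap.key" -out "$dir/ldap.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/ldap.csr" \
    -CA "$dir/cacert.crt" -CAkey "$dir/cacert.key" -CAcreateserial \
    -out "$dir/ldap.crt" 2>/dev/null
}

# verify_server_cert CERT TRUSTED_CA CHAIN: validate CERT the way a TLS
# client does. TRUSTED_CA plays the role of TLS_CACERT; CHAIN is the issuer
# certificate the server sends along with its own (passed as -untrusted, so
# it is used for chain building but is not trusted on its own).
# Prints openssl's verdict and returns 0 only on "OK".
verify_server_cert() {
  out=$(openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1)
  echo "$out"
  case "$out" in
    *": OK"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Client trusts the wrong CA: the chain ends in a self-signed certificate that
# is not trusted, i.e. "error 19 ... self signed certificate in certificate chain".
verify_with_wrong_ca() {
  verify_server_cert "$1/ldap.crt" "$1/other-ca.crt" "$1/cacert.crt"
}

# Client trusts the issuing CA (TLS_CACERT points at the right file): OK.
verify_with_right_ca() {
  verify_server_cert "$1/ldap.crt" "$1/cacert.crt" "$1/cacert.crt"
}

# Stand-alone demo.
demo() {
  work=$(mktemp -d)
  make_test_pki "$work"
  echo "== TLS_CACERT points at an unrelated CA =="
  verify_with_wrong_ca "$work" || echo "(verification failed, as in the question)"
  echo "== TLS_CACERT points at the CA that signed the server cert =="
  verify_with_right_ca "$work"
  rm -rf "$work"
}
demo
```

The same check can be run against a live server by feeding the chain from `openssl s_client -connect ldap.[my host].local:636 -showcerts` into the -untrusted argument and the file named by TLS_CACERT into -CAfile: if openssl verify reports OK there, the CA file is right and the remaining problem is on the libldap/GnuTLS side; if it reports error 19 or 20, the file TLS_CACERT points at is not the CA that signed the server certificate.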
The issue is that the version of GnuTLS that is shipped with Ubuntu 12.04 uses a defective crypto back-end.
GnuTLS was supposed to be switched from using gcrypt as the crypto back-end to nettle, but there are licensing issues. Specifically, some GPL licenses permit linking with newer or older versions of the GPL and some do not.
You can either rebuild GnuTLS from source configured with nettle or hack gcrypt the way Howard Chu suggested someplace. Instructions on the former are in this bug report.
https://bugs.launchpad.net/bugs/926350