Hi William,

>>>> sed -i -e 's/ldap.OPT_X_TLS_HARD/ldap.OPT_X_TLS_NEVER/' /usr/lib/python3.6/site-packages/lib389/__init__.py
>>>> sed -i -e 's/ldap.OPT_X_TLS_HARD/ldap.OPT_X_TLS_NEVER/' /usr/lib/python3.6/site-packages/lib389/cli_base/dsrc.py
> 
> You don't need to do this. You can set tls_reqcert = never in your dsrc file.
> You do not need to edit the lib389 source code.

Yep, thanks! Indeed, if I put a custom cacertdir with correct certs or 
tls_reqcert=never into .dsrc, dsconf v1.4.3 works:
[slapd-ldaps://ldap-model.polytechnique.fr:636]
uri = ldaps://ldap-model.polytechnique.fr:636
###########tls_reqcert = never
tls_cacertdir = /tmp/tls_cacertdir

Is there any way to use a global parameter in .dsrc, without a section per 
server? We have several LDAP servers, all signed by the same CA; making a 
section per server will be a bit tedious.

> 
> Can you show us your /etc/openldap/ldap.conf please?
"ldapsearch -x -H ldaps://" works, so it is not a matter of the content of this 
file. By default it is empty in our case (we use commercial certificates), but 
I tried to point TLS_CACERT to the CA certificates that signed the server's 
cert. It does not fix anything for dsconf 1.4.3 (but it does influence 
ldapsearch and dsconf v1.4.2, of course). Here are all the tests I've done 
(the commented-out #TLS_CACERT parameters).

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
#TLS_CACERT     /etc/pki/tls/cert.pem
#TLS_CACERT     /Admin/SOURCES/389/Config/CA-sectigo-intermediates-root.crt
#TLS_CACERT     /Admin/SOURCES/389/Config/GEANT-OV-RSA-CA-4.crt
#TLS_CACERT     /Admin/SOURCES/389/Config/USERTrust-RSA-Certification-Authority.crt
#TLS_CACERT     /Admin/SOURCES/389/Config/AAA-Certificate-Services.crt


I disabled TLS_CACERT, and that makes openldap clients use the system PEM bundle. It 
works for ldapsearch and dsconf v1.4.2, but not for dsconf v1.4.3.


>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-shared-system-certificates_security-hardening
>> (by "update-ca-trust" and/or "trust anchor path.to/certificate.crt").
> 
> The system pem bundles are NOT used by openldap which means that lib389 can't
> use them. You must configure the tls_cacertdir or tls_cacert is dsrc to point
> at your CA cert.

Actually, in RHEL/CentOS they ARE used by the openldap client if TLS_CACERT is not 
specified explicitly. Here is the snippet of the /etc/openldap/ldap.conf file with 
explanations:
# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT     /etc/pki/tls/cert.pem

And it is easy to confirm that the system global bundle is indeed used, with any 
self-signed CA authority:
[root@ldap-centos8 ~]# ldapsearch -x -H ldaps://ldap-ens.polytechnique.fr -b "" -s base
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@ldap-centos8 ~]# trust anchor /tmp/my_ca_8192.crt 
[root@ldap-centos8 ~]# ldapsearch -x -LLL -H ldaps://ldap-ens.polytechnique.fr -b "" -s base
dn:
objectClass: top
defaultnamingcontext: dc=id,dc=polytechnique,dc=edu
dataversion: 020201121013314020201121013314
netscapemdsuffix: cn=ldap://dc=ldap-ens,dc=polytechnique,dc=fr:389
lastusn;userroot: 33863940
lastusn;netscaperoot: -1
[root@ldap-centos8 ~]# trust anchor --remove /tmp/my_ca_8192.crt 
[root@ldap-centos8 ~]# ldapsearch -x -LLL -H ldaps://ldap-ens.polytechnique.fr -b "" -s base
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

But all in all, I think I start to see where the problem comes from. dsconf 
version 1.4.2 uses /etc/openldap/ldap.conf (which in turn uses the system PEM 
bundle if no TLS_CACERT is specified) for certs/CA. Starting from 1.4.3, dsconf 
completely ignores the /etc/openldap/ldap.conf file and pays attention only to its 
own .dsrc file. It explains everything that I see. It's a bit of a pity that there 
is no global section in .dsrc like in /etc/openldap/ldap.conf; one needs to 
create a section per LDAP server, often with the same parameters.

Thanks again for help, it's clear for me now!

Have a nice day! :)
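Following the thread's conclusion that dsconf 1.4.3 reads only its own .dsrc and therefore needs a section per server, here is an added Python example (not code from 389-ds or lib389) that generates those sections from one shared CA setting and flags any section whose tls_reqcert turns certificate verification off. The `slapd-<name>` section naming, the hosts and the CA directory are assumptions; the keys uri, tls_cacertdir and tls_reqcert are the ones used in the thread.

```python
"""Generate and audit a .dsrc with one [slapd-<name>] section per server."""
import configparser
import io

# Constructed sample inventory: instance name -> LDAPS host (assumed values)
SERVERS = {
    "model": "ldap-model.example.org",
    "ens": "ldap-ens.example.org",
}
# Constructed: a hashed CA directory shared by every section (assumed path)
CA_DIR = "/etc/openldap/cacerts"


def render_dsrc(servers, tls_cacertdir, tls_reqcert="hard", port=636):
    """Return .dsrc text with one section per server. The CA settings are
    repeated in each section because there is no global section to inherit
    from; "hard" keeps full certificate verification (lib389's default)."""
    cfg = configparser.ConfigParser(interpolation=None)
    for name, host in servers.items():
        cfg[f"slapd-{name}"] = {
            "uri": f"ldaps://{host}:{port}",
            "tls_cacertdir": tls_cacertdir,
            "tls_reqcert": tls_reqcert,
        }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def tls_settings(dsrc_text, instance):
    """Effective TLS settings for one instance, or None if it has no section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(dsrc_text)
    section = f"slapd-{instance}"
    if section not in cfg:
        return None
    s = cfg[section]
    return {"uri": s.get("uri"), "tls_cacertdir": s.get("tls_cacertdir"),
            "tls_reqcert": s.get("tls_reqcert", "hard")}


def unverified_sections(dsrc_text):
    """Sections whose tls_reqcert (never/allow) accepts any server certificate;
    these are the ones to review before the file goes into production."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(dsrc_text)
    return [sec for sec in cfg.sections()
            if cfg[sec].get("tls_reqcert", "hard").lower() in ("never", "allow")]


if __name__ == "__main__":
    text = render_dsrc(SERVERS, CA_DIR)
    print(text)
    print("sections without verification:", unverified_sections(text))
```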

_______________________________________________
389-users mailing list -- [email protected]
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]