[Mageia-sysadm] ldap server certificate (was: Re: [Mageia-discuss] Fosdem report)

Buchan Milne bgmilne at zarb.org
Wed Feb 15 08:25:22 CET 2012


On Tuesday, 14 February 2012 17:36:14 nicolas vigier wrote:
> On Tue, 14 Feb 2012, Oliver Burger wrote:
> > But shall we write that command line into the wiki? Aside from not
> > working:
> > [oli at beteigeuze avfs]$ ldapsearch -W -Z -h ldap.mageia.org -D uid=obgr_seneca,ou=People,dc=mageia,dc=org -b ou=Group,dc=mageia,dc=org
> > ldap_start_tls: Connect error (-11)
> > Enter LDAP Password:
> > ldap_result: Can't contact LDAP server (-1)
> 
> It looks like we are still using a self-signed certificate on the ldap
> server.

Yes.

> So it's required to have "TLS_REQCERT allow" in
> /etc/openldap/ldap.conf to be able to connect to the ldap server.

There are a few issues. If the self-signed cert and key were separate files 
(new installs of openldap-server will do it this way as of current cauldron), 
then the self-signed cert would not be too much of an issue if the self-signed 
cert were distributed to all nodes and set as the TLS_CACERT, e.g.:

# grep ^TLS_CACERT /etc/openldap/ldap.conf
TLS_CACERT      /etc/ssl/openldap/ldap.mageia.org.pem


The next issue is:
# openssl x509 -noout -subject -in /etc/ssl/openldap/ldap.mageia.org.pem
subject= /C=FR/ST=France/L=Marseille/O=Mageia/OU=Ldap server/CN=valstar.mageia.org/emailAddress=root at mageia.org

subjectCN does not match the hostname that was provided, and no Subject 
Alternative Names provided, so:


# ldapsearch -LLL -x -h ldap.mageia.org -ZZ -s base -b '' namingContexts
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate

vs
# ldapsearch -LLL  -x -h valstar.mageia.org -ZZ -s base -b '' namingContexts
dn:
namingContexts: dc=mageia,dc=org
namingContexts: dc=test_ldap


But, this doesn't scale. We already have 2 LDAP servers, we would now need to 
have both of their certs in the TLS_CACERT, and update it if:
- a cert is updated for whatever reason
- we add more servers

> Should we also use the *.mageia.org certificate on the ldap server ?

No, as you are distributing the key too widely, opening up easy avenues for 
decrypting the traffic.

> Or have our own CA

Yes.

> with keys distributed by rpm packages in the
> distribution ?

No. Possibly the CA cert distributed, if we intend for distribution users to 
access our LDAP directory from the internet (which seems is currently 
possible). But, then I am not sure if that is intended, or a mistake.

Regards,
Buchan
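The two failure modes discussed above (a self-signed cert whose CN is valstar.mageia.org while clients connect to ldap.mageia.org, and the need to put every server's cert into TLS_CACERT when there is no CA), reproduced as an added shell example that is not from the thread or from Mageia's own infrastructure; the hostnames are the ones named in the thread, the CA name and temporary paths are assumptions, and it needs openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not Mageia's code: show why a CN-only self-signed cert fails the
# hostname check for ldap.mageia.org, and how one private CA (only ca.pem is
# distributed as TLS_CACERT, never the CA key) covers any server we add.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed cert in the style of the current server: CN only, no SAN.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Mageia/OU=Ldap server/CN=valstar.mageia.org" \
        -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# Private CA (assumed name) plus a server cert whose SANs carry every
# name clients actually use; adding a server means issuing one more cert.
make_ca_issued() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Mageia/CN=Mageia LDAP CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Mageia/CN=valstar.mageia.org" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    printf 'subjectAltName=DNS:valstar.mageia.org,DNS:ldap.mageia.org\n' \
        > "$WORK/san.cnf"
    openssl x509 -req -days 365 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.cnf" \
        -out "$WORK/srv.pem" 2>/dev/null
}

# The same two checks libldap applies with TLS_REQCERT demand: chain to the
# trust anchor ($1, what TLS_CACERT would point at) and hostname ($3) match.
# Prints "ok" or "fail" and returns 0 or 1.
check_host() {
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    echo fail
    return 1
}

make_selfsigned
make_ca_issued
check_host "$WORK/self.pem" "$WORK/self.pem" valstar.mageia.org         # ok
check_host "$WORK/self.pem" "$WORK/self.pem" ldap.mageia.org || true    # fail: CN mismatch, no SAN
check_host "$WORK/ca.pem" "$WORK/srv.pem" ldap.mageia.org               # ok via SAN
check_host "$WORK/ca.pem" "$WORK/srv.pem" valstar.mageia.org            # ok via SAN
```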

