215054 – net-nds/openldap - ldapsearch does not need ca-certs while TLS_REQCERT=demand

Bug 215054 - net-nds/openldap - ldapsearch does not need ca-certs while TLS_REQCERT=demand

Summary: net-nds/openldap - ldapsearch does not need ca-certs while TLS_REQCERT=demand

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	[OLD] Server (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo LDAP project

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2008-03-27 13:47 UTC by Evert
Modified:	2008-09-17 18:33 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Evert 2008-03-27 13:47:54 UTC

When using SSL with ldapsearch, the default is to demand certificate verification (see man ldap.conf, TLS_REQCERT).
So, when no pointer to a certificate is specified in ldap.conf, this results in

$ ldapsearch -H ldaps://ldap.example.com -x -LLL -b o=maintree -s base dn
ldap_bind: Can't contact LDAP server (-1)
	additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

which is normal behaviour. A workaround is to revert to the old behaviour by setting TLS_REQCERT to allow in /etc/openldap/ldap.conf, but in my case, I really want the demand setting.

So, I created a directory /etc/openldap/ca-certs/ and put in the wanted ca-certs like explained in http://www.afp548.com/article.php?story=20071203011158936&mode=print

My /etc/openldap/ldap.conf now looks like:
TLS_REQCERT    demand
TLS_CACERTDIR  /etc/openldap/ca-certs

This made the ldapsearch command happy.
However, after deleting all the ca-certs in /etc/openldap/ca-certs/ , the ldapsearch command is still happy which conflicts with the demand setting in /etc/openldap/ldap.conf!

So basically, setting TLS_CACERTDIR to some existing directory (I also tested with an empty directory named /test ) is enough to make the ldapsearch command happy (just like setting TLS_REQCERT to allow).


Reproducible: Always

Steps to Reproduce:
1. create an empty directory /etc/openldap/ca-certs
2. put the following in /etc/openldap/ldap.conf
TLS_REQCERT    demand
TLS_CACERTDIR  /etc/openldap/ca-certs

3. ldapsearch -H ldaps://ldap.example.com -x -LLL -b o=maintree -s base dn

Actual Results:  
the ldapsearch command happily queries the server


Expected Results:  
the ldapsearch command should complain that certificate verify failed since no ca-certificate is installed in /etc/openldap/ca-certs


# emerge --info
Portage 2.1.4.4 (default-linux/x86/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24.2 i686)
=================================================================
System uname: 2.6.24.2 i686 Intel(R) Pentium(R) 4 CPU 2.80GHz
Timestamp of tree: Thu, 27 Mar 2008 07:00:02 +0000
app-shells/bash:     3.2_p17-r1
dev-java/java-config: 1.3.7, 2.1.4
dev-lang/python:     2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -mtune=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -mtune=i686 -pipe"
DISTDIR="/data/linux/gentoo/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="C"
LINGUAS="en en_US en_GB nl de"
MAKEOPTS="-j2"
PKGDIR="/data/linux/gentoo/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/compile"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl alsa apache2 apm berkdb cli cracklib crypt cups dri dvd dvdr dvdread encode esd exif fortran gdbm gif gnome gpm gstreamer gtk iconv imlib ipv6 isdnlog java jpeg ldap mad midi mikmod mmx mng mozilla mp3 mpeg mplayer mudflap ncurses nls nptl nptlonly nsplugin ogg opengl openmp oss pam pcre pdf perl png ppd pppd python qt qt3 qt4 quicktime readline reflection samba sdl session spell spl sse ssl svg tcpd tiff truetype unicode v4l v4l2 vcd vorbis wmf x86 xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse wacom" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_US en_GB nl de" USERLAND="GNU" VIDEO_CARDS="vesa fbdev i810 mga"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 1 Evert 2008-09-10 17:28:30 UTC

It looks like this issue is solved in the current version of openldap.

The LDAP server I use has an official certificate issued by Cybertrust (GTE CyberTrust Global Root), but still there is a softlink missing in /etc/ssl/certs which I had to create manually:

# openssl x509 -hash -noout -in /etc/ssl/certs/GTE_CyberTrust_Global_Root.pem
4d654d1d

# cd /etc/ssl/certs
# ln -s GTE_CyberTrust_Global_Root.pem 4d654d1d.0

Now, /etc/ssl/certs should be specified as TLS_CACERTDIR in /etc/openldap/ldap.conf:

# vi /etc/openldap/ldap.conf
TLS_REQCERT     demand
TLS_CACERTDIR   /etc/ssl/certs

After this, the ldap utilities like ldapsearch are happy :)

So, my conclusion is, there is a softlink missing in /etc/ssl/certs:

4d654d1d.0 -> GTE_CyberTrust_Global_Root.pem

Looks like /etc/ssl/certs/GTE_CyberTrust_Global_Root.pem is not registered in the package database

# q qfile /etc/ssl/certs/GTE_CyberTrust_Global_Root.pem

but 

# ls -l /etc/ssl/certs/GTE_CyberTrust_Global_Root.pem
lrwxrwxrwx 1 root root 65 sep 10 00:15 /etc/ssl/certs/GTE_CyberTrust_Global_Root.pem -> /usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt

# q qfile /usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt
app-misc/ca-certificates (/usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt)

So I think app-misc/ca-certificates is missing the link or maybe openssl is missing the link since all other *.0 files are in the openssl package:

# q qfile /etc/ssl/certs/*.0
dev-libs/openssl (/etc/ssl/certs/0481cb65.0)
dev-libs/openssl (/etc/ssl/certs/0dbd0096.0)
dev-libs/openssl (/etc/ssl/certs/1e49180d.0)
dev-libs/openssl (/etc/ssl/certs/2edf7016.0)
dev-libs/openssl (/etc/ssl/certs/2fb1850a.0)
dev-libs/openssl (/etc/ssl/certs/56e607f4.0)
dev-libs/openssl (/etc/ssl/certs/6adf0799.0)
dev-libs/openssl (/etc/ssl/certs/7651b327.0)
dev-libs/openssl (/etc/ssl/certs/7a9820c1.0)
dev-libs/openssl (/etc/ssl/certs/843b6c51.0)
dev-libs/openssl (/etc/ssl/certs/878cf4c6.0)
dev-libs/openssl (/etc/ssl/certs/a3c60019.0)
dev-libs/openssl (/etc/ssl/certs/aad3d04d.0)
dev-libs/openssl (/etc/ssl/certs/bda4cc84.0)
dev-libs/openssl (/etc/ssl/certs/c33a80d4.0)
dev-libs/openssl (/etc/ssl/certs/cdd7aee7.0)
dev-libs/openssl (/etc/ssl/certs/d4e39186.0)
dev-libs/openssl (/etc/ssl/certs/ddc328ff.0)
dev-libs/openssl (/etc/ssl/certs/f73e89fd.0)

Anyway, the /etc/ssl/certs/4d654d1d.0 link is missing.

Comment 2 Robin Johnson archtester

2008-09-10 18:52:40 UTC

evert: please test per these instructions:
1. get rid of your manual softlink
2. emerge ca-certificates 
3. etc-update
4. emerge ca-certificates 
5. check for softlink again

Comment 3 Evert 2008-09-11 09:57:38 UTC

I did:
1. rm /etc/ssl/certs/4d654d1d.0
2. emerge -av1 ca-certificates
3. etc-update
4. emerge -av1 ca-certificates
5. ls -ld /etc/ssl/certs/4d654d1d.0

ls: cannot access /etc/ssl/certs/4d654d1d.0: No such file or directory

Note:
/etc/ssl/certs/* belongs to dev-libs/openssl-0.9.8g-r2
/usr/share/ca-certificates/* belongs to app-misc/ca-certificates-20080514-r2

I think that is very strange too! I would expect both directories to belong to app-misc/ca-certificates!

Comment 4 Robin Johnson archtester

2008-09-11 11:06:25 UTC

/etc/ssl/certs as the directory belongs to openssl.
The contents are symlinks into /usr/share/ca-certificates that are NOT owned by any package, but ARE create by the update-ca-certificates script called by postinst of ca-certificates.

However, I do see the problem.

If the hex symlink gets removed, but NOT the named one, update-ca-certificates doesn't run the rehash, causing the hash symlink not to get re-created.

Fixed instructions:
1. rm -f /etc/ssl/certs/4d654d1d.0 /etc/ssl/GTE_CyberTrust_Global_Root.pem
2. emerge -av1 ca-certificates
3. etc-update
4. emerge -av1 ca-certificates
5. ls -ld /etc/ssl/certs/4d654d1d.0

You can skip 2+3 if it isn't an upgrade. The only reason I listed it twice was for old users that didn't get the postinst before.

Comment 5 Evert 2008-09-11 15:10:13 UTC

Great! So in fact it would be better to get rid of /etc/ssl/certs completely and remerge openssl and ca-certificates? Well, after having done what you told me, I did:
1. mv /etc/ssl/certs /etc/ssl/certs.bak
2. emerge -av1 openssl ca-certificates
3. ls -ld /etc/ssl/certs/*.0

Isn't it possible to include those hash links as part of the package so those links are registered in the package database /var/db/pkg/*/*/CONTENTS ?

Comment 6 Evert 2008-09-11 16:38:27 UTC

FYI, update-ca-certificates --fresh
also fixes the symlinks!

Comment 7 Robin Johnson archtester

2008-09-11 18:59:47 UTC

No, we don't want the named or hash symlinks to be part of the CONTENTS, because the user may have other certificates that override them with update-ca-certificates.

--fresh is an option, but only for manual runs, since it can kill any manually created symlinks. We need some way that it only removes ones it installed, as well as any that are broken symlinks.

Comment 8 Evert 2008-09-12 12:49:04 UTC

I thought that's what CONFIG_PROTECT is for! 
But I see what you mean, portage ignores CONFIG_PROTECT for symlinks, also when mtime and/or "value" of the symlink differs from what is registered in the CONTENTS database. I think that's a problem of portage!

The dead links part could be easily done like this:
find /etc/ssl/certs/ -type l | (while read symlink; do [ -e "$symlink" ] || rm -- "$symlink"; done)

Anyway, , I'm closing this bug since my problem is solved :)
Thanx for the support!

Comment 9 Robin Johnson archtester

2008-09-12 22:10:00 UTC

evert:
easier way to find broken symlinks:
# find -L $DIR -type l

Comment 10 Evert 2008-09-17 18:33:26 UTC

That's a lot easier indeed, thanx for the tip Robin! :)