RHEL4, LDAP, TLS followup

Richard Bullington-McGuire rbulling at pkrinternet.com
Mon Aug 1 20:25:56 UTC 2005


I just came across the messages regarding RHEL4, LDAP and TLS on the list 
previously:

https://www.redhat.com/archives/redhat-list/2005-May/msg00210.html

I had been struggling with the same problem, and this was just the push 
that I needed to figure out how to get RHEL 4 working as a client.

The key insight was that RHEL4's nss_ldap module validates the certificate 
by default, despite this bit of documentation in /etc/ldap.conf:

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes

It appears that the default has changed to "tls_checkpeer yes" without the 
comment being changed in the configuration file. This is documented in 
Bugzilla:

  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=122129
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123877
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126474

If you are running with a self-signed certificate (as is the case by 
default if you don't install another certificate), RHEL 4's nss_ldap will 
fail unless "tls_checkpeer no" is set in /etc/ldap.conf.

Alternatively, if you are concerned about SSL security, you can use a 
properly signed SSL certificate, and use the tls_cacert or tls_cacertdir 
directives to point nss_ldap at the CA's certificate so that it can 
validate the presented LDAP certificate.

I set up my own CA and then generated a certificate for the LDAP server, 
signed it, and then made my CA's certificate available through the 
tls_cacert directive, and it worked. If you generate a certificate and 
have it signed by a commercial CA, you could set tls_cacert as follows:

tls_cacert /usr/share/ssl/certs/ca-bundle.crt

-- 
  Richard Bullington-McGuire, Managing Partner, PKR Internet, LLC
  Email: rbulling at pkrinternet.com  Web: http://pkrinternet.com/
  Phone: +1 (703) 271 0607  Fax: +1 (703) 271 0580
  PGP key IDs:  RSA: 0x9386230  DH/DSS: 0xDAC3028E
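As an added example (not part of Richard's message and not nss_ldap's own code), the following Python checker reads an /etc/ldap.conf the way nss_ldap treats its directives (one "directive value" per line, "#" starts a comment) and reports the effective peer-verification state. It encodes the post's finding as an assumption: when tls_checkpeer is absent, the effective default is "yes" even though the stock comment says "no". The sample configuration text is constructed; the CA bundle path is the one quoted in the post.

```python
"""Check an nss_ldap ldap.conf for the TLS peer-verification situation
described in the post. Added example, not code from the original message
or from nss_ldap; the sample configuration text below is constructed."""
from typing import Dict, List

# Assumption taken from the post: RHEL4's nss_ldap verifies the server
# certificate unless "tls_checkpeer no" is set, although the stock file's
# comment still claims the default is "no".
EFFECTIVE_DEFAULT_CHECKPEER = "yes"

# Constructed sample: the stock comment block plus a few typical directives.
SAMPLE_STOCK_CONF = """\
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes
uri ldaps://ldap.example.com/
base dc=example,dc=com
ssl on
"""

# Constructed sample: the post's fix for a certificate signed by a commercial CA.
SAMPLE_FIXED_CONF = SAMPLE_STOCK_CONF + "tls_cacert /usr/share/ssl/certs/ca-bundle.crt\n"


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Return the active directives as {key: value} with lower-cased keys.

    A line beginning with '#' is a comment, so the stock '#tls_checkpeer yes'
    line is NOT a setting. A later line for the same key overrides an earlier one.
    """
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def assess_tls(directives: Dict[str, str]) -> Dict[str, object]:
    """Decide whether nss_ldap will verify the LDAP server certificate and
    whether it has a trust anchor (tls_cacert/tls_cacertdir) to verify against,
    and list the points a reviewer of this file should know about."""
    explicit = "tls_checkpeer" in directives
    checkpeer = directives.get("tls_checkpeer", EFFECTIVE_DEFAULT_CHECKPEER).lower()
    verifies = checkpeer == "yes"
    has_anchor = "tls_cacert" in directives or "tls_cacertdir" in directives
    findings: List[str] = []
    if not explicit:
        findings.append("tls_checkpeer not set: effective default is 'yes', "
                        "despite the file's comment saying 'no'")
    if verifies and not has_anchor:
        findings.append("peer verification is on but no tls_cacert/tls_cacertdir "
                        "is configured: a self-signed or private-CA server "
                        "certificate will be rejected")
    if not verifies:
        findings.append("tls_checkpeer no: the server certificate is not verified, "
                        "so the client cannot detect an impersonated LDAP server")
    return {"verifies_peer": verifies, "has_trust_anchor": has_anchor,
            "findings": findings}


def lint(text: str) -> Dict[str, object]:
    """Parse and assess an ldap.conf given as text."""
    return assess_tls(parse_ldap_conf(text))


if __name__ == "__main__":
    for name, conf in (("stock", SAMPLE_STOCK_CONF), ("fixed", SAMPLE_FIXED_CONF)):
        result = lint(conf)
        print(f"[{name}] verifies_peer={result['verifies_peer']} "
              f"has_trust_anchor={result['has_trust_anchor']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the stock file it reports that verification is on with nothing to verify against, which is exactly the failure the post describes with a self-signed certificate; against the fixed file only the implicit-default note remains. To lint a real system, pass the contents of /etc/ldap.conf to lint().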



