SOLVED LDAPS and adding new CA to trust store

verdon

Well-Known Member
Nov 1, 2003
911
10
168
59
Northern Ontario, Canada
cPanel Access Level
Root Administrator
Hi,

I have recently moved a number of Wordpress sites to my server that use an LDAP/S authentication plugin to authenticate against another host. The LDAP host uses an internal CA for it's certificates. On the server where I moved them from, I added this to the httpd.conf file before the virtual host containers, and that seemed to work.
Code:
LDAPVerifyServerCert Off
I have tried adding that with the Apache include editor on the new cPanel server, in all 3 areas, with no effect.

I have also tried adding the custom CA root and intermediary certificates to the cPanel server (CentOS 6) following these instructions, which is basically,
Code:
$ # put the file(s) in /etc/pki/ca-trust/source/anchors
$ update-ca-trust extract
That completes with no error (or feedback at all) but still no love.

When I try running something like
Code:
$ ldapsearch -H ldaps://yourdc.yourdomain.org  -x -D "CN=testuser,OU=YourOU,OU=YourOU,DC=domain,DC=com" -b "dc=domain,dc=com" -W -d 7
I still get
Code:
TLS: certificate [redacted] is not valid - error -8179:Peer's Certificate issuer is not recognized..
tls_write: want=7, written=7
  0000:  15 03 03 00 02 02 30                               ......0           
TLS: error: connect - force handshake failure: errno 2 - moznss error -8179
TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
So I have to assume the private CA is not installed on my end, so the cert is not trusted. I know the ports are open, and I can authenticate fine over ldap (port 389), just not ldaps (port 636). I've been scratching my head for hours and am out of ideas...

Any suggestions?
 

verdon

Well-Known Member
Nov 1, 2003
911
10
168
59
Northern Ontario, Canada
cPanel Access Level
Root Administrator
Just to follow up here, in case anyone else stumbles across this...

I had a couple issues and discovered a few things. Ultimately, there's a file at
Code:
/etc/openldap/ldap.conf
It has a configuration for
Code:
TLS_CACERTDIR /etc/openldap/cacerts
which was wrong. That directory didn't even exist. Once that was corrected and my CA was being recognized, I realized I had a name mismatch in the SSL cert (I was trying to connect via IP address and the cert was based on a name). Although I'll probably put an entry in my /etc/hosts file for now, as the name in the cert is an internal only name and not a FQDN, I also discovered that you can put the following in the ldap.conf file for blind trust.
Code:
TLS_REQCERT allow
Most of the pointers I found were in this conversation at serverfault.
 
  • Like
Reactions: cPanelMichael