SOLVED LDAPS and adding new CA to trust store

verdon

Well-Known Member
Nov 1, 2003
945
16
168
Northern Ontario, Canada
cPanel Access Level
Root Administrator
Hi,

I have recently moved a number of Wordpress sites to my server that use an LDAP/S authentication plugin to authenticate against another host. The LDAP host uses an internal CA for its certificates. On the server where I moved them from, I added this to the httpd.conf file before the virtual host containers, and that seemed to work.
Code:
LDAPVerifyServerCert Off
I have tried adding that with the Apache include editor on the new cPanel server, in all 3 areas, with no effect.

I have also tried adding the custom CA root and intermediary certificates to the cPanel server (CentOS 6) following these instructions, which is basically,
Code:
$ # put the file(s) in /etc/pki/ca-trust/source/anchors
$ update-ca-trust extract
That completes with no error (or feedback at all) but still no love.

When I try running something like
Code:
$ ldapsearch -H ldaps://yourdc.yourdomain.org  -x -D "CN=testuser,OU=YourOU,OU=YourOU,DC=domain,DC=com" -b "dc=domain,dc=com" -W -d 7
I still get
Code:
TLS: certificate [redacted] is not valid - error -8179:Peer's Certificate issuer is not recognized..
tls_write: want=7, written=7
  0000:  15 03 03 00 02 02 30                               ......0           
TLS: error: connect - force handshake failure: errno 2 - moznss error -8179
TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
So I have to assume the private CA is not installed on my end, so the cert is not trusted. I know the ports are open, and I can authenticate fine over ldap (port 389), just not ldaps (port 636). I've been scratching my head for hours and am out of ideas...

Any suggestions?
 

verdon
Just to follow up here, in case anyone else stumbles across this...

I had a couple of issues and discovered a few things. Ultimately, there's a file at
Code:
/etc/openldap/ldap.conf
It has a configuration for
Code:
TLS_CACERTDIR /etc/openldap/cacerts
which was wrong. That directory didn't even exist. Once that was corrected and my CA was being recognized, I realized I had a name mismatch in the SSL cert (I was trying to connect via IP address and the cert was based on a name). Although I'll probably put an entry in my /etc/hosts file for now, as the name in the cert is an internal only name and not a FQDN, I also discovered that you can put the following in the ldap.conf file for blind trust.
Code:
TLS_REQCERT allow
Most of the pointers I found were in this conversation at serverfault.
 
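A check for the two client-side trust problems described in the post above, as an added example (not code from the thread, OpenLDAP or cPanel): it parses an ldap.conf, flags a TLS_CACERT/TLS_CACERTDIR path that does not exist (so the private CA can never be recognized) and a TLS_REQCERT value that turns verification off. The sample configs and the ca-bundle path are constructed for the example.

```python
"""Audit an OpenLDAP client ldap.conf for a missing CA path and for a
TLS_REQCERT value that disables certificate verification (blind trust)."""
import os
from typing import Callable, Dict, List

# TLS_REQCERT values under which the client proceeds without a verified peer cert.
DISABLES_VERIFICATION = {"never", "allow"}


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Map each directive (upper-cased) to its value; a later line overrides an earlier one."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_ldap_conf(text: str, path_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return findings for the config text; an empty list means neither problem is present."""
    s = parse_ldap_conf(text)
    findings: List[str] = []
    for key in ("TLS_CACERT", "TLS_CACERTDIR"):
        path = s.get(key)
        if path and not path_exists(path):
            findings.append(f"{key} {path} does not exist: the private CA can never be recognized")
    reqcert = s.get("TLS_REQCERT", "demand").lower()  # OpenLDAP's default is demand
    if reqcert in DISABLES_VERIFICATION:
        findings.append(f"TLS_REQCERT {reqcert} disables verification: any certificate, "
                        "including a forged one, is accepted")
    elif reqcert == "try":
        findings.append("TLS_REQCERT try accepts a missing server certificate; prefer demand")
    return findings


# Constructed samples: the first mirrors the state described in the thread.
BROKEN_CONF = """TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
"""
FIXED_CONF = """# bundle path as written by update-ca-trust on CentOS (assumed for the example)
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_ldap_conf(conf) or ["ok"])
```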

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,260
463
Hello @verdon,

Thanks for taking the time to share the outcome here. I've marked this thread as SOLVED.