I am investigating the LinOTP open source version, running on CentOS 6 with MySQL 5.6 & Apache 2.2.
We have an OpenLDAP server, which is available at ldaps://ldaptest.example.org/ (TLS on port 636). I can reach the LDAP server and perform queries using `/usr/bin/ldapsearch` without any issue.
However, I am having a heck of a time getting LinOTP to work with the certificate on our LDAP server. No matter what I do with the LDAP Resolver, LinOTP spews the error "Can't contact LDAP server", like the following from the log file:
```
2016/03/08 - 14:44:20 ERROR {139646373201664} [useridresolver.LDAPIdResolver][testconnection #299] [testconnection] LDAP Error: {'desc': "Can't contact LDAP server"}
Traceback (most recent call last):
  File "/opt/LINOTP/lib/python2.6/site-packages/useridresolver/LDAPIdResolver.py", line 265, in testconnection
    l.simple_bind_s(dn_encode, pw_encode)
  File "/opt/LINOTP/lib/python2.6/site-packages/ldap/ldapobject.py", line 222, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/opt/LINOTP/lib/python2.6/site-packages/ldap/ldapobject.py", line 216, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
  File "/opt/LINOTP/lib/python2.6/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
SERVER_DOWN: {'desc': "Can't contact LDAP server"}
```
The LDAP server is not down. I think my problem might be caused by a certificate trust issue, which I haven't been able to resolve by importing certificates to `/etc/ssl/certs`.
Can I configure LinOTP to never check for certificate validation? I placed the following in `/etc/openldap/ldap.conf` and LinOTP seems to be ignoring this setting. I've tried restarting Apache and even rebooting the server:
```
# cat /etc/openldap/ldap.conf
TLS_REQCERT never
```
Is there anything else I need to do to disable SSL certificate validation?
Thanks,
-= Stefan
It turns out that `TLS_REQCERT` wasn't the problem. In actuality, our `TLS_CACERTDIR` pointed to a directory which didn't exist. When I restored `TLS_CACERTDIR` to its default value of `TLS_CACERTDIR /etc/openldap/certs`, I got LinOTP to work without errors.
Thanks,
-= Stefan
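The two settings this thread turned on, `TLS_CACERTDIR` and `TLS_REQCERT`, can be checked before touching the LDAP resolver. The following is an added example, not code from the thread or from LinOTP: it parses a file in the format of `/etc/openldap/ldap.conf`, flags a `TLS_CACERTDIR` that does not exist (the failure Stefan hit, which `TLS_REQCERT never` does not mask because TLS setup fails before any certificate is verified) and flags a `TLS_REQCERT` value that turns verification off. The sample file contents are constructed, and `path_exists` is an injectable stand-in for `os.path.isdir` so the check runs offline.

```python
import os

# Constructed sample in the shape of /etc/openldap/ldap.conf (not from the thread).
SAMPLE_LDAP_CONF = """\
# OpenLDAP client configuration
URI ldaps://ldaptest.example.org/
TLS_REQCERT never
TLS_CACERTDIR /etc/openldap/certs-missing
"""


def parse_ldap_conf(text):
    """Return ldap.conf options as a dict; keys upper-cased, last occurrence wins."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            options[parts[0].upper()] = parts[1].strip()
    return options


def check_tls_settings(options, path_exists=os.path.isdir):
    """Return a list of findings about the client TLS trust configuration.

    path_exists defaults to os.path.isdir; tests inject a stand-in so no
    filesystem access is needed.
    """
    findings = []
    # libldap's default is "demand": verify the server certificate and fail otherwise.
    reqcert = options.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s: server certificate is not verified" % reqcert)
    # A TLS_CACERTDIR that does not exist breaks TLS initialisation outright,
    # which surfaces as "Can't contact LDAP server" rather than a trust error.
    cadir = options.get("TLS_CACERTDIR")
    if cadir and not path_exists(cadir):
        findings.append("TLS_CACERTDIR %s does not exist: TLS setup will fail" % cadir)
    if not cadir and not options.get("TLS_CACERTFILE"):
        findings.append("no TLS_CACERTDIR or TLS_CACERTFILE: trust store not set explicitly")
    return findings


def audit(text, path_exists=os.path.isdir):
    """Parse an ldap.conf body and return its findings in one call."""
    return check_tls_settings(parse_ldap_conf(text), path_exists)
```

Running `audit(open("/etc/openldap/ldap.conf").read())` on the box reproduces the missing-directory finding before LinOTP's test connection is attempted.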