Environment
NetIQ eDirectory
Novell Open Enterprise Server 2 (OES 2) Linux
Novell Open Enterprise Server 11 (OES 11) Linux
Situation
It has been reported to Novell Technical Services that, in various
circumstances, after patching or upgrading, any eDirectory action that
requires SSL/TLS communication fails because the OpenLDAP client on the
server rejects eDirectory's self-signed certificate chain. Two reported cases:
- This was found when building an automatic deployment of a XEN host with a guest containing OES11.
- This was seen after an OES2 SP3 to OES11 AutoYaST upgrade.
For example, the NCS proxy-rights script fails as follows:
/opt/novell/ncs/bin/ncs_proxy_rights_assign cn=OESCommonProxy_cl1-n01,ou=cl1,ou=services,o=lab cn=admin,o=lab 192.168.0.10 389 1
Failed to add user 'cn=OESCommonProxy_cl1-n01,ou=cl1,ou=services,o=lab' to NCS management group: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)', 'desc': "Can't contact LDAP server"}
or similar, in an agent log:
2012-04-14 02:24:16 <3> base11SP1(3456) [agent-ldap] LdapAgent.cc(debug_exception):487 additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
Resolution
Please (re-)add the following line to the '/etc/openldap/ldap.conf' file:
TLS_REQCERT allow
Note that 'allow' tells the OpenLDAP client to request the server certificate but to proceed with the session even when that certificate cannot be verified. This restores the pre-SP2 behaviour, at the cost of certificate validation for every OpenLDAP-based client on that host. Where validation is wanted, the alternative is to place the eDirectory tree CA certificate in the directory named by TLS_CACERTDIR (run c_rehash on that directory afterwards) or to reference it with TLS_CACERT, so that verification succeeds under the OpenLDAP default of 'TLS_REQCERT demand'.
A standard SLES11 SP2 '/etc/openldap/ldap.conf' file will appear as below :
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/ssl/certs
TLS_CERT /etc/ssl/servercerts/servercert.pem
TLS_KEY /etc/ssl/servercerts/serverkey.pem
After editing '/etc/openldap/ldap.conf' and adding the 'TLS_REQCERT allow' line, the file should appear as below :
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT allow
TLS_CACERTDIR /etc/ssl/certs
TLS_CERT /etc/ssl/servercerts/servercert.pem
TLS_KEY /etc/ssl/servercerts/serverkey.pem
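Because the reported cases are automated deployments (AutoYaST, XEN guest builds) that will be re-run, the edit is best applied as an idempotent script rather than by hand. The following is an added example, not part of the original TID or of any Novell/NetIQ tool: it reads the effective TLS_REQCERT value from an ldap.conf-style file (reporting the OpenLDAP default 'demand' when the directive is absent) and sets the directive to a requested level exactly once, replacing an existing line rather than appending a duplicate. The function names 'reqcert_value' and 'ensure_reqcert' are this example's own; the file path defaults shown are the ones the TID discusses.

```shell
#!/bin/sh
# Added example (not from the original TID): idempotently manage the
# TLS_REQCERT directive in an OpenLDAP client configuration such as
# /etc/openldap/ldap.conf. Intended for use from an AutoYaST post-script
# or similar, where the same step may run more than once.

# Print the effective TLS_REQCERT value of the given file. When the
# directive is absent, print "demand", which is the OpenLDAP built-in
# default and the value that makes unverifiable server certificates fatal.
reqcert_value() {
    f=$1
    v=$(sed -n 's/^[[:space:]]*TLS_REQCERT[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$f" | tail -n 1)
    if [ -z "$v" ]; then
        echo demand
    else
        echo "$v" | tr 'A-Z' 'a-z'
    fi
}

# Set TLS_REQCERT to the requested level (default: allow, as in the TID).
# An existing uncommented directive is replaced in place; otherwise one is
# appended. The rewrite goes through a temporary file so a failure leaves
# the original intact, and the result is made world-readable, not writable,
# as the comment header of the stock file requires.
ensure_reqcert() {
    f=$1
    level=${2:-allow}
    case "$level" in
        never|allow|try|demand|hard) ;;
        *) echo "ensure_reqcert: invalid TLS_REQCERT level '$level'" >&2; return 1 ;;
    esac
    tmp=$(mktemp "$f.XXXXXX") || return 1
    if grep -q '^[[:space:]]*TLS_REQCERT[[:space:]]' "$f"; then
        sed "s/^[[:space:]]*TLS_REQCERT[[:space:]].*/TLS_REQCERT $level/" "$f" > "$tmp"
    else
        { cat "$f"; echo "TLS_REQCERT $level"; } > "$tmp"
    fi
    chmod 644 "$tmp" && mv "$tmp" "$f"
}
```

Typical use is 'ensure_reqcert /etc/openldap/ldap.conf allow' followed by 'reqcert_value /etc/openldap/ldap.conf' to confirm the result. To confirm that the setting, and not something else, is what makes an eDirectory bind fail, the same option can be overridden per command through the environment before touching the file, for example 'LDAPTLS_REQCERT=allow ldapsearch -x -ZZ -H ldap://192.168.0.10 -b "" -s base' against the server from the TID's example: if that succeeds while the plain command fails with "Can't contact LDAP server", the cause described below applies.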
Cause
On SLES11 versions prior to SLES11 SP2, the '/etc/openldap/ldap.conf' file contained the line "TLS_REQCERT allow" by default.
Due to a change made to the openldap2-client package on SLE 11 SP2 and later SLE versions, that line has been removed from the shipped '/etc/openldap/ldap.conf'. With the directive absent, the OpenLDAP client falls back to its built-in default of 'TLS_REQCERT demand', so a server certificate that cannot be verified against the configured CA store, such as the certificate chain issued by eDirectory's self-signed tree CA, aborts the connection, and the calling tool reports "Can't contact LDAP server".