[horde] Horde LDAP TLS not working, system LDAP TLS does

Simon Wilson simon at simonandkate.net
Mon Feb 18 20:49:07 UTC 2013


On 19/02/2013, at 2:07 AM, Ralf Lang <lang at b1-systems.de> wrote:

> On 18.02.2013 16:30, Simon Wilson wrote:
>> I am going crazy with this one...
>> 
>> My H5 setup has been working fine for a week. Earlier in the week
>> I updated the certificates that the systems use, but missed one on
>> the new Horde server, and today everything stopped working with
>> certificate expired errors.
>> 
>> I worked out where I had missed it, put it there, but now Horde
>> can't auth using TLS (it has been fine):
>> 
>> 2013-02-18T14:56:45+00:00 EMERG: HORDE TLS not started: Connect
>> error [pid 7145 on line 514 of "/usr/share/pear/Horde/Ldap.php"]
>> 
>> It drops a fatal error whenever TLS is enabled. The certs appear
>> fine, and Imp using the same certs can connect to the separate IMAP
>> server.
>> 
>> My old Horde 4 server can connect fine over TLS, so it's not the
>> LDAP server.
>> 
>> The strange thing though is that I can ldapsearch from the new
>> system using TLS:
>> 
>> ldapsearch -ZZ -x -b dc=simonandkate,dc=lan
>> 
>> Generates this on the LDAP server:
>> 
>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 fd=48 ACCEPT from IP=192.168.1.230:35382 (IP=0.0.0.0:389)
>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=0 EXT oid=1.3.6.1.4.1.1466.20037
>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=0 STARTTLS
>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=0 RESULT oid= err=0 text=
>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 fd=48 TLS established tls_ssf=256 ssf=256
>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=1 BIND dn="" method=128
>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=1 RESULT tag=97 err=0 text=
>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=2 SRCH base="dc=simonandkate,dc=lan" scope=2 deref=0 filter="(objectClass=*)"
>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=2 SEARCH RESULT tag=101 err=0 nentries=44 text=
>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=3 UNBIND
>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 fd=48 closed
>> 
>> Yet Horde can't START_TLS.
>> 
>> The CA certificate file on the system is world readable - how does
>> Horde find it?
> 
> Is it installed to the default certificate store? For example, under
> SUSE you put it in  /etc/ssl/certs and run
> 
> c_rehash /etc/ssl/certs/
> 
> 
> - -- 
> Ralf Lang

New cacert.pem is in two places, /etc/openldap/cacerts where openldap config files want it to be (ldap.conf, pam_ldap.conf, nslcd.conf), and in /etc/pki/tls/certs which is the system default for CentOS. 

Same places it was before...and I've run c_rehash. 

I'm assuming that for some reason the PHP ldap_start_tls function is failing, which is what the Horde Ldap.php error is telling me.

Just not sure why when a system ldapsearch call with no specified cacert location succeeds.

I'm not a PHP programmer, but I may have to see if I can try that command from the PHP CLI somehow. Or can you tell me what I can use in Horde's configuration PHP command line screen to test LDAP TLS?

Simon
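
The closing question above (testing ldap_start_tls from the PHP CLI), as an added example that is not part of the original post or of Horde's code: a small script that makes the same StartTLS call with certificate verification left on and prints libldap's diagnostic text. The host name `ldap.example.lan` and the file name `cacert.pem` under `/etc/openldap/cacerts` are assumptions; pass your own values as arguments.

```php
<?php
// Added example: repeat the StartTLS step from the PHP CLI.
// Usage: php ldap_tls_test.php <ldap-host> <ca-file>
// Both defaults below are assumptions, not values taken from Horde.
$host   = isset($argv[1]) ? $argv[1] : 'ldap.example.lan'; // must match the name in the server certificate
$caFile = isset($argv[2]) ? $argv[2] : '/etc/openldap/cacerts/cacert.pem';

// A CA file that this account cannot read fails at the TLS handshake,
// even when the same file works for another user.
if (!is_readable($caFile)) {
    fwrite(STDERR, "CA file not readable by this account: $caFile\n");
    exit(2);
}

// Library-wide settings have to be in place before the handle is created.
putenv('LDAPTLS_CACERT=' . $caFile);             // honoured by OpenLDAP's libldap, see ldap.conf(5)
ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);  // libldap trace on stderr
if (defined('LDAP_OPT_X_TLS_CACERTFILE')) {      // only defined on newer PHP builds
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
}

$ds = ldap_connect('ldap://' . $host . ':389');
if ($ds === false) {
    fwrite(STDERR, "ldap_connect() rejected the URI\n");
    exit(2);
}

// StartTLS is an LDAPv3 extended operation; the protocol version must be 3.
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

if (@ldap_start_tls($ds)) {
    echo "StartTLS OK against $host\n";
    // An anonymous bind confirms that the encrypted session is usable.
    echo @ldap_bind($ds) ? "Anonymous bind OK\n" : 'Bind failed: ' . ldap_error($ds) . "\n";
    exit(0);
}

// Report the generic error and, where available, the server or TLS detail.
printf("StartTLS failed: %s (errno %d)\n", ldap_error($ds), ldap_errno($ds));
if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')
    && ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail) && $detail) {
    echo "Detail: $detail\n";
}
exit(1);
```

Run it once from a login shell and once as the account the web server runs under; a result that differs between the two points at file permissions or environment rather than at the certificate itself.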

