LDAP /AD authentication Certificate issue

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
Psihawk
Posts: 27
Joined: Wed May 13, 2020 9:29 pm

LDAP /AD authentication Certificate issue

Post by Psihawk »

I am trying to set up LDAP auth and attempting to import our cert via the GUI. When I try, it tells me the cert is already there (I have never imported one, so if someone did, it's years old and expired). Does anyone know where I can find this cert? The GUI shows no certs imported. I have checked /etc/openldap/cacerts and certs and see nothing in those directories, other than in certs, which shows:
cert8.db
key3.db
password
secmod.db

Any help is appreciated.
lgute
Posts: 121
Joined: Mon Apr 06, 2020 2:49 pm

Re: LDAP /AD authentication Certificate issue

Post by lgute »

Hi @Psihawk, thanks for reaching out.

Could you give us a bit more information, OS/Version and version of XI? Also please post any error messages from the GUI or log files.

The list that displays in the UI is from the database, and it sounds like it may be out of sync with the filesystem.

The certs may be stored in the following locations:

    "/etc/ldap/certs"
    "/etc/ldap/cacerts"
or
    "/etc/openldap/certs"
    "/etc/openldap/cacerts"
Please let us know if you have any other questions or concerns.

-Laura
Psihawk
Posts: 27
Joined: Wed May 13, 2020 9:29 pm

Re: LDAP /AD authentication Certificate issue

Post by Psihawk »

Installed version

2024R1.0.1

OS - CentOS Linux 7
Kernel 3.10.0-1160.105.1.el7.x86_64

/etc/ldap doesn't exist. The /etc/openldap/certs does.
Psihawk
Posts: 27
Joined: Wed May 13, 2020 9:29 pm

Re: LDAP /AD authentication Certificate issue

Post by Psihawk »

Any update to this?
swolf
Developer
Posts: 308
Joined: Tue Jun 06, 2017 9:48 am

Re: LDAP /AD authentication Certificate issue

Post by swolf »

Hi @Psihawk,

Can you list the entries in /etc/openldap/cacerts, especially any symlinks? The backend is doing a manual equivalent of `openssl rehash`, and it'll remove your certificate if thinks there's already a valid link. My guess at this point is that there's a symlink that is normally dead (wasn't cleaned up properly at some previous time), which becomes "live" after you upload the certificate. When it sees that there's already a live cacert symlink matching your certificate, it then deletes the uploaded certificate, making the symlink invalid again.

If that does turn out to be the root cause, I think we can work around it in a future maintenance release. Let me know what you find!

-Sebastian
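The check Sebastian asks for, written out as an added example (this is not code from the thread or from Nagios XI): a POSIX shell script that lists dangling symlinks in a CA hash directory such as /etc/openldap/cacerts, which is exactly the left-over link that would make an `openssl rehash`-style importer conclude the certificate is already present. When the openssl CLI is available, `check_cert_hash_links` also looks up whether a `<subject_hash>.N` link already exists for a given PEM file. The fixture directory, file names (corp-ca.pem, old-ca.pem) and hash values are constructed for the demonstration.

```shell
#!/bin/sh
# Added diagnostic for a CA hash directory (e.g. /etc/openldap/cacerts).
# Tools that mirror `openssl rehash` create <subject_hash>.N symlinks pointing
# at the certificate files; a symlink whose target was deleted stays behind as
# a dangling link and springs back to life the moment a file with that name is
# copied in again, which is the failure mode described in the thread.

# Print every dangling symlink in directory $1, one "link -> target" per line.
find_dangling_links() {
    for link in "$1"/*; do
        [ -L "$link" ] || continue        # skip regular files and an unmatched glob
        [ -e "$link" ] && continue        # target exists: the link is live
        printf '%s -> %s\n' "$link" "$(readlink "$link")"
    done
    return 0
}

# Number of dangling symlinks in directory $1.
count_dangling_links() {
    find_dangling_links "$1" | wc -l | tr -d ' '
}

# For PEM certificate $1 and hash directory $2, report any <subject_hash>.N
# links, live or dangling. Returns 0 if at least one exists, 1 if none,
# 2 if openssl could not parse the certificate. Needs the openssl CLI.
check_cert_hash_links() {
    hash=$(openssl x509 -noout -subject_hash -in "$1") || return 2
    found=1
    for link in "$2/$hash".*; do
        [ -L "$link" ] || [ -e "$link" ] || continue
        found=0
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            printf 'dangling: %s -> %s\n' "$link" "$(readlink "$link")"
        else
            printf 'live:     %s\n' "$link"
        fi
    done
    return $found
}

# Constructed fixture (a temp dir, not a real system path) reproducing the
# situation in the thread: one live hash link and one left-over dangling one.
make_fixture() {
    d=$(mktemp -d)
    : > "$d/corp-ca.pem"                     # certificate that is really present
    ln -s "$d/corp-ca.pem" "$d/aabbccdd.0"   # live link (hash value is made up)
    ln -s "$d/old-ca.pem"  "$d/11223344.0"   # target deleted long ago: dangling
    printf '%s\n' "$d"
}

fixture=$(make_fixture)
echo "Dangling links in $fixture:"
find_dangling_links "$fixture"
# Real use on a Nagios XI host:
#   find_dangling_links /etc/openldap/cacerts
#   check_cert_hash_links /path/to/uploaded.pem /etc/openldap/cacerts
rm -rf "$fixture"
```

Run it against the real directory before re-uploading: any line printed by `find_dangling_links` is a candidate for the stale link Sebastian describes, and `check_cert_hash_links` tells you whether the certificate you are about to import already has a hash link, live or dead, that an importer could mistake for "already present".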
Psihawk
Posts: 27
Joined: Wed May 13, 2020 9:29 pm

Re: LDAP /AD authentication Certificate issue

Post by Psihawk »

That directory is empty

The certs directory \\etc\openldap\certs has what is in the attachment on here.
certs.png