LDAPS, certificate not correctly added
Posted: Sat Aug 22, 2020 9:00 am
Hi,
When adding a new trusted certificate through nagiosxi/includes/components/ldap_ad_integration/manage.php on NagiosXI 5.6.12 the symlink created in /etc/openldap/cacerts doesn't use the hashed name of the certificate as mandated by man ldap.conf, in the section on TLS_CACERTDIR.
This prevents the certificates from being read when connecting to the LDAPS server (at least on our machine, running CentOS 7).
This can be fixed by uncommenting line 101 of ldap_ad_integration/ajax.php and changing line 126 to refer to the $hash variable.
I suppose this undoes the fix for allowing upload of multiple certificates with the same subject, as mentioned in the changelog for XI 5.6.11.
A better fix would probably be to use c_rehash, found in package openssl-perl (at least on CentOS 7). According to its manpage, this tool should correctly handle the case where multiple certificates use the same subject.
This bug is also present in XI 5.7.2.
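The naming rule the post refers to is what OpenSSL-based clients (OpenLDAP with TLS_CACERTDIR, `openssl verify -CApath`) use to find a CA: the file must be reachable as `<subject_hash>.<n>`, where the hash comes from `openssl x509 -subject_hash` and `n` counts up when several certificates share a subject. A link with any other name is never consulted, so the CA is effectively absent and the LDAPS handshake fails certificate verification. The script below is an added example, not Nagios XI code and not the `c_rehash` tool itself; it reproduces the part of `c_rehash` that matters here (subject hash, numeric suffix per colliding subject, skip of byte-identical duplicates) and adds a check that shows whether a certificate is actually trusted through the directory lookup. It assumes only the `openssl` command line; directory path and file names are placeholders.

```shell
#!/bin/sh
# Added example (not Nagios XI code): populate a TLS_CACERTDIR-style directory
# with the hashed symlinks OpenSSL-based clients expect, handling several
# certificates that share a subject the way c_rehash does (suffixes .0, .1, ...).
# Usage: . ./rehash_cacerts.sh; rehash_cacerts /etc/openldap/cacerts
set -eu

# Subject-name hash that OpenSSL uses to locate a CA file in a directory.
subject_hash() {
    openssl x509 -noout -subject_hash -in "$1" 2>/dev/null
}

# SHA-256 fingerprint, used to skip files that contain the very same certificate.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | cut -d= -f2
}

# rehash_cacerts DIR: remove stale hash links, then link every *.pem/*.crt as
# <hash>.<n>, choosing the lowest n not yet taken for that subject hash.
rehash_cacerts() {
    dir=$1
    # Drop only symlinks that look like hash links (8 hex chars, dot, number),
    # so plain certificate files in the directory are never touched.
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        case "$(basename "$link")" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) rm -f "$link" ;;
        esac
    done
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] && [ ! -L "$cert" ] || continue
        hash=$(subject_hash "$cert") || continue   # not a certificate: skip it
        fp=$(fingerprint "$cert")
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            # The identical certificate is already linked under this hash.
            if [ "$(fingerprint "$dir/$hash.$n")" = "$fp" ]; then
                continue 2
            fi
            n=$((n + 1))            # same subject, different cert: next suffix
        done
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
    done
}

# links_for_hash DIR HASH: number of <hash>.<n> links, i.e. the candidates a
# client will load for that subject.
links_for_hash() {
    count=0
    for link in "$1"/"$2".*; do
        [ -L "$link" ] && count=$((count + 1))
    done
    echo "$count"
}

# trusted_via_dir DIR CERT: succeeds only if OpenSSL can validate CERT using the
# hashed lookup in DIR, which is what an LDAPS client does with TLS_CACERTDIR.
# A CA that sits in DIR under a non-hashed name makes this fail.
trusted_via_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

Running `trusted_via_dir` against the directory before and after rehashing is the quickest way to confirm the symptom described in the post: with the CA present but mis-named the check fails, and after the hashed links exist it passes. Unlike the real `c_rehash`, this script does not create the legacy (pre-1.0.0) hash form or CRL links, so use the real tool where it is available.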