More on SSL and LDAP in Leopard
Posted in Leopard, Mac OS X, Security, System Administration on 12/04/2007 12:55 pm by jmccune
Joel just posted a great article titled SSL and LDAP in Leopard about the pitfalls of using SSL secured LDAP servers in Leopard. As Joel mentions, Leopard now refuses to trust any and all SSL protected LDAP servers out of the box.
A few people have complained that Directory.app, and the LDAPv3 plugin for DirectoryService, don’t honor the same purchased certificates that work just fine in their web browsers. Nor do they honor certificates signed by authorities listed in the x509Anchors keychain.
I’m not sure exactly where I personally stand on these very reasonable gripes, but I do know that it’s relatively trivial to configure all of your clients to honor “legitimate” certificates signed by authorities such as VeriSign, GeoTrust, etc…
It’s as simple as:
echo "TLS_CACERT /usr/share/curl/curl-ca-bundle.crt" >> \
    /etc/openldap/ldap.conf
You may need to give DirectoryService a kick, with killall DirectoryService.
This works because Apple already distributes a long PEM encoded list of certificate authorities for use with the curl command line utility. We’re able to leverage its trusted certificate store.
Also be warned your Leopard workstations are now slightly more vulnerable than if you were to configure only the certification authorities you need to get your LDAP server trusted.
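One way to act on that warning is to trust only the authority your server actually chains to, as in this added example (not code from the original post): it carves the matching entry out of a bundle in the curl/Mozilla extract layout and rewrites ldap.conf without piling up duplicate lines. The bundle layout, the function names and every path are assumptions of the example.

```shell
# Added example, not code from the original post: instead of trusting every
# authority in curl-ca-bundle.crt, carve out only the CA(s) the LDAP server
# chains to and point ldap.conf at that narrower file. Assumed bundle layout
# (the curl/Mozilla extract format): name line, '=' separator line, PEM block.
# extract_ca BUNDLE PATTERN OUT: copy each PEM block whose name line matches
# PATTERN (case-insensitive awk regex) into OUT; print how many were copied.
extract_ca() {
    : > "$3"
    awk -v pat="$2" -v out="$3" '
        !keep && !/^-----/ && !/^=+$/ && NF { name = $0 }  # last plain line is the CA name
        /^-----BEGIN CERTIFICATE-----/ { keep = (tolower(name) ~ tolower(pat)); if (keep) n++ }
        keep { print > out }
        /^-----END CERTIFICATE-----/ { keep = 0 }
        END { close(out); print n + 0 }
    ' "$1"
}

# set_tls_cacert CONF PATH: leave exactly one TLS_CACERT line in CONF, so a
# second run does not append a duplicate the way a plain ">>" would.
set_tls_cacert() {
    [ -f "$1" ] || : > "$1"
    { grep -v '^[[:space:]]*TLS_CACERT[[:space:]]' "$1" || true
      printf 'TLS_CACERT %s\n' "$2"; } > "$1.tmp" && mv "$1.tmp" "$1"
}

# trust_only_ca BUNDLE PATTERN CAFILE CONF: fail when nothing matches, so
# ldap.conf never points at an empty CA file (the GoDaddy case in the comments).
trust_only_ca() {
    n=$(extract_ca "$1" "$2" "$3") || return 1
    [ "$n" -gt 0 ] || { rm -f "$3"; echo "no CA matching '$2' in $1" >&2; return 1; }
    set_tls_cacert "$4" "$3"
}

# make_sample_bundle OUT: a constructed two-entry bundle with placeholder
# bodies (not real certificates), enough to exercise the parsing above.
make_sample_bundle() {
    cat > "$1" <<'EOF'
Example Root CA
===============
-----BEGIN CERTIFICATE-----
PLACEHOLDERexampleRootCAbodyNotARealCertificate==
-----END CERTIFICATE-----
Other Root CA
=============
-----BEGIN CERTIFICATE-----
PLACEHOLDERotherRootCAbodyNotARealCertificate==
-----END CERTIFICATE-----
EOF
}
```

Against the real bundle you would call, for instance, `trust_only_ca /usr/share/curl/curl-ca-bundle.crt 'verisign' /etc/openldap/ldap-ca.pem /etc/openldap/ldap.conf` and then restart DirectoryService as the post describes.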
12/05/2007 at 10:55 am
Thanks for posting this!
12/06/2007 at 2:35 pm
You’re welcome. Thanks for the feedback.
12/07/2007 at 6:00 pm
Thank you! The AFP548 article was good, but this seems like an easier and faster fix.
01/08/2008 at 8:37 am
Great tip, but how do we do this for iChat (Jabber2) server as well?!
-Damian
01/21/2008 at 2:03 pm
It appears that godaddy’s cert is not in the file. Bummer as I have my certs signed by them. Their cert is in Keychain x509 though.
cat /usr/share/curl/curl-ca-bundle.crt | grep -i daddy
returns no results.
03/19/2008 at 3:41 pm
I am new to Terminal, is that command on this page all one line?
03/20/2008 at 4:49 pm
@Anthony
Yes, the trailing \ on the first line tells the interpreter to ignore the next newline character.
03/20/2008 at 6:53 pm
For GoDaddy users, it may help to get a more current PEM extract file from here:
http://curl.haxx.se/docs/caextract.html
This worked for me to establish secure LDAP connections to an AD LDAP server using a GoDaddy certificate.