Message-Id: 202206301802
Time: June 30, 2022, as of 5:45 pm
Affected: Applications and services that connect to the OpenLDAP directory service via ldap.gwdg.de/ldap2.gwdg.de
Impact: LDAP clients can only connect to ldap.gwdg.de/ldap2.gwdg.de via SSL if they trust the CA certificate chain of the GÉANT TCS PKI
Today, Thursday, June 30, 2022, during the maintenance window from 17:00 to 17:45 h, the server certificates of the GWDG OpenLDAP servers for ldap.gwdg.de/ldap2.gwdg.de were switched to the GÉANT TCS PKI.
Is any action required for LDAP clients?
LDAP clients that use the CA certificate chain provided automatically by the OpenLDAP servers do not need any changes. For LDAP clients that keep a local copy of the CA certificate chain, the current DFN PKI certificate chain must be supplemented with the GÉANT TCS PKI certificate chain by June 30, 2022. From then on, such LDAP clients can only connect successfully to the OpenLDAP servers at ldap.gwdg.de/ldap2.gwdg.de via SSL if the CA certificate chain of the GÉANT TCS PKI has also been integrated.
Where can I get the new GÉANT CA certificate chain?
The new CA certificate chain can be obtained from gwdu60.gwdg.de at /usr/local/etc/openldap/ldap-ca.pem or from https://owncloud.gwdg.de/index.php/s/5npQO2j2OnBqXU2. This file contains both the old and the new CA certificate chain, so that the changeover on the client side is simple during the transition period.
Is there a transition solution?
Using the above file, which contains both CA certificate chains, all LDAP clients can continue to connect successfully via SSL to the OpenLDAP servers through the known LDAP load balancing servers ldap.gwdg.de/ldap2.gwdg.de. After June 30, the then redundant DFN CA certificate chain can be removed; the GWDG will provide a cleaned-up file in July.
So that the new GÉANT CA certificate chain, or the above file with the combined CA certificate chains, can be checked in advance, an LDAP server environment with a GÉANT TCS PKI server certificate has been set up and can be reached via ldap-geant.gwdg.de. LDAP clients that require a local CA certificate chain are advised to test authentication via ldap-geant.gwdg.de. After 30.06.2022, ldap-geant.gwdg.de is identical to ldap.gwdg.de.
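The check described above, as an added example that is not part of the GWDG notice: a small POSIX shell script that inspects the combined CA file and verifies the test server with it. The hostnames come from the notice; the file name ./ldap-ca.pem, port 636 (ldaps) and the use of openssl and ldapsearch are assumptions.

```shell
#!/bin/sh
# Added example, not part of the GWDG notice. Assumes the combined bundle
# was saved as ./ldap-ca.pem and that openssl and ldapsearch are installed;
# port 636 (ldaps) and the root-DSE probe in check_ldap are assumptions.
BUNDLE="${BUNDLE:-./ldap-ca.pem}"
TEST_HOST="${TEST_HOST:-ldap-geant.gwdg.de}"

# Split a PEM bundle into one file per certificate in directory $2 and print
# the number of certificates found. Text between certificates is ignored.
split_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/   { inside = 0; close(out) }
  ' "$bundle"
  ls "$outdir"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Print subject, issuer and expiry of every certificate in the bundle, so you
# can confirm that both the DFN PKI and the GÉANT TCS chain are present.
list_bundle() {
  dir=$(mktemp -d)
  split_bundle "$1" "$dir" >/dev/null
  for f in "$dir"/cert-*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer -enddate
  done
  rm -rf "$dir"
}

# Verify the server's chain against the bundle alone (the OpenSSL 1.1.0+ flags
# -no-CAfile/-no-CApath disable the system store); exit status 0 means the
# bundle by itself is sufficient to trust the server.
check_tls() {
  host="$1"
  openssl s_client -connect "$host:636" -servername "$host" \
    -CAfile "$BUNDLE" -no-CAfile -no-CApath -verify_return_error \
    </dev/null >/dev/null 2>&1
}

# The same check through the LDAP client: LDAPTLS_CACERT overrides ldap.conf,
# so the result does not depend on the client's system configuration.
check_ldap() {
  host="$1"
  LDAPTLS_CACERT="$BUNDLE" ldapsearch -H "ldaps://$host" -x -s base -b "" \
    '(objectClass=*)' namingContexts >/dev/null
}

# Typical use: list_bundle "$BUNDLE"; check_tls "$TEST_HOST"; check_ldap "$TEST_HOST"
```

Run check_tls and check_ldap against ldap-geant.gwdg.de first and then against ldap.gwdg.de; once the transition is over, the same calls on the cleaned-up file confirm that the DFN chain is no longer needed.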