Message-Id: 202206151625
Time: Thursday 06/30/2022, 5:00 p.m. - 7:00 p.m.
Affected: Applications and services with connection to the OpenLDAP directory service via ldap.gwdg.com/ldap2.gwdg.com
Impact: After the changeover, LDAP clients can only connect via SSL to ldap.gwdg.de/ldap2.gwdg.de if they trust the CA certificate chain of the GÉANT TCS PKI
On Thursday, June 30, 2022, during the maintenance window from 17:00 to 19:00 h, the server certificates of the GWDG OpenLDAP servers ldap.gwdg.de/ldap2.gwdg.de will be switched to the GÉANT TCS PKI.
Is there a need for action for the LDAP clients?
LDAP clients that use the CA certificate chain automatically provided by the OpenLDAP servers do not need any changes. For LDAP clients that require a locally stored copy of the CA certificate chain, the current DFN PKI certificate chain must be supplemented with the GÉANT TCS PKI certificate chain by June 30, 2022. From then on, such LDAP clients will only be able to connect successfully via SSL to the OpenLDAP servers at ldap.gwdg.de/ldap2.gwdg.de if the CA certificate chain of the GÉANT TCS PKI has also been integrated.
Where can I get the new GÉANT CA certificate chain?
The new CA certificate chain can be obtained from gwdu60.gwdg.de at /usr/local/etc/openldap/ldap-ca.pem or at https://owncloud.gwdg.de/index.php/s/5npQO2j2OnBqXU2. This file contains both the old and the new CA certificate chain, to allow a simple changeover on the client side during the transition period.
Is there a transition solution?
All LDAP clients that use the above file, which contains both CA certificate chains, can continue to connect successfully via SSL to the OpenLDAP servers through the known LDAP load-balancing names ldap.gwdg.de/ldap2.gwdg.de. After June 30, the then redundant DFN CA certificate chain can be removed; the GWDG will provide a cleaned-up file in July.
So that the new GÉANT CA certificate chain, or the above-mentioned file with the combined CA certificate chains, can be checked in advance, an LDAP server environment with a GÉANT TCS PKI server certificate has been set up and can be reached via ldap-geant.gwdg.de. LDAP clients that require a locally stored CA certificate chain are advised to test authentication via ldap-geant.gwdg.de. After 30.06.2022, ldap-geant.gwdg.de will be identical to ldap.gwdg.de.
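Added example, not part of the GWDG notice: a small POSIX shell script that inspects the combined CA file and then uses it as the only trust anchor for a TLS handshake and an anonymous root DSE search against ldap-geant.gwdg.de. It assumes LDAPS on TCP port 636 (the notice says "SSL" but names no port), that openssl and ldapsearch are installed, and the file path from the notice; the function names and the "check" argument are my own.

```shell
#!/bin/sh
# Added example, not from the GWDG notice. Inspects a local CA bundle and
# uses it as the only trust anchor against the GÉANT test endpoint.
# Assumptions: LDAPS on TCP 636 (the notice names no port), openssl and
# ldapsearch available; default file path taken from the notice.

CA_FILE="${CA_FILE:-/usr/local/etc/openldap/ldap-ca.pem}"
LDAP_HOST="${LDAP_HOST:-ldap-geant.gwdg.de}"
LDAP_PORT="${LDAP_PORT:-636}"

# count_certs FILE: number of PEM certificate blocks in a bundle.
# The combined file holds both the DFN and the GÉANT chain, so the count
# must be higher than for the old DFN-only file.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# list_certs FILE: print subject and issuer of every certificate in the
# bundle so both chains can be checked by eye. The bundle is wrapped into
# a PKCS#7 structure because "openssl x509" only prints the first cert.
list_certs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# tls_check: TLS handshake against the test host, trusting only CA_FILE.
# -verify_return_error turns a chain verification failure into a non-zero
# exit status instead of only a "Verify return code" line.
tls_check() {
    openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -servername "$LDAP_HOST" \
        -CAfile "$CA_FILE" -verify_return_error </dev/null >/dev/null 2>&1
}

# ldap_check: anonymous base search of the root DSE over LDAPS, with
# CA_FILE as the trust store of the OpenLDAP client library.
ldap_check() {
    LDAPTLS_CACERT="$CA_FILE" ldapsearch -H "ldaps://$LDAP_HOST:$LDAP_PORT" \
        -x -b '' -s base '(objectClass=*)' namingContexts >/dev/null 2>&1
}

# The network checks only run when the script is called with "check";
# the functions above can be sourced without touching the network.
if [ "${1:-}" = "check" ]; then
    echo "certificates in $CA_FILE: $(count_certs "$CA_FILE")"
    list_certs "$CA_FILE"
    if tls_check; then
        echo "TLS chain verified against $LDAP_HOST:$LDAP_PORT"
    else
        echo "TLS verification FAILED against $LDAP_HOST:$LDAP_PORT"
        exit 1
    fi
    if ldap_check; then
        echo "LDAPS root DSE search OK"
    else
        echo "ldapsearch over LDAPS FAILED"
        exit 1
    fi
fi
```

Run it as `sh ldap-geant-check.sh check` on a client with the combined file in place; a non-zero exit before June 30 means that client would stop connecting after the changeover. Override CA_FILE to point at a client's own copy of the bundle, and LDAP_HOST to re-run the same checks against ldap.gwdg.de after the switch.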
Early integration of the new CA certificate chain of the GÉANT TCS PKI before June 30, 2022 is recommended!