LDAP-over-TLS cannot connect to Active Directory

Originator: realvnc
Number: rdar://30442335
Date Originated: 09-Feb-2017 03:09 PM
Status: Closed
Resolved:
Product: macOS + SDK
Product Version: Sierra
Classification:
Reproducible:
Area: Something not on this list

Summary:
Apple ships a modified version of OpenLDAP (available at opensource.apple.com); in this modified version, SecureTransport is used to make TLS connections when performing an LDAP query.

When making an LDAP query over TLS, the modified OpenLDAP fails to validate correct (valid) server certificates if the subject name is empty. Since Active Directory Domain Controllers issue server certificates with an empty subject name, this prevents LDAP queries from being run against Active Directory.

Since Active Directory is the most widely used LDAP server, this is affecting our customers (our application performs LDAP queries).

The problem can be reproduced on the command line using "ldapsearch" to query an Active Directory LDAP server.

Another user (Graham Wells) previously encountered this issue: I found a query in the OpenLDAP mailing list in which they correctly pointed out that the problem is in Apple's changes to OpenLDAP (http://www.openldap.org/its/index.cgi/Incoming?id=8532;page=131;statetype=-1).
I do not know if the issue was ever reported to Apple, since the bug tracker is not searchable.

Steps to Reproduce:
Run the following command, replacing YOUR_DC with a Domain Controller:

ldapsearch -d 5 -v -H ldaps://dc1.YOUR_DC.com -b CN=Users,DC=YOUR_DC,DC=com '(userPrincipalName=test)'

Note that the following line has been added to /etc/openldap/ldap.conf, and the given certificate has been added to the Keychain:

TLS_TRUSTED_CERTS realvnc-DC1-CA

(Although the syntax for TLS_TRUSTED_CERTS is barely documented, I know that this certificate has been found, because if I set TLS_TRUSTED_CERTS to the string "bogus" a different error is returned.)

Expected Results:
I expect ldapsearch to connect to the server, since the TLS certificate is valid.

Actual Results:
An error is printed (full log attached, along with the problematic server certificate).

Version:
Tested on Sierra. OpenLDAP build (ldapsearch -V):
@(#) $OpenLDAP: ldapsearch 2.4.28 (Aug 29 2016 19:00:23) $
root@osx300.apple.com:/Library/Caches/com.apple.xbs/Binaries/OpenLDAP/OpenLDAP-523.30.2~8/TempContent/Objects/clients/tools

Notes:


Configuration:
All macOS configurations

Attachments:
'server-cert.pem' and 'ldapsearch-log.txt' were successfully uploaded.
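The report turns on what an "empty subject name" certificate is and whether a TLS client should accept one. The following is an added example, not code from the radar, from RealVNC, or from Apple's OpenLDAP: it constructs a minimal DER certificate skeleton with an empty subject SEQUENCE and a critical subjectAltName (the shape of a Domain Controller server certificate as described above), then parses it and applies the rule from RFC 5280 section 4.1.2.6, which allows an empty subject only when subjectAltName is present and marked critical, and finally matches the requested host against the SAN dNSNames. The host name example.test and the issuer name are constructed; the key and signature fields are dummies and the certificate is never signed, so this exercises name handling only, not chain validation.

```python
"""Added example: empty-subject X.509 certificate, constructed and then checked
against RFC 5280 4.1.2.6 (empty subject requires a critical subjectAltName).
Key and signature fields are dummies; nothing here is signed or validated."""


# ---- minimal DER encoder, just enough to construct the sample ----
def der(tag: int, payload: bytes) -> bytes:
    """Encode one TLV; long-form length when the payload is >= 128 bytes."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + payload


def seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))


def oid(*arcs: int) -> bytes:
    """Encode an OBJECT IDENTIFIER from integer arcs (base-128, high bit = more)."""
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return der(0x06, body)


OID_CN, OID_SAN = oid(2, 5, 4, 3), oid(2, 5, 29, 17)
SHA256_RSA = seq(oid(1, 2, 840, 113549, 1, 1, 11))


def rdn(attr: bytes, value: bytes) -> bytes:
    """One RDN: SET { SEQUENCE { attribute type, UTF8String value } }."""
    return der(0x31, seq(attr, der(0x0C, value)))


def build_sample_cert(dns_names, empty_subject=True, san_critical=True) -> bytes:
    """Constructed v3 certificate skeleton shaped like a DC server certificate."""
    general_names = seq(*[der(0x82, n.encode("ascii")) for n in dns_names])  # [2] dNSName
    san = [OID_SAN] + ([der(0x01, b"\xff")] if san_critical else []) + [der(0x04, general_names)]
    subject = seq() if empty_subject else seq(rdn(OID_CN, dns_names[0].encode("ascii")))
    tbs = seq(
        der(0xA0, der(0x02, b"\x02")),                      # [0] version: v3
        der(0x02, b"\x01"),                                 # serialNumber
        SHA256_RSA,                                         # signature algorithm
        seq(rdn(OID_CN, b"Constructed Test CA")),           # issuer (constructed name)
        seq(der(0x18, b"20170209000000Z"), der(0x18, b"20180209000000Z")),  # validity
        subject,                                            # subject: EMPTY SEQUENCE by default
        seq(seq(oid(1, 2, 840, 113549, 1, 1, 1)), der(0x03, b"\x00")),  # SPKI, dummy key bits
        der(0xA3, seq(seq(*san))),                          # [3] extensions: only SAN
    )
    return seq(tbs, SHA256_RSA, der(0x03, b"\x00"))         # dummy (empty) signature


# ---- minimal DER reader ----
def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at pos -> (tag, payload, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                           # long-form length
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln


def der_children(payload: bytes):
    """Split a constructed payload into its (tag, payload) members."""
    out, pos = [], 0
    while pos < len(payload):
        tag, body, pos = der_read(payload, pos)
        out.append((tag, body))
    return out


def inspect_cert(cert: bytes) -> dict:
    """Extract subject RDN count and SAN dNSNames; apply the RFC 5280 empty-subject rule."""
    _, cert_body, _ = der_read(cert)
    fields = der_children(der_children(cert_body)[0][1])    # TBSCertificate members
    i = 1 if fields[0][0] == 0xA0 else 0                    # skip explicit [0] version if present
    subject_rdn_count = len(der_children(fields[i + 4][1]))
    san_present, san_critical, san_dns_names = False, False, []
    for tag, body in fields[i + 6:]:
        if tag != 0xA3:                                     # [3] Extensions
            continue
        (_, ext_list), = der_children(body)
        for _, ext in der_children(ext_list):
            parts = der_children(ext)                       # extnID [, critical], extnValue
            if parts[0][1] != b"\x55\x1d\x11":              # 2.5.29.17 id-ce-subjectAltName
                continue
            san_present = True
            san_critical = len(parts) == 3 and parts[1][1] == b"\xff"
            (_, names), = der_children(parts[-1][1])        # OCTET STRING wraps GeneralNames
            san_dns_names = [gn.decode("ascii") for t, gn in der_children(names) if t == 0x82]
    subject_ok = subject_rdn_count > 0 or (san_present and san_critical and bool(san_dns_names))
    return {"subject_rdn_count": subject_rdn_count, "san_present": san_present,
            "san_critical": san_critical, "san_dns_names": san_dns_names,
            "rfc5280_subject_ok": subject_ok}


def hostname_allowed(info: dict, hostname: str) -> bool:
    """Match the requested host against SAN dNSNames: exact, or one leftmost wildcard label."""
    host = hostname.lower().rstrip(".")
    for name in info["san_dns_names"]:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False


if __name__ == "__main__":
    info = inspect_cert(build_sample_cert(["dc1.example.test"]))
    print(info, hostname_allowed(info, "dc1.example.test"))
```

To run inspect_cert over a real server certificate such as the attached server-cert.pem, strip the PEM header and footer lines and base64-decode the body to obtain the DER bytes; a conforming client should report an empty subject with a critical SAN as acceptable and then rely on the SAN dNSNames for host name matching.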

Comments

Apple Developer Relations, 30-Mar-2017 07:05 AM

Engineering has provided the following feedback regarding this issue:

This certificate is not valid because it has an empty subject name.
