Bug#979995: There should be a sensible compile time default for the location of the file that contains trusted CA certificates
Ryan Tandy
ryan at nardis.ca
Tue Jan 12 18:47:22 GMT 2021
Control: tag -1 moreinfo
Hello,
On Tue, Jan 12, 2021 at 07:04:41PM +0100, Andreas Metzler wrote:
>On 2021-01-12 Andras Korn <korn-debbugs at elan.rulez.org> wrote:
>> I think I shouldn't need to specify `ldap_tls_cacert =
>> /etc/ssl/certs/ca-certificates.crt` when using a Debian package, since
>> this is the default location of trusted CA certificates in Debian.
>> Configuration should only be necessary for non-default setups.
The libldap-common package ships a default /etc/ldap/ldap.conf which
contains exactly this default TLS_CACERT value. It should be picked up
automatically by programs using the library. If sssd does something to
override that, I don't think libldap can be blamed.
>GnuTLS offers a sane compile default for the trust store (See
>gnutls_x509_trust_list_add_system_trust()), which can be used by the
>application. - I have therefore retitled the bug.
>
>From the upstream bug report:
>2021-01-12 17:52:00.657730500 [be[ldap]] [sss_ldap_debug] (0x4000): libldap: TLS: warning: cacertdir not implemented for gnutls
>
>GnuTLS has supported using a directory instead of a file since version
>3.3.6 (released 2014-07-23), so it looks like a missing thing in libldap.
There are two things here:
1. libldap 2.4.x indeed does not support TLS_CACERTDIR when linked with
GnuTLS. This is fixed in the 2.5 branch. (ITS#8155)
2. It is intentional by upstream that *no* CA certificates are used when
there is no explicit TLS_CACERT or TLS_CACERTDIR configured. There's
some discussion about this in ITS#5582. (Bearing in mind that in Debian
we *do* configure a default TLS_CACERT in ldap.conf).
<https://bugs.openldap.org/show_bug.cgi?id=5582>
Is there still something you think needs to be changed or fixed in the
libldap package?
thanks,
Ryan
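Added example, not part of the message above: a POSIX shell check that reports which of the ldap.conf trust settings discussed in this thread (TLS_CACERT, TLS_CACERTDIR, or neither) libldap would actually use, so an administrator can spot a host where sssd or a local ldaprc has lost the Debian default. The sample config files it writes are constructed for the demonstration, not the real Debian files.

```shell
#!/bin/sh
# Report which CA trust source libldap would use, from the TLS_CACERT and
# TLS_CACERTDIR settings in an ldap.conf-style file. Return codes:
#   0  TLS_CACERT set and readable
#   1  neither key present: libldap trusts no CA at all (ITS#5582)
#   2  only TLS_CACERTDIR present: libldap 2.4.x on GnuTLS ignores it (ITS#8155)
#   3  TLS_CACERT set but the file is missing or unreadable
check_ldap_trust() {
    conf="$1"
    # Keys are case-insensitive; the last occurrence wins. Commented-out keys
    # start with '#', so $1 never equals the bare key name for them.
    cacert=$(awk 'toupper($1) == "TLS_CACERT" { v = $2 } END { print v }' "$conf")
    cacertdir=$(awk 'toupper($1) == "TLS_CACERTDIR" { v = $2 } END { print v }' "$conf")
    # The LDAPTLS_CACERT environment variable overrides the file's value.
    if [ -n "${LDAPTLS_CACERT:-}" ]; then
        cacert="$LDAPTLS_CACERT"
    fi
    if [ -n "$cacert" ]; then
        if [ -r "$cacert" ]; then
            echo "ok: CA bundle $cacert"
            return 0
        fi
        echo "error: TLS_CACERT $cacert is unreadable; peer verification will fail"
        return 3
    fi
    if [ -n "$cacertdir" ]; then
        echo "warning: only TLS_CACERTDIR $cacertdir set; ignored by libldap 2.4.x with GnuTLS"
        return 2
    fi
    echo "warning: no TLS_CACERT or TLS_CACERTDIR; libldap will trust no CA"
    return 1
}

# Constructed sample configs (not the real Debian files) covering each outcome.
make_samples() {
    dir=$(mktemp -d)
    printf 'placeholder CA bundle\n' > "$dir/bundle.crt"
    printf 'BASE dc=example,dc=org\nTLS_CACERT %s\n' "$dir/bundle.crt" > "$dir/debian-style.conf"
    printf '#TLS_CACERT /etc/ssl/certs/ca-certificates.crt\nTLS_CACERTDIR /etc/ssl/certs\n' > "$dir/dir-only.conf"
    printf 'URI ldaps://ldap.example.org\n' > "$dir/no-trust.conf"
    echo "$dir"
}

samples=$(make_samples)
for f in debian-style.conf dir-only.conf no-trust.conf; do
    printf '%s: ' "$f"
    check_ldap_trust "$samples/$f" || :
done
```

To audit a real host, point check_ldap_trust at /etc/ldap/ldap.conf and at any ~/.ldaprc or LDAPCONF file the affected service reads.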