Bug#979995: There should be a sensible compile time default for the location of the file that contains trusted CA certificates

Ryan Tandy ryan at nardis.ca
Tue Jan 12 18:47:22 GMT 2021


Control: tag -1 moreinfo

Hello,

On Tue, Jan 12, 2021 at 07:04:41PM +0100, Andreas Metzler wrote:
>On 2021-01-12 Andras Korn <korn-debbugs at elan.rulez.org> wrote:
>> I think I shouldn't need to specify `ldap_tls_cacert =
>> /etc/ssl/certs/ca-certificates.crt` when using a Debian package, since
>> this is the default location of trusted CA certificates in Debian.
>> Configuration should only be necessary for non-default setups.

The libldap-common package ships a default /etc/ldap/ldap.conf which 
contains exactly this default TLS_CACERT value. It should be picked up 
automatically by programs using the library. If sssd does something to 
override that, I don't think libldap can be blamed.

>GnuTLS offers a sane compile default for the trust store (See
>gnutls_x509_trust_list_add_system_trust()), which can be used by the
>application. - I have therefore retitled the bug.
>
>From the upstream bug report:
>2021-01-12 17:52:00.657730500 [be[ldap]] [sss_ldap_debug] (0x4000): libldap: TLS: warning: cacertdir not implemented for gnutls
>
>GnuTLS has supported using a directory instead of a file since version
>3.3.6 (released 2014-07-23), so it looks like a missing thing in libldap.

There are two things here:

1. libldap 2.4.x indeed does not support TLS_CACERTDIR when linked with 
GnuTLS. This is fixed in the 2.5 branch. (ITS#8155)

2. It is intentional by upstream that *no* CA certificates are used when 
there is no explicit TLS_CACERT or TLS_CACERTDIR configured. There's 
some discussion about this in ITS#5582. (Bearing in mind that in Debian 
we *do* configure a default TLS_CACERT in ldap.conf).

<https://bugs.openldap.org/show_bug.cgi?id=5582>

Is there still something you think needs to be changed or fixed in the 
libldap package?

thanks,
Ryan
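Added example, not part of this thread and not code from libldap or sssd: a small POSIX shell audit of an ldap.conf-style configuration that reflects the two points above (TLS_CACERTDIR ignored by libldap 2.4.x linked with GnuTLS, and no CA certificates at all when neither keyword is set). Function names and output labels are this example's own; the keyword names and the /etc/ldap/ldap.conf path are from the thread.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from libldap/sssd.
# Audit the trust-store keywords of an ldap.conf-style configuration:
#   TLS_CACERT <file>    -> CA bundle in use
#   TLS_CACERTDIR only   -> ignored by libldap 2.4.x + GnuTLS (ITS#8155),
#                           so effectively no CA certificates
#   neither              -> upstream default: no CA certificates (ITS#5582)

# Print the last value of keyword $1 in config text $2 (keywords are
# case-insensitive in ldap.conf); comment lines are skipped.
ldap_conf_value() {
    printf '%s\n' "$2" | awk -v key="$1" '
        $1 !~ /^#/ && toupper($1) == key { value = $2 }
        END { print value }'
}

# Classify the config text in $1: FILE:<path>, DIR_ONLY:<dir> or NONE.
ldap_trust_status() {
    cacert=$(ldap_conf_value TLS_CACERT "$1")
    cacertdir=$(ldap_conf_value TLS_CACERTDIR "$1")
    if [ -n "$cacert" ]; then
        echo "FILE:$cacert"
    elif [ -n "$cacertdir" ]; then
        echo "DIR_ONLY:$cacertdir"
    else
        echo "NONE"
    fi
}

# Audit a real file (default: the one libldap-common ships on Debian).
audit_system_ldap_conf() {
    conf=${1:-/etc/ldap/ldap.conf}
    [ -r "$conf" ] || { echo "SKIP: $conf not readable"; return 0; }
    status=$(ldap_trust_status "$(cat "$conf")")
    case $status in
        FILE:*)
            path=${status#FILE:}
            if [ -r "$path" ]; then
                echo "OK: TLS_CACERT $path"
            else
                echo "WARN: TLS_CACERT $path is not readable"
            fi ;;
        DIR_ONLY:*)
            echo "WARN: only TLS_CACERTDIR set; ignored by libldap 2.4 + GnuTLS" ;;
        NONE)
            echo "WARN: no TLS_CACERT/TLS_CACERTDIR; libldap uses no CA certs" ;;
    esac
}

audit_system_ldap_conf "$@"
```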
