Bug#979995: There should be a sensible compile time default for the location of the file that contains trusted CA certificates

Andras Korn korn-debbugs at elan.rulez.org
Wed Jan 13 12:27:52 GMT 2021


On Tue, Jan 12, 2021 at 10:47:22AM -0800, Ryan Tandy wrote:

Hi,

thanks for clearing up some misunderstandings.

> On Tue, Jan 12, 2021 at 07:04:41PM +0100, Andreas Metzler wrote:
> > On 2021-01-12 Andras Korn <korn-debbugs at elan.rulez.org> wrote:
> > > I think I shouldn't need to specify `ldap_tls_cacert =
> > > /etc/ssl/certs/ca-certificates.crt` when using a Debian package, since
> > > this is the default location of trusted CA certificates in Debian.
> > > Configuration should only be necessary for non-default setups.
> 
> The libldap-common package ships a default /etc/ldap/ldap.conf which
> contains exactly this default TLS_CACERT value. It should be picked up
> automatically by programs using the library. If sssd does something to
> override that, I don't think libldap can be blamed.
> 
> > GnuTLS offers a sane compile default for the trust store (See
> > gnutls_x509_trust_list_add_system_trust()), which can be used by the
> > application. - I have therefore retitled the bug.
> > 
> > From the upstream bug report:
> > 2021-01-12 17:52:00.657730500 [be[ldap]] [sss_ldap_debug] (0x4000): libldap: TLS: warning: cacertdir not implemented for gnutls
> > 
> > GnuTLS has supported using a directory instead of a file since version
> > 3.3.6 (released 2014-07-23), so it looks like a missing thing in libldap.
> 
> There are two things here:
> 
> 1. libldap 2.4.x indeed does not support TLS_CACERTDIR when linked with
> GnuTLS. This is fixed in the 2.5 branch. (ITS#8155)
> 
> 2. It is intentional by upstream that *no* CA certificates are used when
> there is no explicit TLS_CACERT or TLS_CACERTDIR configured. There's some
> discussion about this in ITS#5582. (Bearing in mind that in Debian we *do*
> configure a default TLS_CACERT in ldap.conf).
> 
> <https://bugs.openldap.org/show_bug.cgi?id=5582>
> 
> Is there still something you think needs to be changed or fixed in the
> libldap package?

I'm not sure. Can you somehow make the library complain very loudly when an attempt is made to use CACERTDIR, but the setting is ignored?

The sssd issue was very hard to troubleshoot because initially all I saw after a dist-upgrade was "unknown error".

András

-- 
   If debugging is removing bugs, then programming must be putting them in.
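The "complain loudly" check asked for in the reply above, as an added example that is not part of the thread and not code from libldap, sssd or Debian: a small lint that reads an ldap.conf-style file and reports what a GnuTLS-linked libldap 2.4 would actually end up trusting, given the two facts established in the thread (no CAs are used when neither TLS_CACERT nor TLS_CACERTDIR is set, and TLS_CACERTDIR is ignored by 2.4 when built against GnuTLS, ITS#8155). The function name, the verdict words, the parsing rules (case-insensitive keyword, `#` comments, last occurrence wins) and the sample config files are all my assumptions; the sample files are constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread, libldap, sssd or Debian.
# Lint an ldap.conf for the trust-store pitfalls discussed in bug #979995.
# Assumptions (mine): keywords are "TLS_CACERT <file>" and "TLS_CACERTDIR <dir>",
# matched case-insensitively; '#' starts a comment; the last occurrence wins.

# check_ldap_tls_conf FILE
# Prints one verdict word on stdout, a loud explanation on stderr, and returns:
#   0 OK                           TLS_CACERT points at a readable file
#   1 NO_CA_CONFIGURED             neither keyword set: upstream default is *no* CAs,
#                                  so no server certificate can verify
#   2 CACERTDIR_IGNORED_ON_GNUTLS  only TLS_CACERTDIR set: libldap 2.4 built against
#                                  GnuTLS ignores it (fixed in 2.5, ITS#8155)
#   3 CACERT_UNREADABLE            TLS_CACERT set but the file is missing/unreadable
check_ldap_tls_conf() {
    conf=$1
    # strip comments, then take the value of the last matching keyword line
    cacert=$(sed 's/#.*//' "$conf" | awk 'toupper($1)=="TLS_CACERT"    {v=$2} END{print v}')
    cadir=$(sed 's/#.*//' "$conf"  | awk 'toupper($1)=="TLS_CACERTDIR" {v=$2} END{print v}')

    if [ -n "$cacert" ]; then
        if [ -r "$cacert" ]; then
            echo "OK"; return 0
        fi
        echo "$conf: TLS_CACERT '$cacert' is not readable; TLS verification will fail" >&2
        echo "CACERT_UNREADABLE"; return 3
    fi
    if [ -n "$cadir" ]; then
        echo "$conf: only TLS_CACERTDIR ($cadir) is set; libldap 2.4 + GnuTLS ignores it, so no CAs are trusted" >&2
        echo "CACERTDIR_IGNORED_ON_GNUTLS"; return 2
    fi
    echo "$conf: neither TLS_CACERT nor TLS_CACERTDIR set; libldap will trust no CAs at all" >&2
    echo "NO_CA_CONFIGURED"; return 1
}

# Constructed sample configs (not real system files) so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
: > "$SAMPLE_DIR/ca.crt"    # empty stand-in for a CA bundle; only readability is checked

cat > "$SAMPLE_DIR/debian-like.conf" <<EOF
# modelled on the ldap.conf that libldap-common ships, bundle path swapped for the stand-in
BASE    dc=example,dc=com
TLS_CACERT      $SAMPLE_DIR/ca.crt
EOF

cat > "$SAMPLE_DIR/dir-only.conf" <<EOF
URI     ldaps://ldap.example.com
TLS_CACERTDIR   /etc/ssl/certs   # fine with an OpenSSL build, ignored by GnuTLS in 2.4
EOF

cat > "$SAMPLE_DIR/unset.conf" <<EOF
URI     ldaps://ldap.example.com
#TLS_CACERT     $SAMPLE_DIR/ca.crt
EOF

cat > "$SAMPLE_DIR/missing.conf" <<EOF
TLS_CACERT      $SAMPLE_DIR/does-not-exist.crt
EOF

# Run the lint over each sample; "|| :" keeps the loop going on non-zero verdicts.
for f in debian-like dir-only unset missing; do
    printf '%-12s -> ' "$f"
    check_ldap_tls_conf "$SAMPLE_DIR/$f.conf" || :
done
```

Pointing the same function at the real `/etc/ldap/ldap.conf` gives the answer the thread wanted up front: whether a failing sssd or ldapsearch is looking at a trust store at all. Note that sssd's own `ldap_tls_cacert` in sssd.conf, where set, takes precedence over whatever ldap.conf says, so check that file as well when the verdict here is OK but the bind still fails.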
