Bug#979995: There should be a sensible compile time default for the location of the file that contains trusted CA certificates

Andras Korn korn-debbugs at elan.rulez.org
Wed Jan 13 12:44:07 GMT 2021


On Tue, Jan 12, 2021 at 10:47:22AM -0800, Ryan Tandy wrote:

> > On 2021-01-12 Andras Korn <korn-debbugs at elan.rulez.org> wrote:
> > > I think I shouldn't need to specify `ldap_tls_cacert =
> > > /etc/ssl/certs/ca-certificates.crt` when using a Debian package, since
> > > this is the default location of trusted CA certificates in Debian.
> > > Configuration should only be necessary for non-default setups.
> 
> The libldap-common package ships a default /etc/ldap/ldap.conf which
> contains exactly this default TLS_CACERT value. It should be picked up
> automatically by programs using the library. If sssd does something to
> override that, I don't think libldap can be blamed.

OK, looking further, part of the problem is that I didn't have
libldap-common installed, thus no /etc/ldap/ldap.conf.

Since this (and the accompanying manpage) is all that libldap-common
contains: what's the rationale for having these in a separate package?

The libldap package only Recommends libldap-common (which is why I didn't
have it); however, it is libldap-common that enables the sensible defaults.

Why shouldn't libldap come with the sensible defaults itself?

András

-- 
          For Sale: parachute, used once, never opened, small stain.



More information about the Pkg-openldap-devel mailing list