Bug#979995: There should be a sensible compile time default for the location of the file that contains trusted CA certificates

Ryan Tandy ryan at nardis.ca
Thu Jan 14 01:12:39 GMT 2021


On Wed, Jan 13, 2021 at 01:27:52PM +0100, Andras Korn wrote:
>Can you somehow make the library complain very loudly when an attempt 
>is made to use CACERTDIR, but the setting is ignored?

This is not sarcastic, but a good faith question: if it had printed 
something to stderr, would you have seen it? I don't think I have any 
way to make something appear in (for example) sssd's own log file.

In fact, it does already log a warning, but I suppose most applications 
using the library probably don't enable any log level.

https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_4/libraries/libldap/tls_g.c#L187-190

On Wed, Jan 13, 2021 at 01:44:07PM +0100, Andras Korn wrote:
>OK, looking further, part of the problem is that I didn't have
>libldap-common installed, thus no /etc/ldap/ldap.conf.
>
>Since this (and the accompanying manpage) is all that libldap-common
>contains: what's the rationale for having these in a separate package?

Policy 8.2: "If your package contains files whose names do not change 
with each change in the library shared object version, you must not put 
them in the shared library package."

https://bugs.debian.org/330695

>The libldap package only Recommends libldap-common (which is why I didn't
>have it); however, it is libldap-common that enables the sensible defaults.
>
>Why shouldn't libldap come with the sensible defaults itself?

It's your decision whether to install Recommends or not, but AFAIK it's 
generally not considered a bug if some feature or behaviour is missing 
when Recommends are not installed.

Why isn't the default in the code of libldap → this is upstream's 
decision, and I won't introduce a Debian-local change to override it, 
sorry.

Why isn't the config file shipped in the libldap package → see above.

hope this helps,
Ryan



More information about the Pkg-openldap-devel mailing list
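
An added example, not part of the original message or of OpenLDAP or Debian: a shell check for the situation discussed in this thread, where a client configuration has no `TLS_CACERT` file and relies only on `TLS_CACERTDIR`, or where the configuration file is absent altogether. The function name and status strings are hypothetical, and the check assumes a libldap built against GnuTLS (the `tls_g.c` backend linked above). It reads a single file only, ignoring `LDAPTLS_*` environment variables and `~/.ldaprc`, and it does not handle paths containing spaces.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# Prints one status word for an ldap.conf-style file:
#   missing            file absent or unreadable (e.g. libldap-common not installed)
#   no-ca              neither TLS_CACERT nor TLS_CACERTDIR is set
#   cacertdir-only     only TLS_CACERTDIR is set (the setting the thread says is ignored)
#   cacert-unreadable  TLS_CACERT is set but the file cannot be read
#   ok                 TLS_CACERT is set and readable
check_ldap_tls_ca() {
    conf=$1
    [ -r "$conf" ] || { echo "missing"; return 0; }
    # Option names are case-insensitive; the last occurrence of each wins here.
    result=$(awk '
        /^#/ || /^[ \t]*$/ { next }                 # comments and blank lines
        { key = toupper($1) }
        key == "TLS_CACERT"    && NF >= 2 { file = $2 }
        key == "TLS_CACERTDIR" && NF >= 2 { dir = $2 }
        END {
            if (file != "")     print "file " file
            else if (dir != "") print "cacertdir-only"
            else                print "no-ca"
        }' "$conf")
    case $result in
        "file "*)
            ca=${result#file }
            if [ -r "$ca" ]; then echo "ok"; else echo "cacert-unreadable"; fi ;;
        *) echo "$result" ;;
    esac
}

# Constructed sample files, written to a temporary directory for the demo.
demo=$(mktemp -d)
: > "$demo/ca.pem"
printf '# constructed sample\nTLS_CACERTDIR /etc/ssl/certs\n' > "$demo/dir-only.conf"
printf 'tls_cacert %s\n' "$demo/ca.pem" > "$demo/file.conf"
for f in dir-only.conf file.conf absent.conf; do
    printf '%s: %s\n' "$f" "$(check_ldap_tls_ca "$demo/$f")"
done
rm -rf "$demo"
```

On a real system the function would be pointed at `/etc/ldap/ldap.conf`, the file the thread says ships in libldap-common.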