Bug 1255651

Summary: [SSL] Use system trusted CA store by default
Product: Red Hat Enterprise Linux 7
Reporter: Alon Bar-Lev <alonbl>
Component: openldap
Assignee: Matus Honek <mhonek>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Docs Contact:
Priority: low
Version: 7.0
CC: ebenes, iheim, kseifried, nkinder, pkis
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-19 15:22:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1270678
Bug Blocks: 1255621

Description Alon Bar-Lev 2015-08-21 09:18:11 UTC
Currently /etc/openldap/ldap.conf has the following reference to the trust store:

  TLS_CACERTDIR /etc/openldap/cacerts

This is a specific store for openldap in openssl's certdir format. By default this directory is empty, so ldapsearch and other utilities cannot be used to access ssl/startTLS servers with valid system wide trusted certificate chains.

The ca-certificates package provides the update-ca-trust utility to manage the system trust; for openssl it manages /etc/pki/tls/certs/ca-bundle.crt (/etc/ssl/certs is a symlink to /etc/pki/tls/certs), and openldap uses openssl.

The openldap package can be integrated to use this system wide store by adding the following into /etc/openldap/ldap.conf:

  TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

This will have the impact of using the trust provided by the system in addition to what exists in /etc/openldap/cacerts.

Integrating openldap into the system wide trust by default will enable easier and more secure management of system trust.
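As an added example (not part of the report or of the openldap package), the script below classifies which trust store an ldap.conf uses and applies the change proposed above, keeping TLS_CACERTDIR so both stores remain consulted. The sample ldap.conf is constructed inline; the bundle path is the one named in the report.

```shell
#!/bin/sh
# Added example, not part of the bug report: classify which trust store an
# OpenLDAP client config (ldap.conf) uses, then apply the change the report
# proposes, i.e. add a TLS_CACERT line pointing at the system CA bundle.
# Assumption: the sample ldap.conf below is constructed here; the bundle path
# is the one named in the report.

SYSTEM_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

# Print the value of an ldap.conf keyword (keywords are case-insensitive,
# '#' lines are comments); prints nothing if the keyword is absent.
ldap_conf_get() {
    awk -v key="$2" 'toupper($1) == key { print $2; exit }' "$1"
}

# Classify the trust configuration:
#   system   - TLS_CACERT names the system-wide CA bundle
#   file     - TLS_CACERT names some other bundle file
#   dir-only - only TLS_CACERTDIR is set (the stock default, an empty directory)
#   none     - no trust store configured at all
ldap_conf_trust_mode() {
    cacert=$(ldap_conf_get "$1" TLS_CACERT)
    cacertdir=$(ldap_conf_get "$1" TLS_CACERTDIR)
    if [ "$cacert" = "$SYSTEM_BUNDLE" ]; then echo system
    elif [ -n "$cacert" ]; then echo file
    elif [ -n "$cacertdir" ]; then echo dir-only
    else echo none
    fi
}

# Append the TLS_CACERT line the report suggests unless one already exists.
# TLS_CACERTDIR is left in place, so both stores are consulted.
ldap_conf_add_system_trust() {
    [ -n "$(ldap_conf_get "$1" TLS_CACERT)" ] && return 0
    printf 'TLS_CACERT %s\n' "$SYSTEM_BUNDLE" >> "$1"
}

# Constructed sample in the style of the stock /etc/openldap/ldap.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# LDAP Defaults
URI ldaps://ldap.example.com
TLS_CACERTDIR /etc/openldap/cacerts
EOF

echo "before: $(ldap_conf_trust_mode "$SAMPLE_CONF")"   # dir-only
ldap_conf_add_system_trust "$SAMPLE_CONF"
echo "after:  $(ldap_conf_trust_mode "$SAMPLE_CONF")"   # system
```

For a one-off check without editing the file, the same option can be passed to ldapsearch as the LDAPTLS_CACERT environment variable, which OpenLDAP reads alongside ldap.conf.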

Comment 4 Nathan Kinder 2016-02-19 15:22:46 UTC
We do not want to make changes like this that break backwards compatibility for upgrades.  Closing as WONTFIX.