Bug 1270678

Summary: [SSL] Use system trusted CA store by default
Product: [Fedora] Fedora Reporter: Alon Bar-Lev <alonbl>
Component: openldapAssignee: Matus Honek <mhonek>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 27CC: akostadi, jsynacek, jv+fedora, martinsson.patrik, mhonek, phracek, pkis, rmeggins
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openldap-2.4.45-11.fc28 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-21 16:58:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1249781, 1255651    

Description Alon Bar-Lev 2015-10-12 06:34:35 UTC 
Currently /etc/openldap/ldap.conf has the following reference to CA store:

  TLS_CACERTDIR /etc/openldap/cacerts

This is a specific store for openldap in openssl's nss certdir. By default this directory has an empty database.

# certutil -L -d /etc/openldap/certs/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
ldapsearch and other utilities cannot be used to access ssl/startTLS servers with valid system wide trusted certificate chains.

ca-certificates package provide update-ca-trust utility to manage the system trust, for openssl it manages /etc/pki/tls/certs/ca-bundle.crt (/etc/ssl/certs which is symlink to /etc/pki/tls/certs),  openldap uses openssl.

openldap package can be integrated to use this system wide store by adding the following into /etc/openldap/ldap.conf:

  TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

Or by updating ca-certificates package to also manage nss store in addition to openssl.

Integrating openldap into the system wide trust by default will enable easier and more secure management of system trust.
Comment 2 Fedora End Of Life 2016-07-19 18:11:08 UTC 
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 3 Matus Honek 2016-09-14 14:59:42 UTC 
This is correct. We should implement this (per https://fedoraproject.org/wiki/Features/SharedSystemCertificates). I am changing bug's version to RAWHIDE as it should not change already established defaults.
Comment 4 Matus Honek 2016-09-14 15:01:40 UTC 
*** Bug 1352876 has been marked as a duplicate of this bug. ***
Comment 5 Fedora End Of Life 2017-02-28 09:49:46 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.
Comment 6 Matus Honek 2017-04-07 10:18:11 UTC 
*** Bug 1426177 has been marked as a duplicate of this bug. ***
Comment 7 Jan Kurik 2017-08-15 09:01:47 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
Comment 8 Matus Honek 2018-02-21 16:58:57 UTC 
https://src.fedoraproject.org/rpms/openldap/c/bdec46fdafce949b88f36cb2055e1ec3f2c721f4?branch=master