Bug 1352876

Summary: Change default TLS_CACERTDIR option in /etc/openldap/ldap.conf
Product: Fedora
Component: openldap
Version: 24
Hardware: Unspecified
OS: Unspecified
Status: CLOSED DUPLICATE
Severity: unspecified
Priority: unspecified
Type: Bug
Reporter: Patrik Martinsson <martinsson.patrik>
Assignee: Matus Honek <mhonek>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: jsynacek, jv+fedora, mhonek, pkis, rmeggins
Last Closed: 2016-09-14 15:01:40 UTC

Description Patrik Martinsson 2016-07-05 11:10:59 UTC
Description of problem:

When using tools like 'ldapsearch', they will by default look for settings in '/etc/openldap/ldap.conf' (owned by the openldap package).
There is a default option in there that says "TLS_CACERTDIR /etc/openldap/certs", which by default makes all the tools not trust anything (since that catalogue doesn't contain any certificates).

Wouldn't it be better to make the openldap tools use the "new" (since Fedora 19) "shared system certificate methodology" (https://fedoraproject.org/wiki/Features/SharedSystemCertificates) by pointing the config file to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem instead?

This would be done by changing the option 'TLS_CACERTDIR' to 'TLS_CACERT' and the value from '/etc/openldap/ldap.conf' to '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'.

Please tell me if I'm missing something. 


Version-Release number of selected component (if applicable):


How reproducible:
Always.

Steps to Reproduce:
1. Use the default config and try to do an ldapsearch to an ldap-server that presents a certificate that is "globally trusted" by the "shared system certificate methodology".

Actual results:
ldapsearch answers with -8179:Peer's Certificate issuer is not recognized

Expected results:
Server's certificate should be trusted (as long as it is in the "shared system certificate store").

Additional info:

Comment 1 Matus Honek 2016-09-14 15:01:40 UTC

*** This bug has been marked as a duplicate of bug 1270678 ***