Bug 146815
| Summary: | Wrong tls entry ldap.conf | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | dijuremo <dijuremo> |
| Component: | openldap | Assignee: | Jay Fenlason <fenlason> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | jfeeney, mail, mattdm, nalin |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2006-09-18 19:05:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
dijuremo
2005-02-01 20:42:02 UTC
*** Bug 146985 has been marked as a duplicate of this bug. *** This bug still exists in FC5. Fedora Core 3 is now maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC5 updates or in the FC6 test release, reopen and change the version to match. Thank you! As mentioned the bug is still there in FC5 updates (openldap-2.3.19-4). The file /etc/ldap.conf is not consistent with the ldap.conf manpage at least, which also mentions the option TLS_CACERT (and does not contain TLS_CACERTFILE). I would like to change version to "fc5" but I am not allowed to. Can someone else do that please? I do not want to file a new bug for an old problem. Thanks, I'll change it. I'm actually going to move it to devel, because it seems more likely to get fixed there than to receive an actual pacakge errata. (clearing "needinfo" bit.) Note that /etc/ldap.conf is part of the nss_ldap subsystem,
while /etc/openldap/ldap.conf is part of OpenLDAP. And they have somewhat
different syntaxes, just to make life annoying. /etc/ldap.conf is documented
in the nss_ldap(5) man page, which says
tls_cacertdir <certificate_dir>
Specifies the directory containing X.509 certificates for peer
authentication.
tls_cacertfile <certificate_file>
Specifies the path to the X.509 certificate for peer authentica-
tion.
/etc/ldap.conf is normally only used by nss_ldap, which is enabled by
including "ldap" on one or more of the database lines in /etc/nsswitch.conf
/etc/openldap/ldap.conf is documented in the ldap.conf(5) man page, which says
TLS_CACERT <filename>
Specifies the file that contains certificates for all of the
Certificate Authorities the client will recognize.
TLS_CACERTDIR <path>
Specifies the path of a directory that contains Certificate
Authority certificates in separate individual files. The
TLS_CACERT is always used before TLS_CACERTDIR.
ldapsearch is supposed to use /etc/openldap/ldap.conf, not /etc/ldap.conf. We
need to find out why your ldapsearch commands are using /etc/ldap.conf. Do
you have any of the LDAP* (LDAPCONF, LDAPRC, etc) environment variables set?
(In reply to comment #7) > Note that /etc/ldap.conf is part of the nss_ldap subsystem, > while /etc/openldap/ldap.conf is part of OpenLDAP. And they have somewhat > different syntaxes, just to make life annoying. Interesting. Thank you for pointing this out. Maybe there should be a hint (where to find the correct manpage) added to /etc/ldap.conf. What do you think? Current rawhide has reasonable comments explaining which manpages describe which ldap.conf files, so I'm closing this. |