Bug 146985

Summary: Wrong tls entry ldap.conf
Product: Fedora
Reporter: dijuremo <dijuremo>
Component: openldap
Assignee: Jay Fenlason <fenlason>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: 3
CC: jfeeney, walt
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-08-30 09:23:58 UTC

Description dijuremo 2005-02-03 12:20:35 UTC

Description of problem:
The sample ldap.conf file in /etc/ldap.conf has the entry:

#tls_cacertfile /etc/ssl/ca.cert

However, tls_cacertfile is not a valid option for ldap.conf.

The correct entry should be:

tls_cacert /etc/ssl/ca.cert

This is also seen in other versions including RHEL 4 Beta 2.

Diego

Version-Release number of selected component (if applicable):
openldap-2.2.13-2

How reproducible:
Always

Steps to Reproduce:
1. Using the default tls_cacertfile /etc/ssl/ca.cert:

% grep -v ^# /etc/ldap.conf | uniq
base dc=ibb,dc=gatech,dc=edu
uri ldap://ldap.ibb.gatech.edu
ssl start_tls
tls_reqcert demand
tls_checkpeer yes
tls_cacertfile /etc/ssl/cacert.pem
tls_cacertdir /etc/ssl/certs

Now the query:

% ldapsearch -x -v -ZZ -h ldap.ibb.gatech.edu -b dc=ibb,dc=gatech,dc=edu 'uid=dr126'
ldap_initialize( ldap://ldap.ibb.gatech.edu )
ldap_start_tls: Connect error (-11)

2. Modifying ldap.conf with tls_cacert /etc/ssl/cacert.pem

% grep -v ^# /etc/ldap.conf | uniq
base dc=ibb,dc=gatech,dc=edu
uri ldap://ldap.ibb.gatech.edu
ssl start_tls
tls_reqcert demand
tls_checkpeer yes
tls_cacert /etc/ssl/cacert.pem
tls_cacertdir /etc/ssl/certs

Now the query:

% ldapsearch -x -v -ZZ -h ldap.ibb.gatech.edu -b dc=ibb,dc=gatech,dc=edu 'uid=dr126'
ldap_initialize( ldap://ldap.ibb.gatech.edu )
filter: uid=dr126
requesting: ALL
# extended LDIF
#
# LDAPv3
# base <dc=ibb,dc=gatech,dc=edu> with scope sub
# filter: uid=dr126
# requesting: ALL
#

# dr126, People, ibb.gatech.edu
dn: uid=dr126,ou=People,dc=ibb,dc=gatech,dc=edu
uid: dr126
cn: Diego Julian Remolina
givenName: Diego Julian
sn: Remolina
mail: dr126.edu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 500
homeDirectory: /home/dr126
gecos: Diego Julian Remolina

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1


Additional info:
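
The report above shows the shape of the problem: libldap skips directives it does not recognise without any diagnostic, so a misnamed CA directive leaves no CA loaded, and with tls_reqcert set to demand the StartTLS handshake fails rather than connecting. Had tls_reqcert been never or allow, the same typo would have let the session proceed with the server certificate unverified, which is the quieter and more dangerous outcome. The following is an added example, not part of the bug report and not OpenLDAP code: a small linter that reads an ldap.conf, flags tls_* directives that are not in libldap's directive set (taken from ldap.conf(5)), proposes tls_cacert for tls_cacertfile, and reports what the effective tls_reqcert setting means when no CA source is configured. The sample configurations and the example.com names are constructed for the demonstration.

```python
"""Lint an OpenLDAP client ldap.conf for TLS directives libldap will ignore.

Added example for this bug report; not code from OpenLDAP or the reporter.
libldap skips keywords it does not recognise, so a misnamed CA directive
leaves no CA loaded. Whether that fails closed (as in the report, with
tls_reqcert demand) or connects unverified depends only on tls_reqcert.
"""
from collections import namedtuple

# TLS directives libldap defines, per ldap.conf(5); matched case-insensitively.
LIBLDAP_TLS_KEYS = frozenset({
    "tls_cacert", "tls_cacertdir", "tls_cert", "tls_key",
    "tls_cipher_suite", "tls_randfile", "tls_reqcert", "tls_crlcheck",
})

# Misnamed directive seen in the report and the libldap name it should carry.
RENAMES = {"tls_cacertfile": "tls_cacert"}

# tls_reqcert values under which a missing CA does NOT stop the session.
PERMISSIVE_REQCERT = {"never", "allow"}

Finding = namedtuple("Finding", "key problem fix")


def parse_ldap_conf(text):
    """Return [(key, value)] for non-blank, non-comment lines, keys lower-cased."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((parts[0].lower(), value))
    return entries


def lint_tls(text):
    """Return a list of Finding for TLS problems libldap would not report itself."""
    entries = parse_ldap_conf(text)
    findings = []
    for key, value in entries:
        if not key.startswith("tls_") or key in LIBLDAP_TLS_KEYS:
            continue
        fix = f"{RENAMES[key]} {value}" if key in RENAMES else None
        findings.append(Finding(key, "not a libldap directive, silently ignored", fix))

    keys = {k for k, _ in entries}
    has_ca = bool(keys & {"tls_cacert", "tls_cacertdir"})
    # ldap.conf(5): tls_reqcert defaults to demand when unset.
    reqcert = next((v.lower() for k, v in entries if k == "tls_reqcert"), "demand")
    if not has_ca:
        if reqcert in PERMISSIVE_REQCERT:
            findings.append(Finding(
                "tls_reqcert",
                f"no CA configured and tls_reqcert {reqcert}: server certificate is never verified",
                "tls_reqcert demand"))
        else:
            findings.append(Finding(
                "tls_reqcert",
                f"no CA configured and tls_reqcert {reqcert}: StartTLS will fail (connect error)",
                None))
    return findings


# Constructed sample: the misnamed directive from the report, no other CA source.
BAD_CONF = """\
base dc=example,dc=com
uri ldap://ldap.example.com
tls_reqcert demand
tls_cacertfile /etc/ssl/cacert.pem
"""

# Same file after the rename; nothing left for the linter to flag.
GOOD_CONF = BAD_CONF.replace("tls_cacertfile", "tls_cacert")

if __name__ == "__main__":
    for name, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(f"{name}: {lint_tls(conf) or 'no findings'}")
```

Run as `python lint_ldap_conf.py` (any file name works) to see the two findings for the constructed bad file and none for the corrected one; pass the text of a real ldap.conf to `lint_tls` to check a host. The linter deliberately uses an explicit rename table rather than fuzzy matching, because a near-miss suggestion for a directive that belongs to a different consumer of the same file would be worse than plainly saying libldap does not read it.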

Comment 1 Walter Justen 2005-08-30 09:23:58 UTC
Thanks for the bug report. This particular bug has already been reported
into our bug tracking system, but please feel free to report any further
bugs you find.

*** This bug has been marked as a duplicate of 146815 ***