Red Hat Bugzilla – Bug 1027613
tls_reqcert try has bad behavior
Last modified: 2015-03-05 08:35:25 EST
Description of problem:
'tls_reqcert try' option has bad behavior on client side. It should allow connection if certificate is not specified.
man page says:
try The server certificate is requested. If no cer‐
tificate is provided, the session proceeds nor‐
mally. If a bad certificate is provided, the ses‐
sion is immediately terminated.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1.Setup ldap server with certificates
2.remove all TLS_CACERT and TLS_CACERTDIR from /etc/openldap/ldap.conf
3.set TLS_REQCERT try to /etc/openldap/ldap.conf
4. try ldapsearch -ZZ -x -H ldap://<server_name> '*'
ldap_start_tls: Connect error (-11)
additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
ldapsearch should pass
if TLS_REQCERT allow is set then ldapsearch pass. TLS_REQCERT try and allow should have the same behavior in case if no ca cert is specified (according to description in man ldap.conf).
First observation: TLS_REQCERT has no effect if you use ldapsearch with -Z[Z]. This probably works as it should, see http://www.openldap.org/its/index.cgi?findid=7206.
I couldn't configure the server so it "provides no certificate" and connect to it using the ldapsearch client.
The manpage is talking about server certificates, TLS_CACERT and TLS_CACERTDIR are CA certificates that the client should use, therefore removing them is not relevant.
Upstream discussion at http://www.openldap.org/lists/openldap-technical/201311/msg00099.html.
Conclusion: the manpage should be fixed.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.