The same problem on rhel 6, tested with openldap-2.4.23-32.el6_4.1

+++ This bug was initially created as a clone of Bug #1027613 +++

Description of problem:
'tls_reqcert try' option has bad behavior on client side. It should allow connection if certificate is not specified.

man page says:
try     The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.

Version-Release number of selected component (if applicable):
openldap-2.4.35-6.el7

How reproducible:
always

Steps to Reproduce:
1. Setup ldap server with certificates
2. remove all TLS_CACERT and TLS_CACERTDIR from /etc/openldap/ldap.conf
3. set TLS_REQCERT try in /etc/openldap/ldap.conf
4. try ldapsearch -ZZ -x -H ldap://<server_name> '*'

Actual results:
ldapsearch fails:
ldap_start_tls: Connect error (-11)
additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

Expected results:
ldapsearch should pass

Additional info:

--- Additional comment from David Spurek on 2013-11-07 03:37:52 EST ---

if TLS_REQCERT allow is set then ldapsearch passes. TLS_REQCERT try and allow should have the same behavior in case no ca cert is specified (according to the description in man ldap.conf).
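An added audit helper, not part of this bug report or of OpenLDAP, that parses an ldap.conf fragment and reports whether the TLS_REQCERT / TLS_CACERT combination will actually verify the server certificate. The sample configuration is constructed to mirror the reproduction steps above (TLS_REQCERT try with no trust anchor configured); file contents, hostname and paths are assumptions.

```python
# Constructed sample ldap.conf (assumption: mirrors the reproduction setup above).
SAMPLE_LDAP_CONF = """\
# /etc/openldap/ldap.conf  (constructed example, not a real deployment)
URI ldap://ldap.example.test
BASE dc=example,dc=test
#TLS_CACERT /etc/openldap/certs/ca.crt
TLS_REQCERT try
"""


def parse_ldap_conf(text):
    """Return {OPTION: value} for every active option line, skipping
    blank lines and '#' comments. Option names are case-insensitive in
    ldap.conf, so they are normalised to upper case."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def assess_tls(opts):
    """Classify what the client will do with the server certificate,
    following the TLS_REQCERT semantics in man ldap.conf. Returns
    (status, explanation). The default when unset is 'demand'."""
    reqcert = opts.get("TLS_REQCERT", "demand").lower()
    has_ca = "TLS_CACERT" in opts or "TLS_CACERTDIR" in opts
    if reqcert == "never":
        return "no-verify", "server certificate is never requested or checked"
    if reqcert == "allow":
        return "no-verify", "missing or bad server certificate is accepted"
    if reqcert == "try":
        if not has_ca:
            # The situation in this bug report: no trust anchor, so the
            # presented certificate cannot be validated at all.
            return "unverifiable", "TLS_REQCERT try with no TLS_CACERT/TLS_CACERTDIR"
        return "weak", "bad certificate rejected, but a missing one is accepted"
    # demand (default) and its alias hard
    if not has_ca:
        return "misconfigured", "demand with no trust anchor: every StartTLS fails"
    return "verify", "server certificate required and checked against the CA"


if __name__ == "__main__":
    status, why = assess_tls(parse_ldap_conf(SAMPLE_LDAP_CONF))
    print(f"{status}: {why}")
```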
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1426.html