Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1131094

Summary: update description in slapd.conf for NSS database related options
Product: Red Hat Enterprise Linux 6 Reporter: David Spurek <dspurek>
Component: openldapAssignee: Matus Honek <mhonek>
Status: CLOSED ERRATA QA Contact: Stefan Dordevic <sdordevi>
Severity: low Docs Contact:
Priority: low    
Version: 6.6CC: nkinder, pkis, sdordevi, skremen
Target Milestone: rcKeywords: Documentation
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openldap-2.4.40-10.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-11 00:59:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Spurek 2014-08-18 13:03:02 UTC 
Description of problem:
update TLSCACertificatePath, TLSCertificateKeyFile and TLSCertificateFile options in slapd.conf man page in the same way as their 'olc' prefixed variants in slapd-config man page. Mozilla NSS values description is missing.

Version-Release number of selected component (if applicable):
openldap-2.4.39-8.el6

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Here is the description for these options from slapd-config:

       olcTLSCACertificatePath: <path>
              Specifies  the  path  of  a  directory that contains Certificate
              Authority certificates in  separate  individual  files.  Usually
              only  one  of this or the olcTLSCACertificateFile is defined. If
              both are specified, both locations will be used. This  directive
              is not supported when using GNUtls.

              When  using  Mozilla  NSS,  <path>  may  contain  a  Mozilla NSS
              cert/key database.  If <path> contains a  Mozilla  NSS  cert/key
              database  and  CA  cert  files,  OpenLDAP  will use the cert/key
              database and will ignore the CA cert files.

       olcTLSCertificateFile: <filename>
              Specifies the file that contains the slapd server certificate.

              When using Mozilla NSS, if using a cert/key database  (specified
              with  olcTLSCACertificatePath),  olcTLSCertificateFile specifies
              the name of the certificate to use:
                   olcTLSCertificateFile: Server-Cert
              If using a token other than the internal built in token, specify
              the token name first, followed by a colon:
                   olcTLSCertificateFile: my hardware device:Server-Cert
              Use certutil -L to list the certificates by name:
                   certutil -d /path/to/certdbdir -L

       olcTLSCertificateKeyFile: <filename>
              Specifies  the  file  that contains the slapd server private key
              that matches the certificate stored in the olcTLSCertificateFile
              file. If the private key is protected with a password, the pass-
              word must be manually typed in when slapd starts.   Usually  the
              private  key is not protected with a password, to allow slapd to
              start without manual intervention, so it is of  critical  impor-
              tance that the file is protected carefully.

              When  using  Mozilla NSS, olcTLSCertificateKeyFile specifies the
              name of a file that contains the password for the  key  for  the
              certificate  specified  with olcTLSCertificateFile.  The modutil
              command can be used to turn  off  password  protection  for  the
              cert/key  database.   For  example,  if  olcTLSCACertificatePath
              specifes /etc/openldap/certdb as the location  of  the  cert/key
              database,  use  modutil  to  change  the  password  to the empty
              string:
                   modutil -dbdir /etc/openldap/certdb -changepw ’NSS Certificate DB’
              You must have the old password,  if  any.   Ignore  the  WARNING
              about  the running browser.  Press ’Enter’ for the new password.
Comment 7 errata-xmlrpc 2016-05-11 00:59:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0943.html