Red Hat Bugzilla – Bug 1255651
[SSL] Use system trusted CA store by default
Last modified: 2016-02-19 10:22:46 EST
Currently /etc/openldap/ldap.conf has the following reference to the trust store:
This is a specific store for openldap in openssl's certdir format. By default this directory is empty, so ldapsearch and other utilities cannot be used to access SSL/StartTLS servers with valid system-wide trusted certificate chains.
The ca-certificates package provides the update-ca-trust utility to manage the system trust; for openssl it manages /etc/pki/tls/certs/ca-bundle.crt (/etc/ssl/certs is a symlink to /etc/pki/tls/certs), and openldap uses openssl.
The openldap package can be integrated to use this system-wide store by adding the following to /etc/openldap/ldap.conf:
This will have the impact of using the trust provided by the system in addition to what exists in /etc/openldap/cacerts.
Integrating openldap into the system-wide trust by default will enable easier and more secure management of system trust.
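An added example, not part of the bug report: a small POSIX shell audit that classifies a client ldap.conf by its trust-store setting, with the default (directory-only) configuration beside the integrated one. It assumes the standard ldap.conf(5) directives TLS_CACERT and TLS_CACERTDIR, which the page does not quote, and uses constructed sample configs.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes the ldap.conf(5)
# directives TLS_CACERT (bundle file) and TLS_CACERTDIR (hashed cert dir).
SYSTEM_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

# Print the value of a directive from a config file (first match,
# case-insensitive; commented lines never match because $1 starts with '#').
ldap_conf_get() {
    # $1 = config file, $2 = directive name
    awk -v key="$2" 'toupper($1) == key { print $2; exit }' "$1"
}

# Classify a config: "system" if TLS_CACERT points at the system bundle,
# "dir-only" if only a certificate directory is set, "none" if neither is set.
ldap_trust_mode() {
    cacert=$(ldap_conf_get "$1" TLS_CACERT)
    cacertdir=$(ldap_conf_get "$1" TLS_CACERTDIR)
    if [ "$cacert" = "$SYSTEM_BUNDLE" ]; then
        echo system
    elif [ -n "$cacertdir" ]; then
        echo dir-only
    else
        echo none
    fi
}

# Constructed sample configs: the shipped default (directory only, empty on
# a fresh install) and the integrated one (system bundle plus the directory).
WEAK=$(mktemp); FIXED=$(mktemp)
cat > "$WEAK" <<'EOF'
# Default: only the openldap-specific directory, which is empty by default
TLS_CACERTDIR /etc/openldap/cacerts
EOF
cat > "$FIXED" <<'EOF'
# Integrated: system trust managed by update-ca-trust, plus the directory
TLS_CACERT    /etc/pki/tls/certs/ca-bundle.crt
TLS_CACERTDIR /etc/openldap/cacerts
EOF

echo "default config:    $(ldap_trust_mode "$WEAK")"
echo "integrated config: $(ldap_trust_mode "$FIXED")"
```

A "dir-only" result with an empty /etc/openldap/cacerts means the client has no anchors at all to validate server chains against, which is the situation the report describes.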
We do not want to make changes like this that break backwards compatibility for upgrades. Closing as WONTFIX.