Description of problem:
When using tools like 'ldapsearch', they will by default look for settings in '/etc/openldap/ldap.conf' (owned by the openldap package). There is a default option in there that says "TLS_CACERTDIR /etc/openldap/certs", which by default makes all the tools not trust anything (since that catalogue doesn't contain any certificates).

Wouldn't it be better to make the openldap tools use the "new" (since Fedora 19) "shared system certificate methodology" (https://fedoraproject.org/wiki/Features/SharedSystemCertificates) by pointing the config file to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem instead? This would be done by changing the option 'TLS_CACERTDIR' to 'TLS_CACERT' and the value from '/etc/openldap/ldap.conf' to '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'.

Please tell me if I'm missing something.

Version-Release number of selected component (if applicable):

How reproducible:
Always.

Steps to Reproduce:
1. Use the default config and try to do an ldapsearch to an ldap-server that presents a certificate that is "globally trusted" by the "shared system certificate methodology".

Actual results:
ldapsearch answers with -8179:Peer's Certificate issuer is not recognized

Expected results:
Server's certificate should be trusted (as long as it is in the "shared system certificate store").

Additional info:
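As an added illustration of the two configurations compared in the report (this is example code, not part of the bug report or of the openldap package), the following POSIX shell functions read the effective TLS trust directive out of an ldap.conf file and count how many PEM certificates the referenced store actually contains. The demo builds both variants under a temporary directory with constructed dummy PEM blocks standing in for tls-ca-bundle.pem; the function names are invented for this example.

```shell
#!/bin/sh
# Added example: compare "TLS_CACERTDIR <empty dir>" (the shipped default)
# with "TLS_CACERT <bundle file>" (the proposed change) by inspecting what
# each directive points at. All paths are constructed under mktemp -d.

# Print the effective CA directive of an ldap.conf:
#   "DIR <path>"  for TLS_CACERTDIR
#   "FILE <path>" for TLS_CACERT
#   "NONE"        if neither is set
# Comment lines are skipped; the last directive in the file wins, as in ldap.conf(5).
ldap_tls_setting() {
    conf="$1"
    awk 'BEGIN { k = "NONE"; p = "" }
         $1 !~ /^#/ && toupper($1) == "TLS_CACERTDIR" { k = "DIR";  p = $2 }
         $1 !~ /^#/ && toupper($1) == "TLS_CACERT"    { k = "FILE"; p = $2 }
         END { if (k == "NONE") print k; else print k " " p }' "$conf"
}

# Count PEM certificates reachable through a directive ("DIR"/"FILE" plus path).
# A missing path or an empty directory yields 0, which is the situation the
# report describes for /etc/openldap/certs.
ldap_trust_anchor_count() {
    kind="$1"; path="$2"
    case "$kind" in
        DIR)  if [ -d "$path" ]; then
                  cat "$path"/* 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
              else echo 0; fi ;;
        FILE) if [ -f "$path" ]; then
                  grep -c 'BEGIN CERTIFICATE' "$path" || true
              else echo 0; fi ;;
        *)    echo 0 ;;
    esac
}

# Build both configurations with constructed data and report the difference.
ldap_demo_report() {
    tmp=$(mktemp -d)
    mkdir "$tmp/certs"                                   # empty, like the default catalogue
    printf 'TLS_CACERTDIR %s\n' "$tmp/certs" > "$tmp/ldap.conf.default"

    # Constructed stand-in for tls-ca-bundle.pem: two dummy PEM blocks (not real certs).
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'dummy-ca-1' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'dummy-ca-2' '-----END CERTIFICATE-----' \
                  > "$tmp/tls-ca-bundle.pem"
    printf 'TLS_CACERT %s\n' "$tmp/tls-ca-bundle.pem" > "$tmp/ldap.conf.proposed"

    for c in default proposed; do
        set -- $(ldap_tls_setting "$tmp/ldap.conf.$c")
        echo "$c: $1 $2 -> $(ldap_trust_anchor_count "$1" "$2") trust anchor(s)"
    done
    rm -rf "$tmp"
}

ldap_demo_report
```

The default variant reports 0 trust anchors and the proposed one reports 2, which is the gap behind the -8179 result (NSS's SEC_ERROR_UNKNOWN_ISSUER). Two caveats when applying this to a real Fedora host: the OpenLDAP client libraries of that era were linked against NSS, so TLS_CACERTDIR there refers to an NSS certificate database directory rather than a folder of PEM files, and this count only inspects PEM-style stores; and without touching the packaged file, a single run can be pointed at the system bundle through the matching environment variable, e.g. LDAPTLS_CACERT=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ldapsearch ..., which is useful for confirming the diagnosis before editing ldap.conf.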
*** This bug has been marked as a duplicate of bug 1270678 ***