Description of problem:
When using a TLS server, the system CA certificate trust is not used:

> $ ldapsearch -D "uid=myuid,ou=serviceaccounts,dc=example,dc=com" -h ldap.corp.example.com -b "dc=example,dc=com" -W -x "(uid=myuid)" -ZZ -d 255
> ...
> TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
> TLS: cannot open certdb '/etc/openldap/certs', error -8018:Unknown PKCS #11 error.
> ...

I tried changing ldap.conf to

> TLS_CACERT /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

But I still cannot get it working. I see:

> ...
> TLS: error: connect - force handshake failure: errno 2 - moznss error -8054
> additional info: TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
> ldap_free_connection 1 1
> ...

Version-Release number of selected component (if applicable):
ldapsearch 2.4.44

How reproducible:
always
It turns out the default configuration is not working well for users. If I put this in ldap.conf:

> TLS_CACERT /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Then things start working fine. The default option is:

> TLS_CACERTDIR /etc/openldap/certs

And that dir by default is empty. I think it makes more sense to update the default to the system CA trust store.
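The failure mode above (a TLS_CACERTDIR that exists but holds no certificates, so no server certificate can be verified) is easy to catch before debugging the handshake. The following is an added example, not part of the bug report or of OpenLDAP: a hypothetical shell function `check_ldap_tls_conf` that reads an ldap.conf, honours the last TLS_CACERT / TLS_CACERTDIR directive as ldap.conf(5) does, and returns 0 only when a usable trust source is configured.

```shell
#!/bin/sh
# Added example (not from the bug report): sanity-check the TLS trust
# settings in an ldap.conf before suspecting the server. Returns 0 when a
# usable CA trust source is configured, 1 otherwise, and prints why.
check_ldap_tls_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # Last directive wins, as in ldap.conf(5); comment lines never match.
    cacert=$(awk 'toupper($1)=="TLS_CACERT" {v=$2} END {print v}' "$conf")
    cadir=$(awk 'toupper($1)=="TLS_CACERTDIR" {v=$2} END {print v}' "$conf")
    if [ -n "$cacert" ]; then
        if [ -s "$cacert" ]; then
            echo "TLS_CACERT $cacert: usable bundle"
            return 0
        fi
        echo "TLS_CACERT $cacert: missing or empty"
    fi
    if [ -n "$cadir" ]; then
        if [ -d "$cadir" ] && [ -n "$(ls -A "$cadir" 2>/dev/null)" ]; then
            echo "TLS_CACERTDIR $cadir: directory is populated"
            return 0
        fi
        # The situation in the report: the default directory exists but is empty.
        echo "TLS_CACERTDIR $cadir: missing or empty, server certs cannot verify"
        return 1
    fi
    echo "no TLS_CACERT or TLS_CACERTDIR configured"
    return 1
}
```

The directory test is deliberately coarse (it only checks that something is in the directory), so a populated NSS certdb that lacks the issuing CA still passes; it catches the empty-default case from this report, not every trust problem.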
Thanks for reporting this. However, the change of default CA certificate path is proposed in bug 1270678. Thus, I am closing this as a DUPLICATE. *** This bug has been marked as a duplicate of bug 1270678 ***