From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0

Description of problem:
The sample ldap.conf file in /etc/ldap.conf has the entry:

    #tls_cacertfile /etc/ssl/ca.cert

However, tls_cacertfile is not a valid option for ldap.conf. The correct entry should be:

    tls_cacert /etc/ssl/ca.cert

This is also seen in other versions including RHEL 4 Beta 2.

Diego

Version-Release number of selected component (if applicable):
openldap-2.2.13-2

How reproducible:
Always

Steps to Reproduce:
1. Using the default tls_cacertfile /etc/ssl/ca.cert:

    % grep -v ^# /etc/ldap.conf | uniq
    base dc=ibb,dc=gatech,dc=edu
    uri ldap://ldap.ibb.gatech.edu
    ssl start_tls
    tls_reqcert demand
    tls_checkpeer yes
    tls_cacertfile /etc/ssl/cacert.pem
    tls_cacertdir /etc/ssl/certs

Now the query:

    %ldapsearch -x -v -ZZ -h ldap.ibb.gatech.edu -b dc=ibb,dc=gatech,dc=edu 'uid=dr126'
    ldap_initialize( ldap://ldap.ibb.gatech.edu )
    ldap_start_tls: Connect error (-11)

2. Modifying ldap.conf with tls_cacert /etc/ssl/cacert.pem

    % grep -v ^# /etc/ldap.conf | uniq
    base dc=ibb,dc=gatech,dc=edu
    uri ldap://ldap.ibb.gatech.edu
    ssl start_tls
    tls_reqcert demand
    tls_checkpeer yes
    tls_cacert /etc/ssl/cacert.pem
    tls_cacertdir /etc/ssl/certs

Now the query:

    %ldapsearch -x -v -ZZ -h ldap.ibb.gatech.edu -b dc=ibb,dc=gatech,dc=edu 'uid=dr126'
    ldap_initialize( ldap://ldap.ibb.gatech.edu )
    filter: uid=dr126
    requesting: ALL
    # extended LDIF
    #
    # LDAPv3
    # base <dc=ibb,dc=gatech,dc=edu> with scope sub
    # filter: uid=dr126
    # requesting: ALL
    #

    # dr126, People, ibb.gatech.edu
    dn: uid=dr126,ou=People,dc=ibb,dc=gatech,dc=edu
    uid: dr126
    cn: Diego Julian Remolina
    givenName: Diego Julian
    sn: Remolina
    mail: dr126.edu
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    loginShell: /bin/bash
    uidNumber: 1000
    gidNumber: 500
    homeDirectory: /home/dr126
    gecos: Diego Julian Remolina

    # search result
    search: 3
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

Additional info:
*** Bug 146985 has been marked as a duplicate of this bug. ***
This bug still exists in FC5.
Fedora Core 3 is now maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC5 updates or in the FC6 test release, reopen and change the version to match. Thank you!
As mentioned the bug is still there in FC5 updates (openldap-2.3.19-4). The file /etc/ldap.conf is not consistent with the ldap.conf manpage at least, which also mentions the option TLS_CACERT (and does not contain TLS_CACERTFILE). I would like to change version to "fc5" but I am not allowed to. Can someone else do that please? I do not want to file a new bug for an old problem.
Thanks, I'll change it. I'm actually going to move it to devel, because it seems more likely to get fixed there than to receive an actual package errata.
(clearing "needinfo" bit.)
Note that /etc/ldap.conf is part of the nss_ldap subsystem, while /etc/openldap/ldap.conf is part of OpenLDAP. And they have somewhat different syntaxes, just to make life annoying.

/etc/ldap.conf is documented in the nss_ldap(5) man page, which says:

    tls_cacertdir <certificate_dir>
        Specifies the directory containing X.509 certificates for peer authentication.

    tls_cacertfile <certificate_file>
        Specifies the path to the X.509 certificate for peer authentication.

/etc/ldap.conf is normally only used by nss_ldap, which is enabled by including "ldap" on one or more of the database lines in /etc/nsswitch.conf.

/etc/openldap/ldap.conf is documented in the ldap.conf(5) man page, which says:

    TLS_CACERT <filename>
        Specifies the file that contains certificates for all of the Certificate Authorities the client will recognize.

    TLS_CACERTDIR <path>
        Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. The TLS_CACERT is always used before TLS_CACERTDIR.

ldapsearch is supposed to use /etc/openldap/ldap.conf, not /etc/ldap.conf. We need to find out why your ldapsearch commands are using /etc/ldap.conf. Do you have any of the LDAP* (LDAPCONF, LDAPRC, etc) environment variables set?
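The comment above explains the root of the confusion: the two files accept different option vocabularies, and a CA option spelled for the wrong file is silently ignored, which is exactly what leaves TLS_REQCERT demand with no trust anchor and produces the start_tls failure in the report. The following checker is an added example, not part of this bug thread or of the nss_ldap/OpenLDAP packages. It parses a ldap.conf-style file, flags CA options that belong to the other file, and warns when certificate verification is demanded but no recognised CA option is present. The option vocabularies are a hand-built, partial set limited to the options this thread mentions (an assumption, not the full man-page list), and the sample configurations are constructed to mirror the reporter's.

```python
"""Sanity-check TLS CA settings in nss_ldap's /etc/ldap.conf versus OpenLDAP's
/etc/openldap/ldap.conf (added example; not project code)."""

# ASSUMPTION: partial vocabularies built only from options named in this thread.
# Both parsers match keywords case-insensitively, so everything is lower-cased.
NSS_LDAP_OPTIONS = {"base", "uri", "ssl", "tls_reqcert", "tls_checkpeer",
                    "tls_cacertfile", "tls_cacertdir"}
OPENLDAP_OPTIONS = {"base", "uri", "tls_reqcert", "tls_cacert", "tls_cacertdir"}

# CA options that belong to the *other* file, mapped to the right spelling here.
CROSS_FILE_HINTS = {
    "openldap": {"tls_cacertfile": "tls_cacert"},
    "nss_ldap": {"tls_cacert": "tls_cacertfile"},
}

# Options that, in each file, actually supply a trust anchor.
CA_OPTIONS = {
    "openldap": ("tls_cacert", "tls_cacertdir"),
    "nss_ldap": ("tls_cacertfile", "tls_cacertdir"),
}


def parse_ldap_conf(text):
    """Return [(keyword_lowercased, value)] for 'keyword value' lines,
    skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((parts[0].lower(), value))
    return entries


def check_conf(text, flavour):
    """Return a list of finding strings for a config of the given flavour,
    'nss_ldap' (/etc/ldap.conf) or 'openldap' (/etc/openldap/ldap.conf).
    An empty list means no problems were detected."""
    known = NSS_LDAP_OPTIONS if flavour == "nss_ldap" else OPENLDAP_OPTIONS
    hints = CROSS_FILE_HINTS[flavour]
    findings = []
    seen = {}
    for key, value in parse_ldap_conf(text):
        seen[key] = value
        if key in hints:
            findings.append(f"{key}: not an option in {flavour}; use {hints[key]}")
        elif key not in known:
            findings.append(f"{key}: unknown option (ignored by {flavour})")

    # Verification is demanded by 'tls_reqcert demand' (both files) or by
    # nss_ldap's 'tls_checkpeer yes'; without a trust anchor the handshake
    # cannot succeed, which is the failure mode seen in the report.
    demands = (seen.get("tls_reqcert", "").lower() == "demand"
               or seen.get("tls_checkpeer", "").lower() == "yes")
    if demands and not any(k in seen for k in CA_OPTIONS[flavour]):
        findings.append("certificate verification demanded but no recognised "
                        f"CA option ({' or '.join(CA_OPTIONS[flavour])}) is set")
    return findings


# Constructed samples modelled on the reporter's configuration.
OPENLDAP_BROKEN = """\
BASE dc=ibb,dc=gatech,dc=edu
URI ldap://ldap.ibb.gatech.edu
TLS_REQCERT demand
tls_cacertfile /etc/ssl/cacert.pem
"""

OPENLDAP_FIXED = """\
BASE dc=ibb,dc=gatech,dc=edu
URI ldap://ldap.ibb.gatech.edu
TLS_REQCERT demand
TLS_CACERT /etc/ssl/cacert.pem
"""

NSS_LDAP_OK = """\
base dc=ibb,dc=gatech,dc=edu
uri ldap://ldap.ibb.gatech.edu
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/cacert.pem
"""

if __name__ == "__main__":
    for name, text, flavour in (("openldap (broken)", OPENLDAP_BROKEN, "openldap"),
                                ("openldap (fixed)", OPENLDAP_FIXED, "openldap"),
                                ("nss_ldap", NSS_LDAP_OK, "nss_ldap")):
        print(f"== {name}")
        for finding in check_conf(text, flavour) or ["ok"]:
            print("  ", finding)
```

Run against a real system, the two files would be read from /etc/ldap.conf with flavour "nss_ldap" and /etc/openldap/ldap.conf with flavour "openldap"; a finding of the cross-file kind is the signature of the mix-up this bug describes.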
(In reply to comment #7)
> Note that /etc/ldap.conf is part of the nss_ldap subsystem,
> while /etc/openldap/ldap.conf is part of OpenLDAP. And they have somewhat
> different syntaxes, just to make life annoying.

Interesting. Thank you for pointing this out. Maybe there should be a hint (where to find the correct manpage) added to /etc/ldap.conf. What do you think?
Current rawhide has reasonable comments explaining which manpages describe which ldap.conf files, so I'm closing this.