Bug 146985 - Wrong tls entry ldap.conf
Summary: Wrong tls entry ldap.conf
Keywords:
Status: CLOSED DUPLICATE of bug 146815
Alias: None
Product: Fedora
Classification: Fedora
Component: openldap
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jay Fenlason
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-02-03 12:20 UTC by dijuremo
Modified: 2014-08-31 23:27 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-08-30 09:23:58 UTC
Type: ---
Embargoed:



Description dijuremo 2005-02-03 12:20:35 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0

Description of problem:
The sample ldap.conf file in /etc/ldap.conf has the entry:

#tls_cacertfile /etc/ssl/ca.cert

However, tls_cacertfile is not a valid option for ldap.conf.

The correct entry should be:

tls_cacert /etc/ssl/ca.cert

This is also seen in other versions including RHEL 4 Beta 2.

Diego

Version-Release number of selected component (if applicable):
openldap-2.2.13-2

How reproducible:
Always

Steps to Reproduce:
1. Using the default tls_cacertfile /etc/ssl/ca.cert:

% grep -v ^# /etc/ldap.conf | uniq
base dc=ibb,dc=gatech,dc=edu
uri ldap://ldap.ibb.gatech.edu
ssl start_tls
tls_reqcert demand
tls_checkpeer yes
tls_cacertfile /etc/ssl/cacert.pem
tls_cacertdir /etc/ssl/certs

Now the query:

%ldapsearch -x -v -ZZ -h ldap.ibb.gatech.edu -b
dc=ibb,dc=gatech,dc=edu 'uid=dr126'
ldap_initialize( ldap://ldap.ibb.gatech.edu )
ldap_start_tls: Connect error (-11)

2. Modifying ldap.conf with tls_cacert /etc/ssl/cacert.pem

% grep -v ^# /etc/ldap.conf | uniq
base dc=ibb,dc=gatech,dc=edu
uri ldap://ldap.ibb.gatech.edu
ssl start_tls
tls_reqcert demand
tls_checkpeer yes
tls_cacert /etc/ssl/cacert.pem
tls_cacertdir /etc/ssl/certs

Now the query:

%ldapsearch -x -v -ZZ -h ldap.ibb.gatech.edu -b
dc=ibb,dc=gatech,dc=edu 'uid=dr126'
ldap_initialize( ldap://ldap.ibb.gatech.edu )
filter: uid=dr126
requesting: ALL
# extended LDIF
#
# LDAPv3
# base <dc=ibb,dc=gatech,dc=edu> with scope sub
# filter: uid=dr126
# requesting: ALL
#

# dr126, People, ibb.gatech.edu
dn: uid=dr126,ou=People,dc=ibb,dc=gatech,dc=edu
uid: dr126
cn: Diego Julian Remolina
givenName: Diego Julian
sn: Remolina
mail: dr126.edu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 500
homeDirectory: /home/dr126
gecos: Diego Julian Remolina

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1


Additional info:
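Added example (not from the report or the openldap project): a small Python linter that parses the key/value format of ldap.conf, flags the `tls_cacertfile` spelling described above, which libldap does not recognise, and rewrites it to `tls_cacert`; the sample configuration and host names are constructed placeholders modelled on the report's first /etc/ldap.conf.

```python
import re

# Wrong spelling from the report -> the option name libldap actually reads (ldap.conf(5))
MISNAMED = {"tls_cacertfile": "tls_cacert"}

# Constructed sample modelled on the report's first /etc/ldap.conf (hosts are placeholders)
SAMPLE = """\
base dc=example,dc=test
uri ldap://ldap.example.test
ssl start_tls
tls_reqcert demand
#tls_cacertfile /etc/ssl/ca.cert
tls_cacertfile /etc/ssl/cacert.pem
tls_cacertdir /etc/ssl/certs
"""


def parse_ldap_conf(text):
    """Return {option: value}; options are lower-cased, comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1]
    return conf


def lint_tls(text):
    """Return findings for CA options spelled so that libldap never loads the CA file."""
    conf = parse_ldap_conf(text)
    findings = []
    for wrong, right in MISNAMED.items():
        if wrong in conf and right not in conf:
            findings.append(
                f"'{wrong} {conf[wrong]}' is not an OpenLDAP option, so libldap never "
                f"loads this CA file; use '{right} {conf[wrong]}'"
            )
    return findings


def fix_ldap_conf(text):
    """Rewrite active (non-comment) misnamed options in place; every other line is kept."""
    for wrong, right in MISNAMED.items():
        text = re.sub(rf"^(\s*){wrong}(\s+)", rf"\g<1>{right}\g<2>", text, flags=re.M | re.I)
    return text
```

Running `lint_tls` on the corrected file returns no findings, and the commented-out `#tls_cacertfile` line is left untouched by `fix_ldap_conf`.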

Comment 1 Walter Justen 2005-08-30 09:23:58 UTC
Thanks for the bug report. This particular bug has already been reported
into our bug tracking system, but please feel free to report any further
bugs you find.

*** This bug has been marked as a duplicate of 146815 ***

