146985 – Wrong tls entry ldap.conf

Bug 146985 - Wrong tls entry ldap.conf

Summary: Wrong tls entry ldap.conf

Keywords:
Status:	CLOSED DUPLICATE of bug 146815
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	openldap
Sub Component:
Version:	3
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Jay Fenlason
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-02-03 12:20 UTC by dijuremo
Modified:	2014-08-31 23:27 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2005-08-30 09:23:58 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description dijuremo 2005-02-03 12:20:35 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
The sample ldap.conf file in /etc/ldap.conf has the entry:

#tls_cacertfile /etc/ssl/ca.cert

However, tls_cacertfile is not a valid option for ldap.conf

The correct entry should be:

tls_cacert /etc/ssl/ca.cert

This is also seen in other versions including RHEL 4 Beta 2.

Diego

Version-Release number of selected component (if applicable):
openldap-2.2.13-2

How reproducible:
Always

Steps to Reproduce:
1. Using the default tls_cacertfile /etc/ssl/ca.cert:

% grep -v ^# /etc/ldap.conf | uniq
base dc=ibb,dc=gatech,dc=edu
uri ldap://ldap.ibb.gatech.edu
ssl start_tls
tls_reqcert demand
tls_checkpeer yes
tls_cacertfile /etc/ssl/cacert.pem
tls_cacertdir /etc/ssl/certs

Now the query:

%ldapsearch -x -v -ZZ -h ldap.ibb.gatech.edu -b
dc=ibb,dc=gatech,dc=edu 'uid=dr126'
ldap_initialize( ldap://ldap.ibb.gatech.edu )
ldap_start_tls: Connect error (-11)

2. Modifying ldap.conf with tls_cacert /etc/ssl/cacert.pem

% grep -v ^# /etc/ldap.conf | uniq
base dc=ibb,dc=gatech,dc=edu
uri ldap://ldap.ibb.gatech.edu
ssl start_tls
tls_reqcert demand
tls_checkpeer yes
tls_cacert /etc/ssl/cacert.pem
tls_cacertdir /etc/ssl/certs

Now the query:

%ldapsearch -x -v -ZZ -h ldap.ibb.gatech.edu -b
dc=ibb,dc=gatech,dc=edu 'uid=dr126'
ldap_initialize( ldap://ldap.ibb.gatech.edu )
filter: uid=dr126
requesting: ALL
# extended LDIF
#
# LDAPv3
# base <dc=ibb,dc=gatech,dc=edu> with scope sub
# filter: uid=dr126
# requesting: ALL
#

# dr126, People, ibb.gatech.edu
dn: uid=dr126,ou=People,dc=ibb,dc=gatech,dc=edu
uid: dr126
cn: Diego Julian Remolina
givenName: Diego Julian
sn: Remolina
mail: dr126.edu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 500
homeDirectory: /home/dr126
gecos: Diego Julian Remolina

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1


Additional info:

Comment 1 Walter Justen 2005-08-30 09:23:58 UTC

Thanks for the bug report. This particular bug has already been reported
into our bug tracking system, but please feel free to report any further
bugs you find.

*** This bug has been marked as a duplicate of 146815 ***

Note You need to log in before you can comment on or make changes to this bug.