Bug 146985 – Wrong tls entry ldap.conf

Bug 146985 - Wrong tls entry ldap.conf

Summary:	Wrong tls entry ldap.conf

Status:	CLOSED DUPLICATE of bug 146815

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	openldap (Show other bugs)
Sub Component:
Version:	3
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Jay Fenlason
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2005-02-03 07:20 EST by dijuremo
Modified:	2014-08-31 19:27 EDT (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2005-08-30 05:23:58 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description dijuremo 2005-02-03 07:20:35 EST

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
The sample ldap.conf file in /etc/ldap.conf has the entry:

#tls_cacertfile /etc/ssl/ca.cert

However, tls_cacertfile is not a valid option for ldap.conf

The correct entry should be:

tls_cacert /etc/ssl/ca.cert

This is also seen in other versions including RHEL 4 Beta 2.

Diego

Version-Release number of selected component (if applicable):
openldap-2.2.13-2

How reproducible:
Always

Steps to Reproduce:
1. Using the default tls_cacertfile /etc/ssl/ca.cert:

% grep -v ^# /etc/ldap.conf | uniq
base dc=ibb,dc=gatech,dc=edu
uri ldap://ldap.ibb.gatech.edu
ssl start_tls
tls_reqcert demand
tls_checkpeer yes
tls_cacertfile /etc/ssl/cacert.pem
tls_cacertdir /etc/ssl/certs

Now the query:

%ldapsearch -x -v -ZZ -h ldap.ibb.gatech.edu -b
dc=ibb,dc=gatech,dc=edu 'uid=dr126'
ldap_initialize( ldap://ldap.ibb.gatech.edu )
ldap_start_tls: Connect error (-11)

2. Modifying ldap.conf with tls_cacert /etc/ssl/cacert.pem

% grep -v ^# /etc/ldap.conf | uniq
base dc=ibb,dc=gatech,dc=edu
uri ldap://ldap.ibb.gatech.edu
ssl start_tls
tls_reqcert demand
tls_checkpeer yes
tls_cacert /etc/ssl/cacert.pem
tls_cacertdir /etc/ssl/certs

Now the query:

%ldapsearch -x -v -ZZ -h ldap.ibb.gatech.edu -b
dc=ibb,dc=gatech,dc=edu 'uid=dr126'
ldap_initialize( ldap://ldap.ibb.gatech.edu )
filter: uid=dr126
requesting: ALL
# extended LDIF
#
# LDAPv3
# base <dc=ibb,dc=gatech,dc=edu> with scope sub
# filter: uid=dr126
# requesting: ALL
#

# dr126, People, ibb.gatech.edu
dn: uid=dr126,ou=People,dc=ibb,dc=gatech,dc=edu
uid: dr126
cn: Diego Julian Remolina
givenName: Diego Julian
sn: Remolina
mail: dr126@ibb.gatech.edu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 500
homeDirectory: /home/dr126
gecos: Diego Julian Remolina

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1


Additional info:

Comment 1 Walter Justen 2005-08-30 05:23:58 EDT

Thanks for the bug report. This particular bug has already been reported
into our bug tracking system, but please feel free to report any further
bugs you find.

*** This bug has been marked as a duplicate of 146815 ***

Note You need to log in before you can comment on or make changes to this bug.