Created attachment 484213
Description of problem:
When setting TLSCACertificatePath to NSS DB, SSL/TLS does not work.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. install beakerlib
2. download attached test
3. bash runtest.sh
:: [ PASS ] :: No SSL/TLS
:: [ FAIL ] :: TLS (Expected 0, got 1)
:: [ FAIL ] :: SSL (Expected 0, got 255)
As you can see from the attached ldap.conf, TLS_CACERTDIR works fine with NSS DB, but TLSCACertificatePath does not (see slapd.conf). I am not sure that it is allowed to set this directive to NSS DB, since slapd.conf(5) does not contain any details about using NSS DB. But according to the Admin Guide, it should work.
Created attachment 519629
proposed fix for manual pages
Attaching proposed patch. All changes are pulled from upstream.
The changes target only ldap.conf(5) and slapd-config(5), not the obsoleted slapd.conf(5).
Fixed in openldap-2.4.23-18.el6
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
- slapd-config(5) and ldap.conf(5) manual pages contain incorrect information about TLS settings
- upstream patch applied, which updates TLS documentation relevant for Mozilla NSS crypto library
- slapd-config(5) and ldap.conf(5) contain more accurate information about TLS settings
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.