+++ This bug was initially created as a clone of Bug #713525 +++

Description of problem:
With the latest openldap (RHEL6.1), ldapsearch or similar tools fail to contact the ldap server if there are no certificates in the /etc/openldap/cacerts directory. With the option "LDAPTLS_REQCERT never" the same command works well in the previous version(s) of openldap (openldap-2.4.19-15.el6_0.2 or older).

Version-Release number of selected component: openldap-2.4.23-15.el6.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Upgrade openldap to openldap-2.4.23-15.el6
2. Make sure the /etc/openldap/cacerts directory is empty
3. Run ldapsearch as shown below.

# LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://hostname:port -s base -b ""

Actual results:
ldapsearch fails with the following error.

ldap_connect_to_host: Trying 10.65.210.164:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: did not find any valid CA certificates in /etc/openldap/cacerts
TLS: could not initialize moznss using security dir /etc/openldap/cacerts prefix - error -8174.
TLS: could perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -5939:No more entries in the directory
TLS: can't create ssl handle.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Expected results:
No errors, ldapsearch returns the requested data.

Additional info:
Discussed with "Richard Megginson" on irc; as rich suggested, I tried removing the option TLS_CACERTDIR from the /etc/openldap/ldap.conf file and it fixed the issue.

--- Additional comment from rmeggins on 2011-06-16 19:04:39 CEST ---

*** Bug 713371 has been marked as a duplicate of this bug. ***

--- Additional comment from rmeggins on 2011-06-21 02:39:01 CEST ---

Patch submitted upstream: http://www.openldap.org/its/index.cgi?findid=6975

--- Additional comment from jvcelak on 2011-06-21 15:00:48 CEST ---

Thank you Rich. I have quickly tested the patch and it seems that the behavior is the same as with OpenSSL now.
(This issue is resolved in Rawhide with openldap-2.4.25-1.fc16.)
Fixed in openldap-2.4.24-3.fc15
openldap-2.4.24-3.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/openldap-2.4.24-3.fc15
Package openldap-2.4.24-3.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing openldap-2.4.24-3.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/openldap-2.4.24-3.fc15 then log in and leave karma (feedback).
openldap-2.4.24-3.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
Could you please submit an update for Fedora 14 as well? It seems that a backport of the F15 package (just removing the tmpfile.d stuff) should be OK...
(In reply to comment #6)
> Could you please submit an update for Fedora 14 as well?

This is not a critical issue and won't be updated in F14. The bug can be worked around by removing TLS_CACERTDIR from ldap.conf (~/.ldaprc).
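The failure in this bug needs two things at once: TLS_CACERTDIR set in ldap.conf (or ~/.ldaprc) and that directory being empty. The script below is an added example, not code from the bug report or from the openldap package; it checks an ldap.conf-style file for exactly that combination before an upgrade, and can emit a copy with TLS_CACERTDIR commented out, which is the workaround from comment 8. It assumes POSIX sh with awk, ls and mktemp, and the ldap.conf syntax of one "KEYWORD value" per line with '#' comments; the sample config it builds and the "demo" argument are constructed for the example. One caveat worth keeping in mind: a client running with TLS_REQCERT never (or LDAPTLS_REQCERT=never) does not verify the server certificate at all, so dropping TLS_CACERTDIR costs it nothing, but any client that does verify still needs a populated directory and should not use this workaround.

```shell
#!/bin/sh
# Preflight check for the failure in this bug: TLS_CACERTDIR pointing at a
# directory with nothing in it. Added example, not code from the bug report
# or from the openldap package. Assumes POSIX sh plus awk, ls and mktemp, and
# the ldap.conf syntax of one "KEYWORD value" per line with '#' comments.

# Print the value of TLS_CACERTDIR from an ldap.conf-style file (first
# occurrence; keyword match is case-insensitive as in ldap.conf), or nothing
# when the keyword is not set.
ldap_cacertdir() {
    awk 'substr($1, 1, 1) != "#" && toupper($1) == "TLS_CACERTDIR" { print $2; exit }' "$1"
}

# Exit status: 0 = config cannot trigger this bug, 1 = TLS_CACERTDIR names an
# existing directory with no entries (the condition in step 2 of the report),
# 2 = it names a path that does not exist at all.
check_ldap_conf() {
    conf=$1
    dir=$(ldap_cacertdir "$conf")
    if [ -z "$dir" ]; then
        echo "ok: $conf does not set TLS_CACERTDIR"
        return 0
    fi
    if [ ! -d "$dir" ]; then
        echo "warning: $conf sets TLS_CACERTDIR=$dir but it does not exist"
        return 2
    fi
    if [ -z "$(ls -A "$dir")" ]; then
        echo "fail: $conf sets TLS_CACERTDIR=$dir and it is empty (bug trigger)"
        return 1
    fi
    echo "ok: $conf sets TLS_CACERTDIR=$dir with $(ls -A "$dir" | wc -l | tr -d ' ') entries"
    return 0
}

# Write a copy of the config to stdout with every TLS_CACERTDIR line
# commented out, i.e. the workaround from comment 8 applied.
strip_cacertdir() {
    awk 'substr($1, 1, 1) != "#" && toupper($1) == "TLS_CACERTDIR" { print "# disabled (empty cacerts workaround): " $0; next } { print }' "$1"
}

# Demo on constructed files in a temporary directory: an empty cacerts
# directory like step 2 of the report, a config that points at it, and the
# same config with the workaround applied.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/cacerts"
    printf 'BASE dc=example,dc=com\nTLS_CACERTDIR %s\nTLS_REQCERT never\n' "$tmp/cacerts" > "$tmp/ldap.conf"
    check_ldap_conf "$tmp/ldap.conf" || true
    strip_cacertdir "$tmp/ldap.conf" > "$tmp/ldaprc"
    check_ldap_conf "$tmp/ldaprc"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh check_cacertdir.sh demo` to see both outcomes on the constructed files, or source it and call `check_ldap_conf /etc/openldap/ldap.conf` and `check_ldap_conf ~/.ldaprc` on a real host; a non-zero status from the system file with an empty /etc/openldap/cacerts is the state that reproduces the report.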