+++ This bug was initially created as a clone of Bug #742023 +++

Description of problem:
openldap clients, e.g. ldapsearch, and software linked with openldap libraries, e.g. Apache mod_authnz_ldap, fail to connect to servers when using TLS.

Version-Release number of selected component (if applicable):
openldap-2.4.23-15.el6_1.3.x86_64

How reproducible:
Always

Steps to Reproduce:
1. ldapsearch -x -H ldaps://ldap.example.com -b dc=example -Z "cn=joe" cn

Actual results:
ldap_start_tls: Connect error
additional info: TLS error -8172

Expected results:
cn: User, Joe

Additional info:
The config file /etc/openldap/ldap.conf packaged with openldap does not contain an entry for the certificate bundle, e.g. ca-certificates-2010.63-3.el6_1.5.noarch shipped with RHEL6. Adding an entry

TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

fixes the problem, at least where the server certificate authority is included in the bundle. In previous versions of RHEL, e.g. RHEL5, openldap did not seem to check certificate chains, so that a default install worked. (The Apache module mod_authnz_ldap returns no details in /var/log/httpd/*, which makes diagnosis difficult.)
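The failure in the report comes down to a client configuration with no trust anchor: without TLS_CACERT (or TLS_CACERTDIR) in ldap.conf, libldap has nothing to verify the server certificate against and the handshake is rejected. The following audit script is an added example, not code from the report or from the openldap package; it parses an ldap.conf-style text, reports a missing trust anchor or a TLS_REQCERT setting that merely hides verification failures, and applies the fix named above. The two configurations in it are constructed samples, with the CA bundle path taken from the report.

```python
"""Audit an OpenLDAP client ldap.conf for the TLS trust problem in this report.

Without TLS_CACERT or TLS_CACERTDIR the client cannot build a chain for the
server certificate, so ldapsearch -Z / ldaps:// fails. The configs below are
constructed samples (not the files from the report); the bundle path is the
one the reporter used.
"""

# ldap.conf(5) options that set the client's trust anchor.
TRUST_OPTIONS = ("TLS_CACERT", "TLS_CACERTDIR")


def parse_ldap_conf(text):
    """Parse ldap.conf-style text into a dict of OPTION -> value.

    Per ldap.conf(5): one 'option value' per line, lines starting with '#'
    are ignored, option names are case-insensitive (upper-cased here), and a
    later occurrence overrides an earlier one.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        options[key] = value
    return options


def audit_tls_trust(text):
    """Return a list of findings; an empty list means the trust setup is sound."""
    opts = parse_ldap_conf(text)
    findings = []
    if not any(opts.get(k) for k in TRUST_OPTIONS):
        findings.append(
            "no TLS_CACERT/TLS_CACERTDIR: the server certificate cannot be "
            "verified, so StartTLS/ldaps connections fail (TLS error -8172 in the report)"
        )
    # OpenLDAP defaults TLS_REQCERT to 'demand'; 'never'/'allow' silence the
    # verification failure instead of fixing the missing trust anchor.
    reqcert = opts.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(
            f"TLS_REQCERT {reqcert}: certificate verification failures are ignored, "
            "which hides the missing trust anchor rather than fixing it"
        )
    return findings


def fix_missing_cacert(text, bundle="/etc/pki/tls/certs/ca-bundle.crt"):
    """Append TLS_CACERT pointing at the distribution CA bundle if no anchor is set.

    Idempotent: a config that already has a trust anchor is returned unchanged.
    """
    if any(parse_ldap_conf(text).get(k) for k in TRUST_OPTIONS):
        return text
    return text.rstrip("\n") + f"\nTLS_CACERT {bundle}\n"


# Constructed sample resembling the packaged ldap.conf the reporter describes:
# the only TLS_CACERT line is commented out, so there is no trust anchor.
BROKEN_CONF = """\
# LDAP Defaults
BASE   dc=example
URI    ldaps://ldap.example.com
#TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
"""

FIXED_CONF = fix_missing_cacert(BROKEN_CONF)

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {audit_tls_trust(conf) or ['ok']}")
```

Running the script prints one finding for the broken sample and `ok` for the fixed one. The TLS_REQCERT check is there because `TLS_REQCERT never` is the tempting workaround for error -8172; it makes the connection succeed but drops server authentication, so the audit flags it rather than treating it as a fix.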
Proposed solution:
(1) Use Mozilla NSS tools (certutil, modutil) to generate the server certificate during installation instead of using OpenSSL tools. The database location will be /etc/openldap/certdb.
(2) Load the libnssckbi.so module into the database. This makes the builtin root certificates available, as requested.
(3) Make the default slapd configuration use the certificate from this location.
(4) Make the default ldap.conf use the certificates from that location.
Created attachment 560689
script for generating certdb and server certificate

The script will be placed in /usr/libexec/slapd as the other scripts; it will be called from the specfile.
Created attachment 560691
simple tests for certdb generated by the proposed script

Decompress, place ./setup-certificates.sh into the same directory, run the tests.
Some changes will be necessary. The script has to be split, because we need the client libraries to work with builtin certificates without -servers package.
Resolved in openldap-2.4.29-1.fc17
openldap-2.4.29-1.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/openldap-2.4.29-1.fc17
Package openldap-2.4.29-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openldap-2.4.29-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1755/openldap-2.4.29-1.fc17
then log in and leave karma (feedback).
openldap-2.4.29-3.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/openldap-2.4.29-3.fc17
Package openldap-2.4.29-3.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openldap-2.4.29-3.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2113/openldap-2.4.29-3.fc17
then log in and leave karma (feedback).
openldap-2.4.29-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.