>>
>> No problem. We've just merged the fix and backported it. I don't know when it
>> will ship in RHEL/CentOS, but I'm sure it will be soon in an upcoming update.
> Well i usually do not use rpms - we compile from git sources, i used them only
> to make a demo of the problem.
>
> Thanks for the commit, i have tested the fix. It resolves a half of the
> problem
> - indeed the TLS_REQCERT is now taken into account from
> /etc/openldap/ldap.conf. But the certificate bundle part (TLS_CACERT parameter
> or system bundle in its ansence) is still not taken into account. TLS_CACERT
> works correctly in dsconf 1.4.2 (and ldapsearch).
I think i have found the part of the code that causes ignoring TLS_CACERT: it's
the file __init__.py, lines 997-999:
997 if certdir is None and self.isLocal:
998 certdir = self.get_cert_dir()
999 self.log.debug("Using dirsrv ca certificate %s", certdir)
if i comment these lines dsconf starts to take into account TLS_CACERT from
/etc/openldap/ldap.conf as it should do. Looks like self.isLocal shoud not be
true while it is, as a result a false certdir is taken:
DEBUG: Using dirsrv ca certificate
/Local/dirsrv/etc/dirsrv/slapd-{instance_name}
DEBUG: Using external ca certificate
/Local/dirsrv/etc/dirsrv/slapd-{instance_name}
DEBUG: Using external ca certificate
/Local/dirsrv/etc/dirsrv/slapd-{instance_name}
_______________________________________________
389-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
