Control: tag -1 moreinfo
Hello,
On Tue, Jan 12, 2021 at 07:04:41PM +0100, Andreas Metzler wrote:
On 2021-01-12 Andras Korn <[email protected]> wrote:
I think I shouldn't need to specify `ldap_tls_cacert =
/etc/ssl/certs/ca-certificates.crt` when using a Debian package, since
this is the default location of trusted CA certificates in Debian.
Configuration should only be necessary for non-default setups.
The libldap-common package ships a default /etc/ldap/ldap.conf which
contains exactly this default TLS_CACERT value. It should be picked up
automatically by programs using the library. If sssd does something to
override that, I don't think libldap can be blamed.
GnuTLS offers a sane compile default for the trust store (See
gnutls_x509_trust_list_add_system_trust()), which can be used by the
application. - I have therefore retitled the bug.
From the upstream bug report:
2021-01-12 17:52:00.657730500 [be[ldap]] [sss_ldap_debug] (0x4000): libldap:
TLS: warning: cacertdir not implemented for gnutls
GnuTLS has supported using a directory instead of a file since version
3.3.6 (released 2014-07-23), so it looks like a missing thing in libldap.
There are two things here:
1. libldap 2.4.x indeed does not support TLS_CACERTDIR when linked with
GnuTLS. This is fixed in the 2.5 branch. (ITS#8155)
2. It is intentional by upstream that *no* CA certificates are used when
there is no explicit TLS_CACERT or TLS_CACERTDIR configured. There's
some discussion about this in ITS#5582. (Bearing in mind that in Debian
we *do* configure a default TLS_CACERT in ldap.conf).
<https://bugs.openldap.org/show_bug.cgi?id=5582>
Is there still something you think needs to be changed or fixed in the
libldap package?
thanks,
Ryan