[email protected] wrote:
> Full_Name: Jan Vcelak
> Version: master
> OS: Linux
> URL:
> ftp://ftp.openldap.org/incoming/jvcelak-20120518-update-nss-allow-ca-certdb-with-pem-ca-bundle.patch
> Submission from: (NULL) (209.132.186.34)
>
>
> With Mozilla NSS crypto backend:
>
> Prior to this patch, if TLS_CACERTDIR was set to Mozilla NSS certificate
> database and TLS_CACERT was set to a PEM bundle file with CA
> certificates, the PEM file content was not loaded.
>
> With this patch and the same settings, OpenLDAP can verify certificates
> which are signed by CAs stored both in certdb and PEM bundle file.

Thanks for the patch, added to master.

>
> This problem was found with FreeIPA which is setting CA PEM bundle using
> ldap_set_option(&ld, LDAP_OPT_X_TLS_CACERTFILE, ...), while TLS_CACERTDIR with
> certdb is set in system ldap.conf file.
>
>
> The attached file is derived from OpenLDAP Software. All of the modifications
> to OpenLDAP Software represented in the following patch(es) were developed by
> Red Hat. Red Hat has not assigned rights and/or interest in this work to any
> party.
> I, Jan Vcelak am authorized by Red Hat, my employer, to release this work
> under the following terms.
>
> Red Hat hereby place the following modifications to OpenLDAP Software (and
> only these modifications) into the public domain. Hence, these modifications
> may be freely used and/or redistributed for any purpose with or without
> attribution and/or other notice.
>
>

--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
