As mentioned earlier in this bug report, the TLS_CACERTDIR configuration 
directive stopped working when the openldap packages were linked to the GNUTLS 
library.  (At least in the Lucid version, the ldap.conf man page specifically 
mentions this issue:
       TLS_CACERTDIR <path>
              Specifies  the path of a directory that contains Certifi‐
              cate Authority certificates in separate individual files.
              The TLS_CACERT is always used before TLS_CACERTDIR.  This
              parameter is ignored with GNUtls.
)

However, it's worth mentioning that when the Debian/Ubuntu ca-
certificates package (or more specifically, the "update-ca-certificates"
script) uses the user's "enabled certificate" configuration choices to
populate the /etc/ssl/certs directory, it also creates a single file,
/etc/ssl/certs/ca-certificates.crt, containing all of the trusted
certificates that it has processed.

So, if one is trying to just use the standard system-wide list of trusted 
certificates, changing the old config line from
  TLS_CACERTDIR /etc/ssl/certs
into 
  TLS_CACERT /etc/ssl/certs/ca-certificates.crt
should work as desired (with GNUTLS).

(It should be possible to do the same thing in /etc/ldap.conf for the
libpam-ldap/libpam-nss packages -- or in /etc/nslcd.conf for the nslcd
package -- though it seems like you have to spell it "TLS_CACERTFILE"
instead of "TLS_CACERT" there.)


Nathan
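The following is an added example, not part of Nathan's comment or of the openldap or ca-certificates packages. It is a small POSIX sh helper that performs the migration he describes: it finds a TLS_CACERTDIR line in an ldap.conf-style file, checks that the update-ca-certificates bundle (ca-certificates.crt) in that directory actually exists and holds at least one PEM certificate, and only then rewrites the line to point at the bundle. The keyword argument follows the comment above: TLS_CACERT for ldap.conf, and (as an assumption taken from the comment's "it seems like") TLS_CACERTFILE for pam_ldap's /etc/ldap.conf and nslcd.conf. The demo function builds a constructed config and a constructed bundle in a temporary directory; the certificate contents are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not from the bug report: migrate TLS_CACERTDIR <dir> to a
# single-bundle directive, refusing to do so when the bundle is missing/empty.

# count_certs FILE: number of PEM certificates in FILE (0 if it does not exist).
count_certs() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true   # grep -c exits 1 on zero matches
}

# migrate_cacertdir CONFIG KEYWORD: rewrite every "TLS_CACERTDIR <dir>" line in
# CONFIG to "KEYWORD <dir>/ca-certificates.crt". KEYWORD is TLS_CACERT for the
# OpenLDAP ldap.conf; TLS_CACERTFILE (assumed, per the comment) for pam_ldap's
# /etc/ldap.conf and for nslcd.conf. Returns 1 if no TLS_CACERTDIR line is
# present and 2 if the bundle is absent or contains no certificates.
migrate_cacertdir() {
    config=$1; keyword=$2
    dir=$(awk '$1 == "TLS_CACERTDIR" { print $2; exit }' "$config")
    [ -n "$dir" ] || { echo "no TLS_CACERTDIR directive in $config"; return 1; }
    bundle="$dir/ca-certificates.crt"
    n=$(count_certs "$bundle")
    [ "$n" -gt 0 ] || {
        echo "bundle $bundle missing or empty; run update-ca-certificates first"
        return 2
    }
    tmp="$config.tmp"
    awk -v kw="$keyword" -v b="$bundle" \
        '$1 == "TLS_CACERTDIR" { print kw, b; next } { print }' "$config" > "$tmp" \
        && mv "$tmp" "$config"
}

# demo: constructed sample (placeholder certificate bodies, not real certs).
# Creates a temp dir holding a two-certificate bundle and an ldap.conf that
# still uses TLS_CACERTDIR, migrates it, and prints the resulting directive.
demo() {
    d=$(mktemp -d)
    i=0
    while [ "$i" -lt 2 ]; do
        printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER-%s\n-----END CERTIFICATE-----\n' "$i" \
            >> "$d/ca-certificates.crt"
        i=$((i + 1))
    done
    printf 'BASE dc=example,dc=com\nURI ldaps://ldap.example.com\nTLS_CACERTDIR %s\n' "$d" > "$d/ldap.conf"
    migrate_cacertdir "$d/ldap.conf" TLS_CACERT >/dev/null
    grep '^TLS_CACERT ' "$d/ldap.conf"
}
```

Usage on a real system would be `migrate_cacertdir /etc/ldap/ldap.conf TLS_CACERT` after `update-ca-certificates` has populated /etc/ssl/certs; the bundle check is what keeps a GnuTLS-linked client from silently ending up with an empty trust store, which is the failure mode the bug is about.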

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/242313

Title:
  TLS_CACERTDIR not supported in gnutls
