As mentioned earlier in this bug report, the TLS_CACERTDIR configuration directive stopped working when the openldap packages were linked to the GNUTLS library. (At least in the Lucid version, the ldap.conf man page specifically mentions this issue:

    TLS_CACERTDIR <path>
        Specifies the path of a directory that contains Certificate
        Authority certificates in separate individual files. The
        TLS_CACERT is always used before TLS_CACERTDIR. This parameter
        is ignored with GNUtls.
)
However, it's worth mentioning that when the Debian/Ubuntu ca-certificates package (or more specifically, the "update-ca-certificates" script) uses the user's "enabled certificate" configuration choices to populate the /etc/ssl/certs directory, it also creates a single file, /etc/ssl/certs/ca-certificates.crt, containing all of the trusted certificates that it has processed.

So, if one is trying to just use the standard system-wide list of trusted certificates, changing the old config line from

    TLS_CACERTDIR /etc/ssl/certs

into

    TLS_CACERT /etc/ssl/certs/ca-certificates.crt

should work as desired (with GNUTLS).

(It should be possible to do the same thing in /etc/ldap.conf for the libpam-ldap/libpam-nss packages -- or in /etc/nslcd.conf for the nslcd package -- though it seems like you have to spell it "TLS_CACERTFILE" instead of "TLS_CACERT" there.)

Nathan

--
https://bugs.launchpad.net/bugs/242313
Title: TLS_CACERTDIR not supported in gnutls
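As an added example (not from the bug report or the openldap project), a small POSIX sh helper that applies the rewrite described above: it comments out TLS_CACERTDIR lines, which GnuTLS-linked libldap ignores, and inserts the single-file directive pointing at /etc/ssl/certs/ca-certificates.crt, using TLS_CACERT for libldap's ldap.conf or TLS_CACERTFILE for /etc/ldap.conf and /etc/nslcd.conf. The function names, the TLS_REQCERT check and the sample configuration in the test are assumptions added here.

```shell
#!/bin/sh
# Added example: migrate an ldap.conf-style file from the directory form of
# CA trust (TLS_CACERTDIR, ignored with GnuTLS) to the single bundle file
# that update-ca-certificates writes. Prints the result; the input is untouched.
#
# Usage: migrate_cacertdir <conf-file> <bundle-path> [keyword]
#   keyword defaults to TLS_CACERT (libldap ldap.conf); use TLS_CACERTFILE
#   for /etc/ldap.conf (libpam-ldap/libnss-ldap) and /etc/nslcd.conf.
migrate_cacertdir() {
    conf=$1 bundle=$2 keyword=${3:-TLS_CACERT}
    [ -r "$bundle" ] || echo "warning: $bundle is not readable on this host" >&2
    # Directive names are case-insensitive; nslcd.conf spells them lowercase.
    if grep -qi "^[[:space:]]*$keyword[[:space:]]" "$conf"; then have=1; else have=0; fi
    awk -v bundle="$bundle" -v kw="$keyword" -v have="$have" '
        toupper($1) == "TLS_CACERTDIR" {
            # Emit the single-file directive once, unless one already exists
            # (TLS_CACERT is consulted before TLS_CACERTDIR anyway).
            if (!have) { print kw " " bundle; have = 1 }
            print "# " $0 "   (ignored with GnuTLS; replaced by " kw ")"
            next
        }
        { print }
    ' "$conf"
}

# Companion check (assumption, not from the report): a missing CA is only
# noticed if the client still verifies the server certificate. Returns 0 for
# TLS_REQCERT demand/hard/try (or unset, which defaults to demand); returns 1
# for never/allow, which accept an unverifiable certificate silently.
check_reqcert() {
    level=$(awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) }
                 END { print (v == "" ? "demand" : v) }' "$1")
    case $level in
        never|allow)
            echo "warning: TLS_REQCERT $level disables certificate verification" >&2
            return 1 ;;
        *) return 0 ;;
    esac
}
```

Run it as `migrate_cacertdir /etc/ldap/ldap.conf /etc/ssl/certs/ca-certificates.crt > ldap.conf.new` and review the diff before installing the result.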