Bug#266865: ldap.conf does not support the TLS_CACERT directive, but .ldaprc does



Package: ldap-utils
Version: 2.1.30-2


Even though the man page of ldap.conf states that TLS_CACERT is not a user-only directive, it seems that this option is not supported
when specified in ldap.conf.

I've done the following experiment:

%------------------------------------------------
[15:12:12]root@smith root# cat /etc/ldap/ldap.conf
BASE dc=grid5000,dc=net
URI ldaps://neo

TLS_CERT /etc/ldap/CA-cert.pem
TLS_REQCERT demand

[15:12:12]root@smith root# cat ~/.ldaprc
cat: /root/.ldaprc: No such file or directory

(By default, I'll use TLS):
[15:13:07]root@smith root# ldapsearch -x
ldap_bind: Can't contact LDAP server (81)
additional info: Error in the certificate.
%--------------------------------------------------

Now, if I create a $HOME/.ldaprc file containing
TLS_CERT /etc/ldap/CA-cert.pem
everything goes well:

[15:16:06]root@smith root# cat ~/.ldaprc
TLS_CACERT /etc/ldap/CA-cert.pem

(by default, I'll use TLS):
[15:16:13]root@smith root# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1


This is always reproducible.
I suggest correcting this problem, or stating in the man page that this is a user-only option.

Best regards


--
Sébastien VARRETTE |\/\/\/\/\/|
-------------------------------- | |
Ph.D student in Computer Science | __ __|
ID-IMAG Laboratory - Univ. of Luxembourg | / \/ \
(Grenoble, FRANCE) (LUXEMBOURG) | (o )o )
---------------------------------- /C \__/ --.
Mail : Sebastien.Varrette@xxxxxxx \_ , -'
Web : http://www-id.imag.fr/~svarrett/ | '\_______)
Phone : +33 (O)6 74 57 90 05 | _)
---------------------------- | |
Computing Security Research /`-----'\
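As an added example, not part of the bug report above and not OpenLDAP code: a small Python model of how an OpenLDAP client assembles its TLS settings from the system-wide ldap.conf and a per-user ~/.ldaprc. The syntax rules (blank lines ignored, `#` comment lines, leading white space continues the previous line, case-insensitive directive names) and the user-only rule (TLS_CERT and TLS_KEY are ignored in the system-wide file) are taken from ldap.conf(5); the sample files, the merge function and the `tls_findings` checker are constructed here to show which directives end up in effect and why an ldaps:// bind with TLS_REQCERT demand needs a TLS_CACERT somewhere the library will read it.

```python
"""Model of how an OpenLDAP client builds its TLS settings from ldap.conf(5)
files: the system-wide file is read first, then a per-user ldaprc overrides
it.  Rules from ldap.conf(5): blank lines ignored, '#' lines are comments,
a line starting with white space continues the previous line, directive
names are case-insensitive, and user-only directives (TLS_CERT, TLS_KEY)
are ignored in the system-wide file.  Everything else (sample files, the
checker) is constructed for this example; it is not OpenLDAP's own code."""
import re

USER_ONLY = {"TLS_CERT", "TLS_KEY"}      # ldap.conf(5): user-only directives
WEAK_REQCERT = {"never", "allow"}        # modes that skip server cert verification

# Constructed samples, shaped like the files quoted in the report above.
SYSTEM_LDAP_CONF = """\
# /etc/ldap/ldap.conf (constructed sample)
BASE    dc=grid5000,dc=net
URI     ldaps://neo

TLS_CERT     /etc/ldap/CA-cert.pem
TLS_REQCERT  demand
"""
USER_LDAPRC = """\
# ~/.ldaprc (constructed sample)
TLS_CACERT   /etc/ldap/CA-cert.pem
"""


def logical_lines(text):
    """Join continuation lines (leading white space) onto the previous line."""
    out = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out


def parse_ldap_conf(text, user_file):
    """Parse one file into ({DIRECTIVE: value}, [user-only directives dropped]).

    user_file=False means the system-wide file, where user-only directives
    are silently ignored, as ldap.conf(5) describes.
    """
    settings, ignored = {}, []
    for line in logical_lines(text):
        if not line.strip() or line.startswith("#"):
            continue
        m = re.match(r"\s*(\S+)\s+(.+?)\s*$", line)
        if not m:
            continue                                  # directive without a value
        name, value = m.group(1).upper(), m.group(2)
        if name in USER_ONLY and not user_file:
            ignored.append(name)
            continue
        settings[name] = value
    return settings, ignored


def effective_settings(system_text, user_text):
    """Merge the two files the way the library does: user values override."""
    sys_cfg, ignored = parse_ldap_conf(system_text, user_file=False)
    usr_cfg, _ = parse_ldap_conf(user_text, user_file=True)
    merged = dict(sys_cfg)
    merged.update(usr_cfg)
    return merged, ignored


def tls_findings(settings, ignored):
    """Explain why a TLS bind would fail to verify the server, or be unsafe."""
    findings = []
    for name in ignored:
        findings.append("%s in the system-wide file is user-only and ignored; "
                        "put it in ~/.ldaprc" % name)
    reqcert = settings.get("TLS_REQCERT", "demand").lower()   # demand is the default
    uses_tls = settings.get("URI", "").lower().startswith("ldaps://")
    has_anchor = "TLS_CACERT" in settings or "TLS_CACERTDIR" in settings
    if uses_tls and reqcert not in WEAK_REQCERT and not has_anchor:
        findings.append("URI is ldaps:// and TLS_REQCERT is '%s', but no TLS_CACERT "
                        "or TLS_CACERTDIR is in effect: there is no configured trust "
                        "anchor to verify the server certificate against" % reqcert)
    if reqcert in WEAK_REQCERT:
        findings.append("TLS_REQCERT '%s' skips server certificate verification; "
                        "use 'demand' together with a TLS_CACERT" % reqcert)
    return findings


if __name__ == "__main__":
    # First with no ~/.ldaprc at all, then with the user file present.
    for user_text in ("", USER_LDAPRC):
        cfg, dropped = effective_settings(SYSTEM_LDAP_CONF, user_text)
        print("effective:", cfg)
        for f in tls_findings(cfg, dropped):
            print("  -", f)
```

Running it with the empty user file reports that TLS_CERT in the system-wide file is dropped and that no trust anchor is in effect; adding the ~/.ldaprc with TLS_CACERT leaves only the first finding. The same parser can be pointed at real files to see which directives the library will actually honour from each location.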