Bug #8044
Status: Closed
LDAP authentication fails with a globally trusted root CA
100% done
Description
The OpenLDAP client does not automatically look for and trust the global root CA list we have from ca_root_nss, linked at /etc/ssl/cert.pem.
Furthermore, it does not seem to want to read that list when its location is passed as a CA directory. The certificates for LDAP are kept in /var/run, which is limited in space, so making a copy of the global CA list there is not viable, and it can't be symlinked there because /var/run is a RAM disk and the original file is on another filesystem.
What appears to work is offering a "Global Root CA List" option as a CA choice for LDAP servers, and then setting LDAPTLS_CACERT=/etc/ssl/cert.pem. This also makes more sense, because a server configured this way should not need to have its CA imported manually or selected specifically, since it should be trusted already.
This lets LDAP auth work against a server using a trusted certificate from common providers such as Let's Encrypt.
To me, I have a patch.
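The trust behaviour described in the report, reproduced offline as an added shell example (this is not code from bug #8044 or from pfSense). It assumes an OpenSSL 1.1.0-or-newer `openssl` binary and constructs its own throwaway roots, a server certificate, and a bundle file standing in for /etc/ssl/cert.pem; the names and paths are all invented for the example. It then verifies the server certificate the ways the report discusses: against the bundle as a CA file (what LDAPTLS_CACERT, i.e. TLS_CACERT in ldap.conf, selects), against a directory that merely contains the bundle (what the reporter tried; OpenSSL's directory lookup opens files named by subject hash, which is why ldap.conf(5) says a TLS_CACERTDIR directory must be managed with c_rehash), against that same directory after rehashing (still fails, because rehash skips files holding more than one certificate), and against a one-certificate-per-file directory that has been rehashed.

```shell
#!/bin/sh
# Added example, not code from bug #8044 or pfSense. Assumes OpenSSL >= 1.1.0
# (for `openssl rehash` and the -no-CAfile/-no-CApath flags). Every certificate
# below is constructed on the fly; nothing touches the network or /etc/ssl.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the self-signed roots carry basicConstraints CA:true
# no matter which system openssl.cnf (if any) is installed.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Constructed trust anchor. Called twice: once for the root that issues the
# LDAP server cert, once for an unrelated root so the bundle holds several.
make_root() {  # $1 = file prefix, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Constructed server certificate for the (hypothetical) LDAP host, issued by "ca".
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=ldap.example.test" -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/ldap.pem" 2>/dev/null
}

setup() {
  make_root other "Unrelated Root"
  make_root ca "Example Trusted Root"
  make_server_cert
  # bundle.pem stands in for /etc/ssl/cert.pem: many roots concatenated in one file.
  cat "$WORK/other.pem" "$WORK/ca.pem" > "$WORK/bundle.pem"
}

# Verify ldap.pem using only the given trust source; prints "ok" or "fail".
# $1 is -CAfile (what LDAPTLS_CACERT / TLS_CACERT maps to) or
# -CApath (what TLS_CACERTDIR maps to); $2 is the file or directory.
verify_with() {
  if openssl verify -no-CAfile -no-CApath "$1" "$2" "$WORK/ldap.pem" 2>/dev/null | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}

# 1. The approach in the report: hand the bundle over as a CA *file*.
verify_cafile() { verify_with -CAfile "$WORK/bundle.pem"; }

# 2. What the reporter tried: the bundle dropped into a CA *directory*.
#    Directory lookup opens <subject_hash>.N, so an unhashed bundle.pem is never read.
verify_unhashed_dir() {
  mkdir -p "$WORK/dir_bundle" && cp "$WORK/bundle.pem" "$WORK/dir_bundle/"
  verify_with -CApath "$WORK/dir_bundle"
}

# 3. Rehashing that directory does not help: rehash only links files that
#    contain exactly one certificate or CRL, so a multi-cert bundle is skipped.
verify_rehashed_bundle_dir() {
  mkdir -p "$WORK/dir_bundle_hashed" && cp "$WORK/bundle.pem" "$WORK/dir_bundle_hashed/"
  openssl rehash "$WORK/dir_bundle_hashed" 2>/dev/null || true
  verify_with -CApath "$WORK/dir_bundle_hashed"
}

# 4. The directory form that works: one PEM per CA, then `openssl rehash`.
verify_hashed_dir() {
  mkdir -p "$WORK/dir_split" && cp "$WORK/other.pem" "$WORK/ca.pem" "$WORK/dir_split/"
  openssl rehash "$WORK/dir_split" 2>/dev/null
  verify_with -CApath "$WORK/dir_split"
}

setup
echo "CAfile  bundle.pem                : $(verify_cafile)"               # ok
echo "CApath  dir containing bundle.pem : $(verify_unhashed_dir)"         # fail
echo "CApath  same dir after rehash     : $(verify_rehashed_bundle_dir)"  # fail
echo "CApath  one PEM per CA, rehashed  : $(verify_hashed_dir)"           # ok
```

The first and last cases are the two configurations OpenLDAP's TLS_CACERT and TLS_CACERTDIR actually support; the middle two are why pointing a CA directory at the bundle, with or without a rehash, leaves the server untrusted. Pointing LDAPTLS_CACERT at the bundle file avoids the copy-into-/var/run problem entirely, since the file is read in place.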
Updated by Jim Pingle about 7 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset 87c67243c2cab5fd3e51d17df96ed5ac04bff799.
Updated by Jim Pingle about 7 years ago
- Status changed from Feedback to Resolved