Project

General

Profile

Actions

Bug #8044

closed

LDAP authentication fails with a globally trusted root CA

Added by Jim Pingle about 7 years ago. Updated about 7 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
User Manager / Privileges
Target version:
Start date:
11/02/2017
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

The OpenLDAP client does not automatically look for and trust the global root CA list we have from ca_root_nss, linked at /etc/ssl/cert.pem

Furthermore it does not seem to want to read that list when passed its location as a CA directory. The certificates for LDAP are kept in /var/run which is limited in space, so making a copy of the global CA list there is not viable due to its limited space, and it can't be symlinked there because /var/run is a RAM disk and the original file is on another filesystem.

What appears to work is offering a "Global Root CA List" option as a CA choice for LDAP servers, and then setting LDAPTLS_CACERT=/etc/ssl/cert.pem. This also makes more sense because a server configured this way should not need to have its CA imported manually or selected specifically, since it should be trusted already.

This lets LDAP auth against a server using a trusted certificate from common providers such as Let's Encrypt.

To me, I have a patch.

Actions

Also available in: Atom PDF