[Bug 242313] Re: TLS_CACERTDIR not supported in gnutls
Nathan Stratton Treadway
ubuntu.lp at nathanst.com
Mon Feb 13 21:28:06 UTC 2012
As mentioned earlier in this bug report, the TLS_CACERTDIR configuration directive stopped working when the openldap packages were linked to the GNUTLS library. (At least in the Lucid version, the ldap.conf man page specifically mentions this issue:
TLS_CACERTDIR <path>
Specifies the path of a directory that contains Certificate
Authority certificates in separate individual files.
The TLS_CACERT is always used before TLS_CACERTDIR. This
parameter is ignored with GNUtls.
)
However, it's worth mentioning that when the Debian/Ubuntu ca-certificates
package (or more specifically, the "update-ca-certificates" script)
uses the user's "enabled certificate" configuration choices to
populate the /etc/ssl/certs directory, it also creates a single file,
/etc/ssl/certs/ca-certificates.crt, containing all of the trusted
certificates that it has processed.
So, if one is trying to just use the standard system-wide list of trusted certificates, changing the old config line from
TLS_CACERTDIR /etc/ssl/certs
into
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
should work as desired (with GNUTLS).
(It should be possible to do the same thing in /etc/ldap.conf for the
libpam-ldap/libpam-nss packages -- or in /etc/nslcd.conf for the nslcd
package -- though it seems like you have to spell it "TLS_CACERTFILE"
instead of "TLS_CACERT" there.)
Nathan
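An added illustration of the workaround described in the message above; this is example code written for this page, not code from the bug report, from OpenLDAP, or from the ca-certificates package. It does two things a practitioner migrating a GnuTLS-linked client would want: build a single PEM bundle from a directory of CA files (de-duplicating the hash-named copies that c_rehash / update-ca-certificates leave beside the originals), and rewrite a config so the directory directive becomes the file directive. The PEM blocks, directory layout, hostnames and paths in it are constructed for the demonstration and are not valid certificates.

```python
"""Migrate TLS_CACERTDIR (ignored by GnuTLS-linked OpenLDAP) to a TLS_CACERT bundle.

Example code added to this page; not from the bug report or any package.
Sample data below is constructed and the PEM blocks are NOT real certificates.
"""
import os
import re
import tempfile

# Constructed placeholders shaped like PEM certificates (base64 of a label).
FAKE_CERT_1 = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgMQ==\n"
    "-----END CERTIFICATE-----\n"
)
FAKE_CERT_2 = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgMg==\n"
    "-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.DOTALL
)


def extract_pem_certs(text):
    """Return the CERTIFICATE blocks found in text, normalised to LF endings."""
    return [b.replace("\r\n", "\n") for b in PEM_BLOCK.findall(text)]


def build_bundle(cert_dir, bundle_path):
    """Concatenate every distinct certificate in cert_dir into bundle_path.

    Hash-named entries (e.g. 1a2b3c4d.0) point at certs already present, so
    de-duplicate on PEM content, not on file name. Returns the count written.
    """
    seen = []
    for name in sorted(os.listdir(cert_dir)):
        path = os.path.join(cert_dir, name)
        if not os.path.isfile(path):          # follows symlinks, skips subdirs
            continue
        with open(path, "r", encoding="ascii", errors="replace") as f:
            for block in extract_pem_certs(f.read()):
                if block not in seen:
                    seen.append(block)
    with open(bundle_path, "w") as out:
        for block in seen:
            out.write(block + "\n")
    return len(seen)


def _first_token(line):
    tokens = line.split()
    return tokens[0].lower() if tokens else ""


def rewrite_conf(conf_text, bundle_path, file_keyword="TLS_CACERT",
                 dir_keyword="TLS_CACERTDIR"):
    """Replace the directory directive with a file directive naming bundle_path.

    TLS_CACERT is consulted before TLS_CACERTDIR, so if a file directive is
    already present the directory line is simply dropped. Keyword matching is
    case-insensitive because nslcd.conf spells its options in lowercase
    (tls_cacertdir / tls_cacertfile). Returns the rewritten text.
    """
    have_file_directive = any(
        _first_token(l) == file_keyword.lower() for l in conf_text.splitlines()
    )
    out = []
    for line in conf_text.splitlines():
        if _first_token(line) == dir_keyword.lower():
            if have_file_directive:
                continue
            line = f"{file_keyword} {bundle_path}"
            have_file_directive = True
        out.append(line)
    return "\n".join(out) + "\n"


def demo():
    """Build a constructed cert directory, bundle it, and rewrite two configs."""
    cert_dir = tempfile.mkdtemp(prefix="certs-")
    for name, body in (("ca1.pem", FAKE_CERT_1), ("ca2.pem", FAKE_CERT_2),
                       ("1a2b3c4d.0", FAKE_CERT_1),   # stand-in for a hash link
                       ("README", "not a certificate\n")):
        with open(os.path.join(cert_dir, name), "w") as f:
            f.write(body)
    os.mkdir(os.path.join(cert_dir, "subdir"))        # must be skipped
    bundle_path = os.path.join(cert_dir, "ca-certificates.crt")
    n = build_bundle(cert_dir, bundle_path)
    with open(bundle_path) as f:
        n_check = len(extract_pem_certs(f.read()))   # re-read to verify
    ldap_conf = rewrite_conf(
        "URI ldaps://ldap.example.com\nTLS_CACERTDIR /etc/ssl/certs\n", bundle_path)
    nslcd_conf = rewrite_conf(
        "uri ldaps://ldap.example.com\ntls_cacertdir /etc/ssl/certs\n", bundle_path,
        file_keyword="tls_cacertfile", dir_keyword="tls_cacertdir")
    return {"certs_in_bundle": n, "certs_reread": n_check,
            "bundle_path": bundle_path, "ldap_conf": ldap_conf,
            "nslcd_conf": nslcd_conf}


if __name__ == "__main__":
    result = demo()
    print(result["certs_in_bundle"], "certificates bundled")
    print(result["ldap_conf"], end="")
    print(result["nslcd_conf"], end="")
```

On a real system the bundle step is unnecessary when ca-certificates is installed, since update-ca-certificates already writes /etc/ssl/certs/ca-certificates.crt; the builder is there for directories populated by hand, where the hash links would otherwise double every certificate in a naive cat.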
https://bugs.launchpad.net/bugs/242313