On Tue, Jan 12, 2021 at 10:47:22AM -0800, Ryan Tandy wrote:
> > On 2021-01-12 Andras Korn <korn-debb...@elan.rulez.org> wrote:
> > > I think I shouldn't need to specify `ldap_tls_cacert =
> > > /etc/ssl/certs/ca-certificates.crt` when using a Debian package, since
> > > this is the default location of trusted CA certificates in Debian.
> > > Configuration should only be necessary for non-default setups.
> >
> The libldap-common package ships a default /etc/ldap/ldap.conf which
> contains exactly this default TLS_CACERT value. It should be picked up
> automatically by programs using the library. If sssd does something to
> override that, I don't think libldap can be blamed.

OK, looking further, part of the problem is that I didn't have
libldap-common installed, thus no /etc/ldap/ldap.conf.

Since this (and the accompanying manpage) is all that libldap-common
contains: what's the rationale for having these in a separate package?

The libldap package only Recommends libldap-common (which is why I didn't
have it); however, it is libldap-common that enables the sensible defaults.
Why shouldn't libldap come with the sensible defaults itself?

András

-- 
For Sale: parachute, used once, never opened, small stain.
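
An added example, not part of the original thread or of any Debian package: a check for the situation discussed above, where /etc/ldap/ldap.conf is absent or sets no CA location, so libldap clients get no default trust anchor. The function names and status strings are hypothetical; only the system-wide file is inspected (not sssd's own `ldap_tls_cacert`, per-user files or environment variables), and it assumes a later line overrides an earlier one.

```python
import os


def parse_tls_ca_options(conf_text):
    """Return the TLS_CACERT / TLS_CACERTDIR values set in ldap.conf text."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are ignored
            continue
        parts = line.split(None, 1)           # option name, whitespace, value
        if len(parts) != 2:
            continue
        key = parts[0].upper()                # option names are case-insensitive
        if key in ("TLS_CACERT", "TLS_CACERTDIR"):
            found[key] = parts[1].strip()     # assumption: last occurrence wins
    return found


def check_ldap_conf(path="/etc/ldap/ldap.conf"):
    """Classify the CA configuration that libldap clients would inherit.

    Returns one of (hypothetical labels):
      "no-config"       the file does not exist (e.g. libldap-common not installed)
      "no-ca-setting"   the file exists but sets neither TLS_CACERT nor TLS_CACERTDIR
      "ca-path-missing" a CA location is configured but is not present on disk
      "ok"              a configured bundle or directory exists
    """
    if not os.path.isfile(path):
        return "no-config"
    with open(path, encoding="utf-8", errors="replace") as fh:
        opts = parse_tls_ca_options(fh.read())
    if not opts:
        return "no-ca-setting"
    bundle = opts.get("TLS_CACERT")
    if bundle and os.path.isfile(bundle) and os.path.getsize(bundle) > 0:
        return "ok"
    cadir = opts.get("TLS_CACERTDIR")
    if cadir and os.path.isdir(cadir):
        return "ok"
    return "ca-path-missing"


if __name__ == "__main__":
    print(check_ldap_conf())
```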