Your message dated Tue, 13 Jul 2010 21:32:10 +0200
with message-id <[email protected]>
and subject line Re: libldap2: /etc/ldap/ldap.conf should reference
/etc/ssl/certs/ca-certificates.crt
has caused the Debian Bug report #225597,
regarding libldap2: /etc/ldap/ldap.conf should reference
/etc/ssl/certs/ca-certificates.crt
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
225597: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=225597
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libldap2
Version: 2.1.23-1
Severity: normal
Debian includes a package called 'ca-certificates' which contains a
number of well-known CAs' certificates. Even if it is installed,
OpenLDAP doesn't use it unless the following line is added to
ldap.conf:
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
It took me a good deal of googling to determine that I had to
explicitly tell OpenLDAP where to find the CA certs. It might not be a
bad idea to add that line to /etc/ldap/ldap.conf.
I think it's safe to add the line even if ca-certificates isn't
installed -- when I moved /etc/ssl/certs/ca-certificates.crt out of
the way and tried running ldapsearch, it worked fine for a non-ssl
search, and failed with a ssl search (which is what I expected).
If it is deemed that adding a reference to a non-existent file is a
bad idea, I would suggest that the line should be added, annotated,
and commented out. Like this:
### Uncomment the following line to tell OpenLDAP where to find CA
### certificates. Be sure to install the package 'ca-certificates' prior
### to uncommenting this line.
# TLS_CACERT /etc/ssl/certs/ca-certificates.crt
(I'd suggest that ca-certificates's postinst script could add the
line, but that sounds like it would be too complicated -- unless the
package does that for other packages' conf files.)
-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux bigbox 2.4.20-3-686 #1 Sun Jul 27 18:13:41 EST 2003 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages libldap2 depends on:
ii libc6 2.3.2.ds1-10 GNU C Library: Shared libraries an
ii libgnutls7 0.8.12-3.1 GNU TLS library - runtime library
ii libsasl2 2.1.15-6 Authentication abstraction library
-- no debconf information
--- End Message ---
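Added example (not part of the bug report or of any Debian package): a shell check for the three states the report above describes, namely no active TLS_CACERT line, a line naming a missing file, and a working bundle. The function names and return codes are choices made for this example, as is the rule that a later TLS_CACERT line wins over an earlier one.

```shell
#!/bin/sh
# Added example: audit an ldap.conf for the TLS_CACERT setting.
# Return codes (chosen for this example):
#   0 bundle configured and contains PEM certificates
#   1 no active TLS_CACERT line (absent or commented out)
#   2 TLS_CACERT names a missing or unreadable file
#   3 file is readable but holds no PEM certificate

# Print the value of the active TLS_CACERT line. Keywords are matched
# case-insensitively; lines starting with '#' never match. Assumption:
# if the keyword appears twice, the later line is the one reported.
ldap_cacert_path() {
    awk 'tolower($1) == "tls_cacert" && NF >= 2 {
             line = $0
             sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)   # drop the keyword
             sub(/[ \t]+$/, "", line)                # drop trailing blanks
             path = line
         }
         END { if (path != "") print path }' "$1"
}

check_ldap_tls_ca() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "$conf: cannot read configuration file" >&2
        return 1
    fi
    bundle=$(ldap_cacert_path "$conf")
    if [ -z "$bundle" ]; then
        echo "$conf: no active TLS_CACERT line"
        return 1
    fi
    if [ ! -r "$bundle" ]; then
        echo "$conf: TLS_CACERT names $bundle, which is missing or unreadable"
        return 2
    fi
    # grep -c exits non-zero on zero matches; keep the count either way.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "$count" -eq 0 ]; then
        echo "$conf: $bundle contains no PEM certificates"
        return 3
    fi
    echo "$conf: TLS_CACERT=$bundle ($count certificates)"
    return 0
}
```

After sourcing the file, run it as: check_ldap_tls_ca /etc/ldap/ldap.conf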
--- Begin Message ---
Closing this bug, reasons outlined by Torsten Landschoff above.
--- End Message ---