[EMAIL PROTECTED] via RT wrote:
Hi,
initial report at:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185080
Imho it's more an OpenSSL than an OpenLDAP client problem.
The use of TLS_CACERTDIR / TLSCACertificatePath is discouraged in all of
the OpenLDAP documentation.
See slapd.conf(5), ldap.conf(5) man pages, and the OpenLDAP Admin Guide
section 12.2: http://www.openldap.org/doc/admin23/tls.html
Regards,
Peter
Description of problem:
While tracking down why an LDAP-enabled postfix cannot look up via a TLS-enabled LDAP client, I found that the openssl function SSL_add_dir_cert_subjects_to_stack is very optimistic regarding the files found in a specified directory.
Version-Release number of selected component (if applicable):
openssl-0.9.7a-43.4
also openssl-0.9.7.i (latest 0.9.7 release)
also openssl-0.9.8.a (latest 0.9.8 release)
in conjunction with
openldap-2.2.13-4
also openldap-2.2.30 (latest 2.2 release)
also openldap-2.3.20 (latest 2.3 release)
How reproducible:
Always
Steps to Reproduce:
1. Create a directory for local PKI storage, e.g. /etc/pki
2. Store local CA, local server certificates and local keys into this directory
3. Set proper permissions to keys, e.g. chmod o-rwx *.key.pem
# ll /etc/pki/
total 120
lrwxrwxrwx 1 root root 23 Sep 14 15:42 592fcc04.0 -> ca.crt
-r--r--r-- 1 root root 1834 Sep 14 15:39 ca.crt
-r--r--r-- 1 root root 2529 Sep 14 15:39 AE-CA-Class4-2005-A.crt
-r-------- 1 root root 5875 Sep 14 15:45 ca+cert+key.pem
-r--r--r-- 1 root root 4196 Sep 14 16:07 ca+cert.pem
-r--r--r-- 1 root root 2362 Sep 14 15:37 cert.crt
-r--r----- 1 root root 4041 Sep 14 15:50 cert+key.pem
-r--r----- 1 root ldap 1679 Sep 14 15:37 key.pem
(note: group=ldap for LDAP server, which reads key file for server TLS after changing the user to "ldap")
4. Configure /etc/openldap/slapd.conf for TLS like
TLSCACertificateFile /etc/pki/ca.crt
TLSCACertificatePath /etc/pki
TLSCertificateFile /etc/pki/crt.crt
TLSCertificateKeyFile /etc/pki/key.pem
5. Configure /etc/openldap/ldap.conf related
URI ldaps://ldapserver/
#URI ldap://ldapserver/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/pki # <- important!
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
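The listing in the report shows the root of the trouble: a directory handed to TLS_CACERTDIR / TLSCACertificatePath contains private keys, cert+key bundles and files the unprivileged client cannot read, and OpenSSL's directory loader tries every entry it finds. As an added example (my own shell, not code from the bug report, from OpenSSL or from OpenLDAP), here is a small audit that flags every entry of such a directory that is not a world-readable certificate. The throwaway directory it builds mirrors the /etc/pki listing with constructed placeholder PEM bodies (not real certificates or keys), plus two extra files I added to exercise the remaining checks: a world-readable cert+key.pem and a stray notes.txt. The function names are my own.

```shell
#!/bin/sh
# Added example, not code from the bug report, OpenSSL or OpenLDAP.
# Audits a directory before it is used as TLS_CACERTDIR / TLSCACertificatePath.
# OpenSSL's SSL_add_dir_cert_subjects_to_stack() opens every entry it finds
# there, so anything that is not a readable CA certificate (a key, a cert+key
# bundle, a stray note, a file the client user cannot read) belongs elsewhere.

# check_cacertdir DIR: prints one "TAG: path" line per offending entry,
# returns 0 when the directory is clean and 1 otherwise.
check_cacertdir() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue           # empty directory leaves the glob literal
        # CA certificates are public. The "other" read bit (column 8 of the
        # ls -l mode string, symlinks followed with -L) being clear is a sign
        # that private material was dropped here, and an unprivileged client
        # such as postfix could not open the file anyway.
        if [ "$(ls -ldL "$f" | cut -c8)" != "r" ]; then
            echo "NOT-WORLD-READABLE: $f"
            rc=1
        elif grep -q 'PRIVATE KEY' "$f"; then
            echo "CONTAINS-PRIVATE-KEY: $f"
            rc=1
        elif ! grep -q 'BEGIN CERTIFICATE' "$f"; then
            echo "NOT-A-CERTIFICATE: $f"
            rc=1
        fi
    done
    return $rc
}

# count_findings DIR: number of offending entries, printed as a bare integer.
count_findings() {
    check_cacertdir "$1" | grep -c .
}

# make_demo_dir: builds a throwaway directory modelled on the report's
# /etc/pki listing. PEM bodies are constructed placeholders, not real
# certificates or keys. cert+key.pem and notes.txt are my additions.
make_demo_dir() {
    d=$(mktemp -d)
    cert='-----BEGIN CERTIFICATE-----
constructed placeholder, not a real certificate
-----END CERTIFICATE-----'
    key='-----BEGIN RSA PRIVATE KEY-----
constructed placeholder, not a real key
-----END RSA PRIVATE KEY-----'
    printf '%s\n' "$cert" > "$d/ca.crt";               chmod 0644 "$d/ca.crt"
    ln -s ca.crt "$d/592fcc04.0"                       # subject-hash link, as OpenSSL expects
    printf '%s\n' "$cert" > "$d/cert.crt";             chmod 0644 "$d/cert.crt"
    printf '%s\n%s\n' "$cert" "$cert" > "$d/ca+cert.pem"
    chmod 0644 "$d/ca+cert.pem"                        # bundle of certificates only: fine
    printf '%s\n' "$key" > "$d/key.pem";               chmod 0640 "$d/key.pem"
    printf '%s\n%s\n' "$cert" "$key" > "$d/ca+cert+key.pem"
    chmod 0400 "$d/ca+cert+key.pem"
    printf '%s\n%s\n' "$cert" "$key" > "$d/cert+key.pem"
    chmod 0644 "$d/cert+key.pem"                       # world-readable key: worst case
    printf 'notes about this PKI\n' > "$d/notes.txt"   # not PEM at all
    chmod 0644 "$d/notes.txt"
    echo "$d"
}

# Stand-alone run: audit the constructed directory, then remove it.
demo=$(make_demo_dir)
check_cacertdir "$demo" || echo "directory is not clean; do not use it as TLS_CACERTDIR"
rm -rf "$demo"
```

On the report's layout the audit flags key.pem and ca+cert+key.pem as not world-readable, and in my extended copy additionally cert+key.pem (contains a private key) and notes.txt (not a certificate), while ca.crt, its hash link, cert.crt and ca+cert.pem pass. The practical fix the man pages cited above already point to: keep the CA directory limited to CA certificates and their hash links, or point the client at a single CA file (TLS_CACERT / TLSCACertificateFile) instead of a directory.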
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]