Public bug reported: In my environment we have deployed an OpenLDAP server secured with SSL and a private certificate authority. When installing the libnss-ldap or libnss-ldapd packages the configurator prompts for several values which it uses to configure the respective files. Unfortunately the resulting configuration does not work.
There are several seemingly inter-related issues at play here:

* As mentioned in passing in bug #70146, there is a problem where SSL does not work with tls_checkpeer enabled when using the "uri" directive instead of the "host" directive to specify LDAP servers.

* To aggravate the above, the LDAP configuration tool that runs when installing libnss-ldap or libnss-ldapd uses the "uri" directive instead of the "host" directive when writing a new ldap.conf or nss_ldap.conf. Since the default value of tls_checkpeer is enabled, the result is a broken system.

* gnutls does not appear to support the "tls_cacertdir" directive, though this is not documented anywhere. Since libnss-ldap and libnss-ldapd appear to be using gnutls, this causes failures when trying to use the tls_cacertdir directive.

Thus there is only one working combination of directives to use a fully functional and verified SSL connection:

    host ldap.example.com
    tls_checkpeer yes
    tls_cacertfile /etc/ssl/certs/localca.pem

** Affects: libnss-ldap (Ubuntu)
     Importance: Undecided
         Status: New

--
SSL Certificates not recognized properly with certain LDAP configuration choices
https://bugs.launchpad.net/bugs/241128
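The report boils down to three directive combinations that produce an unverified or non-working SSL connection. The following is an added example, not part of the bug report or of the libnss-ldap packages: a small lint that parses an ldap.conf/nss_ldap.conf and flags exactly the combinations the reporter describes (uri together with tls_checkpeer enabled, tls_cacertdir under gnutls, and peer checking with no CA configured at all). The two sample configurations are constructed; the default of tls_checkpeer being enabled is taken from the report.

```python
"""Lint a pam_ldap/nss_ldap style ldap.conf for the directive combinations
the bug report says break SSL peer verification (added example, not from the
report or the package)."""

# Constructed sample: what the report says the package configurator writes
# (uri plus the enabled-by-default tls_checkpeer), with tls_cacertdir added.
BROKEN_CONF = """
# /etc/ldap.conf (constructed sample)
base dc=example,dc=com
uri ldaps://ldap.example.com/
tls_checkpeer yes
tls_cacertdir /etc/ssl/certs
"""

# Constructed sample: the single combination the report found to work.
WORKING_CONF = """
base dc=example,dc=com
host ldap.example.com
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/localca.pem
"""


def parse_ldap_conf(text):
    """Return {directive: [values...]} for 'directive value' lines.

    '#' starts a comment, blank lines are skipped, directive names are
    case-insensitive, and a repeated directive keeps every occurrence.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def truthy(value):
    return value.strip().lower() in ("yes", "on", "true", "1")


def lint(text):
    """Return a list of findings; an empty list means none of the reported
    failure combinations is present."""
    conf = parse_ldap_conf(text)
    findings = []

    # The report states tls_checkpeer defaults to enabled, so an absent
    # directive counts as peer checking being on. The last occurrence wins.
    checkpeer = truthy(conf["tls_checkpeer"][-1]) if "tls_checkpeer" in conf else True

    if "uri" in conf and checkpeer:
        findings.append(
            "uri with tls_checkpeer enabled: reported not to verify; "
            "use the 'host' directive instead")
    if "tls_cacertdir" in conf:
        findings.append(
            "tls_cacertdir: reported unsupported with the gnutls build; "
            "point tls_cacertfile at the CA certificate instead")
    if checkpeer and "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
        findings.append(
            "tls_checkpeer enabled but no CA certificate configured; "
            "the server certificate cannot be verified")
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONF), ("working", WORKING_CONF)):
        print(name, lint(text) or ["ok"])
```

Run against a real file with `lint(open("/etc/ldap.conf").read())`; the point is that the installer-generated configuration is flagged while the reporter's working combination passes cleanly.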