quanah@zimbra.com wrote:
Full_Name: Quanah Gibson-Mount
Version: 2.4.x
OS: NA
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.111.29.239)
Both openssl and gnutls support loading CA certs from multiple directories. It would be handy to be able to do this for slapd and the ldap clients. For example, Zimbra puts its CA certs in /opt/zimbra/conf/ca, but the system it is installed upon is going to have a different default destination for where its ldap clients look for CA certs. By having support for multiple paths, the configuration can be adjusted to look in both the system location and any number of specialized ones.
In light of ITS#5582, this should probably wait until 2.5. I.e., we probably also want to require the OpenSSL default paths to be explicitly enabled when we allow multiple paths to be configured.
E.g. we could allow "DEFAULT" to be a specially recognized token for enabling the default path.