sca+openldap@andreasschulze.de wrote:
Full_Name: Andreas Schulze
Version: RE24 testing call (2.4.45)
OS: Linux
URL: ftp://ftp.openldap.org/incoming/andreas-schulze-20170211.patch
Submission from: (NULL) (2001:a60:f0b4:e502:80b6:610b:8fc2:abfe)
As discussed on the technical ML, it's uncommon to put chain certificates in TLSCACertificateFile or TLSCACertificatePath.
It is explicitly documented. http://www.openldap.org/doc/admin24/tls.html Section 16.2.1.1.
You may argue that it is uncommon for people to read the docs but that doesn't constitute a software bug.
In case of an intermediate CA like "Let's Encrypt Authority X3" it may be wrong because the user is forced to /TRUST/ that intermediate for an unrelated purpose.
That doesn't follow. The file used by slapd is only used to authenticate LDAP clients.
There is no bug here, this ITS is invalid.