I already have problems with /etc/ssl/certs directory, when I use CACertDirs with a lot of certificates in the directory, it was awfully long to get the result, so I switch to CaCertFile instead ... And the problem is only with pam_ldap and not with ldapsearch (or the contrary, I don't remember), and the pam_ldap was linked against gnutls and ldapsearch linked against openssl ...
We experienced the same problem. The culprit turned out to be libldap2 (opposed to libldap-2.3-0), which has GNUTLS support patched in by Debian. To the contrary, ldapsearch is linked against libldap-2.3-0, which uses OpenSSL.
More precisely, the problem is get_ca_list() in libraries/libldap/tls.c. If you profile a test program like
#include <stdlib.h> #include <dirent.h> #include <stdio.h> #include <sys/param.h> #include <sys/stat.h> #include <gnutls/gnutls.h> gnutls_certificate_credentials_t ca_list;
int main(int argc, char *argv[]) { DIR *d; struct dirent *dent; char ca_file[MAXPATHLEN]; struct stat s; char *dir;
if (argc != 2) exit(1); dir = argv[1]; d = opendir(dir); if (d == NULL) exit(1); gnutls_global_init(); gnutls_certificate_allocate_credentials(&ca_list); while ((dent = readdir(d)) != NULL) { snprintf(ca_file, sizeof ca_file, "%s/%s", dir, dent->d_name); stat(ca_file, &s); if (!S_ISREG(s.st_mode)) continue; gnutls_certificate_set_x509_trust_file(ca_list, ca_file, GNUTLS_X509_FMT_PEM); } closedir(d); }
you see unreasonable amounts of time being spent in memory and string manipulation routines.
Not being an TLS/SSL expert, I'm wondering why you need to add all those certificates in the first place. I thought the whole point of all those <subject hash>.<serial> links in /etc/openssl/certs (or whatever) was that a client could find a CA certificate simply by hashing the subject.
Another pitfall is that libnss-ldap ignores the tls_cacert{file,dir} directives in libnss-ldap.conf unless "ssl on" is also given. So, if you set the URL to ldaps://..., you end up in OpenLDAP using SSL, but with the parameters given in ldap.conf, not those in libnss-ldap.conf. I've reported this to PADL Soft.