--On Wednesday, September 30, 2020 11:47 PM +0000 paul.jc@yahoo.com wrote:
One more update: I edited /etc/openldap/ldap.conf to test TLS_CACERT /etc/openldap/certs/ca.crt and it works with that config. I also re-read the documentation and clarified for myself that if either of these (TLS_CACERT or TLS_CACERTDIR) are NOT set in ldap.conf, that is when the system certs are used, so I believe I definitely want this set in ldap.conf. I suppose the question now is why didn't this work for me with TLS_CACERTDIR but does with TLS_CACERT?
With OpenSSL, the CA Cert directory needs to contain relevant hashes for each CA cert if you want to use the TLS_CACERTDIR setting. I don't know whether or not your CA directory contains those.
I would note that (at least for RHEL7), Red Hat kept a moznss "bridge" patch so that the certificate code would continue to work as it did with moznss. https://git.centos.org/rpms/openldap/blob/c7/f/SOURCES/openldap-tlsmc.patch
Regards,
Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
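The hash-link requirement Quanah describes is easy to verify on the client before touching ldap.conf. The script below is an added example, not part of this thread or of OpenLDAP: it inspects a candidate TLS_CACERTDIR and reports whether it holds the `<subject_hash>.<n>` entries OpenSSL actually looks up, whether any of those entries dangle, and which PEM certificates are present only under an unhashed name such as ca.crt (the situation that makes TLS_CACERT work while TLS_CACERTDIR silently fails). The three sample directories it builds, the placeholder certificate body and the hash names `8d33f237` and `deadbeef` are all constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# OpenSSL resolves CA certificates in a TLS_CACERTDIR by file name only:
# <8 hex digits of the subject hash>.<sequence number>, e.g. "8d33f237.0".
# Those names are created by `openssl rehash DIR` (older releases: `c_rehash DIR`).
# A directory that merely contains "ca.crt" is never consulted.
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def looks_like_pem_cert(path: Path) -> bool:
    """True if the file (following symlinks) starts with a PEM certificate header."""
    try:
        with path.open("r", errors="replace") as fh:
            return fh.read(64).lstrip().startswith(PEM_HEADER)
    except OSError:
        return False


def check_cacertdir(cadir: str) -> dict:
    """Report whether a directory is usable as an OpenSSL TLS_CACERTDIR.

    hashed   - hash-named entries that resolve to a PEM certificate
    dangling - hash-named entries whose target is missing or not a certificate
    unhashed - PEM certificates no hash-named entry points at (ignored by OpenSSL)
    ok       - at least one usable hash entry and nothing dangling
    """
    root = Path(cadir)
    hashed, dangling, unhashed = [], [], []
    covered = set()  # resolved paths reachable through a hash-named entry
    for entry in sorted(root.iterdir()):
        if HASH_LINK.match(entry.name):
            # Path.exists() follows symlinks, so a dangling link reports False.
            if entry.exists() and looks_like_pem_cert(entry):
                hashed.append(entry.name)
                covered.add(entry.resolve())
            else:
                dangling.append(entry.name)
    for entry in sorted(root.iterdir()):
        if HASH_LINK.match(entry.name):
            continue
        if entry.is_file() and looks_like_pem_cert(entry) and entry.resolve() not in covered:
            unhashed.append(entry.name)
    return {
        "hashed": hashed,
        "dangling": dangling,
        "unhashed": unhashed,
        "ok": bool(hashed) and not dangling,
    }


def build_demo_dirs() -> tuple:
    """Construct three sample directories under a temp root (constructed test data).

    rehashed - ca.crt plus the hash link `openssl rehash` would create
    bare     - only ca.crt, the layout that makes TLS_CACERTDIR fail
    stale    - a hash link whose target certificate has been removed
    The certificate body is a placeholder, not a real CA certificate.
    """
    fake_pem = PEM_HEADER + "\nMIIB...constructed placeholder...\n-----END CERTIFICATE-----\n"
    base = Path(tempfile.mkdtemp(prefix="cacertdir-demo-"))

    good = base / "rehashed"
    good.mkdir()
    (good / "ca.crt").write_text(fake_pem)
    os.symlink("ca.crt", good / "8d33f237.0")  # hash name is an arbitrary example value

    bad = base / "bare"
    bad.mkdir()
    (bad / "ca.crt").write_text(fake_pem)  # no hash link: OpenSSL will not find it

    stale = base / "stale"
    stale.mkdir()
    os.symlink("old-ca.crt", stale / "deadbeef.0")  # target never created: dangling

    return str(good), str(bad), str(stale)


if __name__ == "__main__":
    for d in build_demo_dirs():
        r = check_cacertdir(d)
        status = "usable" if r["ok"] else "NOT usable as TLS_CACERTDIR"
        print(f"{d}: {status}; hashed={r['hashed']} unhashed={r['unhashed']} dangling={r['dangling']}")
```

Run it against the real directory by calling `check_cacertdir("/etc/openldap/certs")` instead of the demo dirs. If it reports the CA only under `unhashed`, running `openssl rehash /etc/openldap/certs` (or checking the expected name with `openssl x509 -noout -subject_hash -in ca.crt`) creates the link that TLS_CACERTDIR needs; a `dangling` entry means a certificate was replaced or removed without rehashing and should be cleaned up before trusting the directory again.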