On Wed, May 07, 2014 at 09:42:33AM +0200, Hallvard Breien Furuseth wrote: > On 05/06/2014 05:26 PM, Andrew D. Arenson wrote: > > (...) if I set > > TLS_CACERTDIR to /etc/openldap/certs, which has the cert8.db file, but > > as far as I can tell has no actuall certificates in that database, ldap > > search tells me, surprisingly, that the server's certificate _IS_ > > verified. > > > > How is openldap verifying my server's certificate? > > Maybe this is a variant of ITS#5582: Setting TLS_CACERT to any > certificate.pem file also tells OpenSSL to check the system's > standard installed certs. OpenLDAP should have a separate > option for that, or the opposite - an option not to do that. Thanks. I didn't find an option for turning on/off the use of a system's standard installed certs. Are you saying that you think something like that _does_ exist, or that you simply think it should?