>>
>> No problem. We've just merged the fix and backported it. I don't know when it
>> will ship in RHEL/CentOS, but I'm sure it will be soon in an upcoming update.
> Well i usually do not use rpms - we compile from git sources, i used them only
> to make a demo of the problem.
>
> Thanks for the commit, i have tested the fix. It resolves a half of the problem
> - indeed the TLS_REQCERT is now taken into account from
> /etc/openldap/ldap.conf. But the certificate bundle part (TLS_CACERT parameter
> or system bundle in its ansence) is still not taken into account. TLS_CACERT
> works correctly in dsconf 1.4.2 (and ldapsearch).
I think i have found the part of the code that causes ignoring TLS_CACERT: it's the file __init__.py, lines 997-999:
997 if certdir is None and self.isLocal:
998 certdir = self.get_cert_dir()
999 self.log.debug("Using dirsrv ca certificate %s", certdir)
if i comment these lines dsconf starts to take into account TLS_CACERT from /etc/openldap/ldap.conf as it should do. Looks like self.isLocal shoud not be true while it is, as a result a false certdir is taken:
DEBUG: Using dirsrv ca certificate /Local/dirsrv/etc/dirsrv/slapd-{instance_name}
DEBUG: Using external ca certificate /Local/dirsrv/etc/dirsrv/slapd-{instance_name}
DEBUG: Using external ca certificate /Local/dirsrv/etc/dirsrv/slapd-{instance_name}
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
No comments:
Post a Comment