fix: connection failure if TLS_CACERTDIR doesn't exist but TLS_REQCERT is set to 'never'

Resolves: #716854

openldap-nss-cacertdir-soft-error.patch

@@ -0,0 +1,68 @@
+Connection fails if TLS_CACERTDIR doesn't exist but TLS_REQCERT  is set to 'never'
+
+Resolves: #716854
+Author: Rich Megginson <rmeggins@redhat.com>
+Upstream: ITS #6975, git 7e528ae
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 911885d..7be703b 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1320,7 +1320,7 @@ static int
+ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir )
+ {
+ 	PRBool isca = PR_TRUE;
+-	PRStatus status = PR_FAILURE;
++	PRStatus status = PR_SUCCESS;
+ 	PRErrorCode errcode = PR_SUCCESS;
+ 
+ 	if ( !cacertfile && !cacertdir ) {
+@@ -1336,14 +1336,24 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
+ 				   "TLS: %s is not a valid CA certificate file - error %d:%s.\n",
+ 				   cacertfile, errcode,
+ 				   PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
++			/* failure with cacertfile is a hard failure even if cacertdir is
++			   also specified and contains valid CA cert files */
++			status = PR_FAILURE;
+ 		} else {
+ 			Debug( LDAP_DEBUG_TRACE,
+ 				   "TLS: loaded CA certificate file %s.\n",
+ 				   cacertfile, 0, 0 );
+-			status = PR_SUCCESS; /* have at least one good CA - we can proceed */
+ 		}
+ 	}
+ 
++	/* if cacertfile above failed, we will return failure, even
++	   if there is a valid CA cert in cacertdir - but we still
++	   process cacertdir in case the user has enabled trace level
++	   debugging so they can see the processing for cacertdir too */
++	/* any cacertdir failures are "soft" failures - if the user specifies
++	   no cert checking, then we allow the tls/ssl to continue, no matter
++	   what was specified for cacertdir, or the contents of the directory
++	   - this is different behavior than that of cacertfile */
+ 	if ( cacertdir ) {
+ 		PRFileInfo fi;
+ 		PRDir *dir;
+@@ -1397,7 +1407,6 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
+ 					Debug( LDAP_DEBUG_TRACE,
+ 						   "TLS: loaded CA certificate file %s from CA certificate directory %s.\n",
+ 						   fullpath, cacertdir, 0 );
+-					status = PR_SUCCESS; /* found at least 1 valid CA file in the dir */
+ 				} else {
+ 					errcode = PR_GetError();
+ 					Debug( LDAP_DEBUG_TRACE,
+@@ -1412,14 +1421,6 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
+ 	}
+ done:
+ 	if ( status != PR_SUCCESS ) {
+-		const char *fmtstr = NULL;
+-		if ( cacertfile && cacertdir ) {
+-			fmtstr = "TLS: did not find any valid CA certificates in %s or %s\n";
+-		} else {
+-			fmtstr = "TLS: did not find any valid CA certificates in %s%s\n";
+-		}
+-		Debug( LDAP_DEBUG_ANY, fmtstr, cacertdir ? cacertdir : "",
+-			   cacertfile ? cacertfile : "", 0 );
+ 		return -1;
+ 	}
+ 

openldap.spec

@@ -28,6 +28,7 @@ Patch5: openldap-smbk5pwd-overlay.patch
 Patch6: openldap-ldaprc-currentdir.patch
 Patch7: openldap-userconfig-setgid.patch
 Patch8: openldap-nss-nofork.patch
+Patch9: openldap-nss-cacertdir-soft-error.patch
 
 # patches for the evolution library (see README.evolution)
 Patch200: openldap-evolution-ntlm.patch
@@ -128,6 +129,7 @@ pushd openldap-%{version}
 %patch6 -p1 -b .ldaprc-currentdir
 %patch7 -p1 -b .userconfig-setgid
 %patch8 -p1 -b .nss-nofork
+%patch9 -p1 -b .nss-cacertdir-soft-error
 
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 
@@ -656,6 +658,8 @@ exit 0
 - enable ldapi:/// interface by default
 - set cn=config management ACLs for root user, SASL external schema (#712495)
 - fix: server scriptlets require initscripts package (#716857)
+- fix: connection fails if TLS_CACERTDIR doesn't exist but TLS_REQCERT
+  is set to 'never' (#716854)
 
 * Fri Mar 18 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.24-2
 - new: system resource limiting for slapd using ulimit