TLS: Use system trusted CA store by default

Resolves: #1270678, #1537259
2018-02-11 20:01:37 +01:00 · 2018-02-11 20:01:37 +01:00 · bdec46fdaf
commit bdec46fdaf
parent 44d9f0fe1b
2 changed files with 12 additions and 4 deletions
--- a/ldap.conf
+++ b/ldap.conf
@ -12,7 +12,10 @@
 #TIMELIMIT	15
 #DEREF		never

-TLS_CACERTDIR	/etc/openldap/certs
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by TLS_CACERTDIR one has to include them explicitly:
+#TLS_CACERT	/etc/pki/tls/cert.pem

 # Turning this off breaks GSSAPI used with krb5 when rdns = false
 SASL_NOCANON	on
--- a/slapd.ldif
+++ b/slapd.ldif
@ -9,9 +9,14 @@ cn: config
 #
 # TLS settings
 #
-olcTLSCACertificatePath: /etc/openldap/certs
-olcTLSCertificateFile: "OpenLDAP Server"
-olcTLSCertificateKeyFile: /etc/openldap/certs/password
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by oclTLSCACertificatePath one has to include them explicitly:
+#olcTLSCACertificateFile: /etc/pki/tls/cert.pem
+#
+# Private cert and key are not pregenerated.
+#olcTLSCertificateFile:
+#olcTLSCertificateKeyFile:

 #
 # Do not enable referrals until AFTER you have a working directory