When using SSL with ldapsearch, the default is to demand certificate verification (see man ldap.conf, TLS_REQCERT). So, when no pointer to a certificate is specified in ldap.conf, this results in $ ldapsearch -H ldaps://ldap.example.com -x -LLL -b o=maintree -s base dn ldap_bind: Can't contact LDAP server (-1) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed which is normal behaviour. A workaround is to revert to the old behaviour by setting TLS_REQCERT to allow in /etc/openldap/ldap.conf, but in my case, I really want the demand setting. So, I created a directory /etc/openldap/ca-certs/ and put in the wanted ca-certs like explained in http://www.afp548.com/article.php?story=20071203011158936&mode=print My /etc/openldap/ldap.conf now looks like: TLS_REQCERT demand TLS_CACERTDIR /etc/openldap/ca-certs This made the ldapsearch command happy. However, after deleting all the ca-certs in /etc/openldap/ca-certs/ , the ldapsearch command is still happy which conflicts with the demand setting in /etc/openldap/ldap.conf! So basically, setting TLS_CACERTDIR to some existing directory (I also tested with an empty directory named /test ) is enough to make the ldapsearch command happy (just like setting TLS_REQCERT to allow). Reproducible: Always Steps to Reproduce: 1. create an empty directory /etc/openldap/ca-certs 2. put the following in /etc/openldap/ldap.conf TLS_REQCERT demand TLS_CACERTDIR /etc/openldap/ca-certs 3. ldapsearch -H ldaps://ldap.example.com -x -LLL -b o=maintree -s base dn Actual Results: the ldapsearch command happily queries the server Expected Results: the ldapsearch command should complain that certificate verify failed since no ca-certificate is installed in /etc/openldap/ca-certs # emerge --info Portage 2.1.4.4 (default-linux/x86/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24.2 i686) ================================================================= System uname: 2.6.24.2 i686 Intel(R) Pentium(R) 4 CPU 2.80GHz Timestamp of tree: Thu, 27 Mar 2008 07:00:02 +0000 app-shells/bash: 3.2_p17-r1 dev-java/java-config: 1.3.7, 2.1.4 dev-lang/python: 2.4.4-r9 dev-python/pycrypto: 2.0.1-r6 sys-apps/baselayout: 1.12.11.1 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.4_p6, 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.4.0-r4 sys-devel/libtool: 1.5.26 virtual/os-headers: 2.6.23-r3 ACCEPT_KEYWORDS="x86" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -mtune=i686 -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-O2 -mtune=i686 -pipe" DISTDIR="/data/linux/gentoo/distfiles" FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LANG="C" LINGUAS="en en_US en_GB nl de" MAKEOPTS="-j2" PKGDIR="/data/linux/gentoo/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/compile" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X a52 aac acl alsa apache2 apm berkdb cli cracklib crypt cups dri dvd dvdr dvdread encode esd exif fortran gdbm gif gnome gpm gstreamer gtk iconv imlib ipv6 isdnlog java jpeg ldap mad midi mikmod mmx mng mozilla mp3 mpeg mplayer mudflap ncurses nls nptl nptlonly nsplugin ogg opengl openmp oss pam pcre pdf perl png ppd pppd python qt qt3 qt4 quicktime readline reflection samba sdl session spell spl sse ssl svg tcpd tiff truetype unicode v4l v4l2 vcd vorbis wmf x86 xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse wacom" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_US en_GB nl de" USERLAND="GNU" VIDEO_CARDS="vesa fbdev i810 mga" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
It looks like this issue is solved in the current version of openldap. The LDAP server I use has an official certificate issued by Cybertrust (GTE CyberTrust Global Root), but still there is a softlink missing in /etc/ssl/certs which I had to create manually: # openssl x509 -hash -noout -in /etc/ssl/certs/GTE_CyberTrust_Global_Root.pem 4d654d1d # cd /etc/ssl/certs # ln -s GTE_CyberTrust_Global_Root.pem 4d654d1d.0 Now, /etc/ssl/certs should be specified as TLS_CACERTDIR in /etc/openldap/ldap.conf: # vi /etc/openldap/ldap.conf TLS_REQCERT demand TLS_CACERTDIR /etc/ssl/certs After this, the ldap utilities like ldapsearch are happy :) So, my conclusion is, there is a softlink missing in /etc/ssl/certs: 4d654d1d.0 -> GTE_CyberTrust_Global_Root.pem Looks like /etc/ssl/certs/GTE_CyberTrust_Global_Root.pem is not registered in the package database # q qfile /etc/ssl/certs/GTE_CyberTrust_Global_Root.pem but # ls -l /etc/ssl/certs/GTE_CyberTrust_Global_Root.pem lrwxrwxrwx 1 root root 65 sep 10 00:15 /etc/ssl/certs/GTE_CyberTrust_Global_Root.pem -> /usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt # q qfile /usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt app-misc/ca-certificates (/usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt) So I think app-misc/ca-certificates is missing the link or maybe openssl is missing the link since all other *.0 files are in the openssl package: # q qfile /etc/ssl/certs/*.0 dev-libs/openssl (/etc/ssl/certs/0481cb65.0) dev-libs/openssl (/etc/ssl/certs/0dbd0096.0) dev-libs/openssl (/etc/ssl/certs/1e49180d.0) dev-libs/openssl (/etc/ssl/certs/2edf7016.0) dev-libs/openssl (/etc/ssl/certs/2fb1850a.0) dev-libs/openssl (/etc/ssl/certs/56e607f4.0) dev-libs/openssl (/etc/ssl/certs/6adf0799.0) dev-libs/openssl (/etc/ssl/certs/7651b327.0) dev-libs/openssl (/etc/ssl/certs/7a9820c1.0) dev-libs/openssl (/etc/ssl/certs/843b6c51.0) dev-libs/openssl (/etc/ssl/certs/878cf4c6.0) dev-libs/openssl (/etc/ssl/certs/a3c60019.0) dev-libs/openssl (/etc/ssl/certs/aad3d04d.0) dev-libs/openssl (/etc/ssl/certs/bda4cc84.0) dev-libs/openssl (/etc/ssl/certs/c33a80d4.0) dev-libs/openssl (/etc/ssl/certs/cdd7aee7.0) dev-libs/openssl (/etc/ssl/certs/d4e39186.0) dev-libs/openssl (/etc/ssl/certs/ddc328ff.0) dev-libs/openssl (/etc/ssl/certs/f73e89fd.0) Anyway, the /etc/ssl/certs/4d654d1d.0 link is missing.
evert: please test per these instructions: 1. get rid of your manual softlink 2. emerge ca-certificates 3. etc-update 4. emerge ca-certificates 5. check for softlink again
I did: 1. rm /etc/ssl/certs/4d654d1d.0 2. emerge -av1 ca-certificates 3. etc-update 4. emerge -av1 ca-certificates 5. ls -ld /etc/ssl/certs/4d654d1d.0 ls: cannot access /etc/ssl/certs/4d654d1d.0: No such file or directory Note: /etc/ssl/certs/* belongs to dev-libs/openssl-0.9.8g-r2 /usr/share/ca-certificates/* belongs to app-misc/ca-certificates-20080514-r2 I think that is very strange too! I would expect both directories to belong to app-misc/ca-certificates!
/etc/ssl/certs as the directory belongs to openssl. The contents are symlinks into /usr/share/ca-certificates that are NOT owned by any package, but ARE create by the update-ca-certificates script called by postinst of ca-certificates. However, I do see the problem. If the hex symlink gets removed, but NOT the named one, update-ca-certificates doesn't run the rehash, causing the hash symlink not to get re-created. Fixed instructions: 1. rm -f /etc/ssl/certs/4d654d1d.0 /etc/ssl/GTE_CyberTrust_Global_Root.pem 2. emerge -av1 ca-certificates 3. etc-update 4. emerge -av1 ca-certificates 5. ls -ld /etc/ssl/certs/4d654d1d.0 You can skip 2+3 if it isn't an upgrade. The only reason I listed it twice was for old users that didn't get the postinst before.
Great! So in fact it would be better to get rid of /etc/ssl/certs completely and remerge openssl and ca-certificates? Well, after having done what you told me, I did: 1. mv /etc/ssl/certs /etc/ssl/certs.bak 2. emerge -av1 openssl ca-certificates 3. ls -ld /etc/ssl/certs/*.0 Isn't it possible to include those hash links as part of the package so those links are registered in the package database /var/db/pkg/*/*/CONTENTS ?
FYI, update-ca-certificates --fresh also fixes the symlinks!
No, we don't want the named or hash symlinks to be part of the CONTENTS, because the user may have other certificates that override them with update-ca-certificates. --fresh is an option, but only for manual runs, since it can kill any manually created symlinks. We need some way that it only removes ones it installed, as well as any that are broken symlinks.
I thought that's what CONFIG_PROTECT is for! But I see what you mean, portage ignores CONFIG_PROTECT for symlinks, also when mtime and/or "value" of the symlink differs from what is registered in the CONTENTS database. I think that's a problem of portage! The dead links part could be easily done like this: find /etc/ssl/certs/ -type l | (while read symlink; do [ -e "$symlink" ] || rm -- "$symlink"; done) Anyway, , I'm closing this bug since my problem is solved :) Thanx for the support!
evert: easier way to find broken symlinks: # find -L $DIR -type l
That's a lot easier indeed, thanx for the tip Robin! :)