As mentioned earlier in this bug report, the TLS_CACERTDIR configuration directive stopped working when the openldap packages were linked to the GNUTLS library. (At least in the Lucid version, the ldap.conf man page specifically mentions this issue:

TLS_CACERTDIR <path>
Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. The TLS_CACERT is always used before TLS_CACERTDIR. This parameter is ignored with GNUtls.
)
However, it's worth mentioning that when the Debian/Ubuntu ca-certificates package (or more specifically, the "update-ca-certificates" script) uses the user's "enabled certificate" configuration choices to populate the /etc/ssl/certs directory, it also creates a single file, /etc/ssl/certs/ca-certificates.crt, containing all of the trusted certificates that it has processed.
So, if one is trying to just use the standard system-wide list of trusted certificates, changing the old config line from
TLS_CACERTDIR /etc/ssl/certs
into
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
should work as desired (with GNUTLS).
(It should be possible to do the same thing in /etc/ldap.conf for the libpam-ldap/libpam-nss packages -- or in /etc/nslcd.conf for the nslcd package -- though it seems like you have to spell it "TLS_CACERTFILE" instead of "TLS_CACERT" there.)
Nathan
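The edit Nathan describes, as an added example that is not part of the bug report: a small Python helper that rewrites any active TLS_CACERTDIR line to the single-file directive (TLS_CACERT for OpenLDAP's client ldap.conf, TLS_CACERTFILE for /etc/ldap.conf and /etc/nslcd.conf, as the comment notes), leaves commented-out lines alone, and counts the PEM certificates in a bundle so you can confirm the file update-ca-certificates produced is actually populated before pointing clients at it. The sample config and bundle below are constructed, and the path /etc/ldap/ldap.conf for OpenLDAP's client config is an assumption (the usual Debian location), not something the report states.

```python
import re

# Constructed sample of an OpenLDAP client config; not a file from the report.
SAMPLE_LDAP_CONF = """\
# /etc/ldap/ldap.conf (constructed sample)
BASE   dc=example,dc=com
URI    ldaps://ldap.example.com
#TLS_CACERTDIR /etc/ssl/certs   <- commented out, must be left alone
TLS_CACERTDIR /etc/ssl/certs
TLS_REQCERT demand
"""

# Constructed PEM bundle with two fake, truncated certificate bodies.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIB...fake-cert-one...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...fake-cert-two...
-----END CERTIFICATE-----
"""

# Active (uncommented) TLS_CACERTDIR lines; ldap.conf keywords are case-insensitive.
CACERTDIR_RE = re.compile(r"^(\s*)TLS_CACERTDIR\s+\S+.*$", re.IGNORECASE)
# One complete PEM certificate block.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----", re.DOTALL)


def count_pem_certs(bundle_text):
    """Number of complete PEM certificate blocks in a bundle string."""
    return len(PEM_CERT_RE.findall(bundle_text))


def directive_for(conf_path):
    """Pick the single-file CA directive name from the config file's path.

    Assumed Debian locations: /etc/ldap/ldap.conf is OpenLDAP's client config
    and takes TLS_CACERT; /etc/ldap.conf (pam_ldap/nss_ldap) and
    /etc/nslcd.conf take TLS_CACERTFILE, as the bug report comment notes.
    """
    if conf_path in ("/etc/ldap.conf", "/etc/nslcd.conf"):
        return "TLS_CACERTFILE"
    return "TLS_CACERT"


def migrate_cacertdir(conf_text, directive="TLS_CACERT",
                      bundle="/etc/ssl/certs/ca-certificates.crt"):
    """Rewrite every active TLS_CACERTDIR line to a single-file directive.

    Comment lines and all other directives are passed through unchanged.
    Returns (new_text, number_of_lines_replaced).
    """
    out, replaced = [], 0
    for line in conf_text.splitlines(keepends=True):
        m = CACERTDIR_RE.match(line)
        if m:
            out.append(f"{m.group(1)}{directive} {bundle}\n")
            replaced += 1
        else:
            out.append(line)
    return "".join(out), replaced


if __name__ == "__main__":
    # Refuse to switch clients to an empty bundle: with GnuTLS the directory
    # is ignored, so an empty file would mean no trust anchors at all.
    n_certs = count_pem_certs(SAMPLE_BUNDLE)
    if n_certs == 0:
        raise SystemExit("bundle contains no certificates; not migrating")
    new_conf, n = migrate_cacertdir(
        SAMPLE_LDAP_CONF, directive=directive_for("/etc/ldap/ldap.conf"))
    print(f"bundle holds {n_certs} certificate(s); replaced {n} line(s)")
    print(new_conf)
```

Run it against a real file by reading the config into `conf_text` and the bundle into `bundle_text`; the check that the bundle is non-empty matters because with GnuTLS an empty TLS_CACERT file leaves the client with no trust anchors rather than falling back to the directory.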