Package: libgnutls30
Version: 3.7.0-3
Severity: wishlist

Hi,

I was just bitten by https://github.com/SSSD/sssd/issues/5444. Briefly:

* sssd relies on libldap to query LDAP servers.
* libldap can be linked against libssl (openssl) or gnutls for SSL/TLS support.
* libssl supports an ldap_tls_cacertdir option; you can point it to /etc/ssl/certs and it'll trust all CA certificates that are in this directory.
* gnutls doesn't have this cacertdir mechanism and needs `ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt` instead.
* my sssd.conf only had ldap_tls_cacertdir, not ldap_tls_cacert; thus, gnutls didn't know which CA certificates to trust and failed to validate my LDAP server certificates.
* The root cause of the problem only became visible after enabling LDAP library debugging in sssd.conf.

I think I shouldn't need to specify `ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt` when using a Debian package, since this is the default location of trusted CA certificates in Debian. Configuration should only be necessary for non-default setups.

Best regards,
András

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (350, 'unstable'), (350, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Init: runit (via /run/runit.stopit)

-- no debconf information
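As an added check (not part of the bug report, nor code from the sssd or GnuTLS projects), a POSIX shell function that scans an sssd.conf for the situation described above: a section that sets ldap_tls_cacertdir but no ldap_tls_cacert, which a gnutls-linked libldap cannot use. The sample config and domain name in the demo are constructed.

```shell
#!/bin/sh
# Added check, not part of the bug report: flag an sssd.conf section that sets
# ldap_tls_cacertdir without ldap_tls_cacert. With a gnutls-linked libldap the
# cacertdir is ignored, so no CA is trusted and the LDAP TLS handshake fails.
# check_sssd_tls_ca FILE: prints one finding per affected section and returns
# 1 if any were found, 0 otherwise. Comments (#, ;) and blank lines are skipped.
check_sssd_tls_ca() {
    findings=$(awk '
        function report() {
            if (sect != "" && dir && !cert)
                printf "[%s]: ldap_tls_cacertdir set but ldap_tls_cacert missing\n", sect
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            report()
            sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/][ \t]*$/, "", sect)
            dir = 0; cert = 0; next
        }
        /^[ \t]*ldap_tls_cacertdir[ \t]*=/ { dir = 1; next }
        /^[ \t]*ldap_tls_cacert[ \t]*=/    { cert = 1; next }
        END { report() }
    ' "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Demo on a constructed sssd.conf resembling the one in the report (placeholder
# domain and LDAP URI; the bundle path is Debian's default ca-certificates file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
[sssd]
domains = example
[domain/example]
id_provider = ldap
ldap_uri = ldaps://ldap.example.invalid
ldap_tls_cacertdir = /etc/ssl/certs
EOF
check_sssd_tls_ca "$demo" || echo "-> add: ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt"
rm -f "$demo"
```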