Hi all,
something I've found is that the openldap behaviour I've described really depends on the openldap version. With versions older than 2.4.44-15 (in SL) openldap only knows about the Mozilla DB, whereas in newer versions it falls back to OpenSSL and openldap then reads the certificates from the PKI store. IOW, with newer openldap there's no need to create the Mozilla DB.
# ldapsearch -d1 -x -H ldaps://ldapserver:3269 -b dc=domain,dc=com
ldap_url_parse_ext(ldaps://ldapserver:3269)
ldap_create
ldap_url_parse_ext(ldaps://ldapserver:3269/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapserver:3269
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 1.2.3.4:3269
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/cacerts'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/cacerts'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap` prefix `cacerts`.
tlsmc_open_nssdb: WARN: could not initialize MozNSS context - error -8015.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 0, subject: /DC=com/DC=domain/CN=[....]
TLS certificate verification: depth: 1, err: 0, subject: /DC=com/DC=domain/CN=[...]
TLS certificate verification: depth: 0, err: 0, subject: /CN=ldapserver/emailAddress=[...]
ing CA 01
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
HTH,
Arnau
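The trace above is the thing to read when deciding whether an NSS DB is still required: the `tlsmc_*` lines say which TLS backend ended up in use, and the `TLS certificate verification` lines say whether each link of the chain verified. The script below is an added example for triaging such a trace, not part of Arnau's post or of OpenLDAP. The two traces it operates on are constructed excerpts modelled on the one above (subjects are placeholders); the failure case assumes a missing intermediate CA, which OpenSSL reports as error 20 (unable to get local issuer certificate).

```shell
#!/bin/sh
# Added example (not from the original post): triage an `ldapsearch -d1` TLS trace.
# Reports (a) whether the MozNSS compatibility shim gave up on the NSS DB and
# continued with OpenSSL, (b) how many chain depths failed verification, and
# (c) whether the connection was established.

# Constructed excerpt modelled on the trace in the post; subjects are placeholders.
GOOD_TRACE='tlsmc_open_nssdb: WARN: could not initialize MozNSS context - error -8015.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLS certificate verification: depth: 2, err: 0, subject: /DC=com/DC=domain/CN=Root CA
TLS certificate verification: depth: 1, err: 0, subject: /DC=com/DC=domain/CN=Issuing CA 01
TLS certificate verification: depth: 0, err: 0, subject: /CN=ldapserver
ldap_open_defconn: successful'

# Constructed failure case: the intermediate CA is not in the PKI store, so
# OpenSSL reports err 20 (unable to get local issuer certificate) at depth 1
# and the bind never reaches ldap_open_defconn.
BAD_TRACE='tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLS certificate verification: depth: 1, err: 20, subject: /DC=com/DC=domain/CN=Issuing CA 01
TLS certificate verification: depth: 0, err: 0, subject: /CN=ldapserver'

# tls_backend TRACE: prints "openssl" when the shim handed off to OpenSSL,
# otherwise "moznss-or-unknown" (the trace has no positive marker for that case).
tls_backend() {
    if printf '%s\n' "$1" | grep -q 'Continuing with OpenSSL only'; then
        echo openssl
    else
        echo moznss-or-unknown
    fi
}

# verify_failures TRACE: prints the number of "TLS certificate verification"
# lines whose err field is non-zero, i.e. the chain depths that failed.
verify_failures() {
    printf '%s\n' "$1" \
      | sed -n 's/^TLS certificate verification: depth: [0-9]*, err: \([0-9]*\),.*/\1/p' \
      | grep -vc '^0$' || true
}

# bind_succeeded TRACE: exit 0 iff the connection was opened.
bind_succeeded() {
    printf '%s\n' "$1" | grep -q 'ldap_open_defconn: successful'
}

# Stand-alone run: summarise both constructed traces.
for trace in "$GOOD_TRACE" "$BAD_TRACE"; do
    if bind_succeeded "$trace"; then status=connected; else status=not-connected; fi
    echo "backend=$(tls_backend "$trace") verify_failures=$(verify_failures "$trace") $status"
done
```

Pipe a real trace in with `ldapsearch -d1 ... 2>&1 | sed -n '/^TLS/p;/^tlsmc/p;/^ldap_open_defconn/p'` and feed it to the functions. A non-zero `verify_failures` with `backend=openssl` means the OpenSSL fallback worked but the CA chain is not in the PKI store the fallback reads, which is a different fix from recreating the NSS DB.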