@@ -575,7 +575,7 @@ nsdb_start_tls(LDAP *ld, const char *certfile, unsigned int *ldap_err)
return FEDFS_ERR_INVAL;
xlog(D_CALL, "%s: Using certfile %s", __func__, certfile);
- rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, certfile);
+ rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, certfile);
if (rc != LDAP_OPT_SUCCESS) {
xlog(D_GENERAL, "%s: Failed to set NSDB certificate: %s",
__func__, ldap_err2string(rc));
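Review bot: Passing `NULL` as the handle at line 5 — and again for LDAP_OPT_X_TLS_REQUIRE_CERT in the next hunk — turns the per-call `certfile` into process-wide state: every LDAP handle created afterwards inherits it, and two callers of nsdb_start_tls with different cert files running concurrently could have one handle's TLS context initialized from the other's CA file. The intent deserves a comment at the first call, e.g. `/* Global (ld == NULL) on purpose: ld's TLS context is built from the global settings when STARTTLS runs. This is a process-wide side effect. */`. If the OpenLDAP in use provides `LDAP_OPT_X_TLS_NEWCTX`, setting both options on `ld` and then `int is_server = 0; rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &is_server);` would keep them per-handle, which I would confirm against the library version the project builds against. nsdb_start_tls begins and ends outside the hunk.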
@@ -583,7 +583,7 @@ nsdb_start_tls(LDAP *ld, const char *certfile, unsigned int *ldap_err)
}
value = LDAP_OPT_X_TLS_HARD;
- rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &value);
+ rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &value);
if (rc != LDAP_OPT_SUCCESS) {
xlog(D_GENERAL, "%s: Failed to set "
"LDAP_OPT_X_TLS_REQUIRE_CERT: %s",
Use the CACERTFILE option, not the CERTFILE option when specifying our certificate file. This will cause the SSL library to use only the certificates specified in that file, rather than searching globally on the local system. LDAP_OPT_X_TLS_REQUIRE_CERT and LDAP_OPT_X_TLS_CACERTFILE must be set on the global LDAP descriptor. This is because the LDAP descriptor's SSL/TLS context is initialized from the global descriptor's settings. Without these two fixes, STARTTLS does not work. Introduced in commit 0520ee72 "Initial commit" Tue Mar 29 15:37:40 2011. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> --- src/libnsdb/ldap.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-)