ldapsearch ignores TLS_CACERT from /etc/ldap/ldap.conf but gladly reads ~/.ldapcert.pem

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Could you post the complete ldapsearch command line you've used?

abo@ginnungagap:~$ cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=dsl,dc=dk
URI ldap://admin1.dsl.lan

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERT /etc/ssl/certs/cacert.pem
SSL start_tls

abo@ginnungagap:~$ ldapsearch -x -D "cn=admin,dc=dsl,dc=dk" -Z -W uid=abo cn
ldap_start_tls: Connect error (-11)
Enter LDAP Password:
ldap_result: Can't contact LDAP server (-1)

abo@ginnungagap:~$ cp /etc/ssl/certs/cacert.pem .ldapcert.pem

abo@ginnungagap:~$ ldapsearch -x -D "cn=admin,dc=dsl,dc=dk" -Z -W uid=abo cn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=dsl,dc=dk> (default) with scope subtree
# filter: uid=abo
# requesting: cn
#

# abo, people, dsl.dk
dn: uid=abo,ou=people,dc=dsl,dc=dk
cn: Anders Bruun Olsen

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Might just be a shot in the dark, but what are the permissions of
/etc/ssl/certs/cacert.pem?
 Can the abo user read the file?

Thanks.

--
Party On,
Adam

The file was copied by the user abo, so yes.

I'm also experiencing this same issue. My /etc/ssl/certs/cacert.pem is 0644 and owned by root:root on both my ldap server. Also it seems that my ldap servers are able to sync with each other over TLS/SSL but ldapsearch doesn't seem to work for unless I put "TLS_REQCERT allow" into ~/.ldaprc. I don't know how to set this globally since /etc/ldap.conf and /etc/ldap/ldap.conf seem to ignore this value. Also I don't know how I can get my ubuntu servers to use ldap for authentication over TLS/SSL until this issue is resolved.

[Expired for openldap (Ubuntu) because there has been no activity for 60 days.]