Friday, September 20, 2013

TLS: warning: cacertdir not implemented for gnutls

I got this error recently while trying to use ldap utilities and libraries. In the debug output from an ldapsearch, I noticed the distinct error:
TLS: warning: cacertdir not implemented for gnutls
This error comes up when you try to use the TLS_CACERTDIR directive in your ldap configuration. Googling for answers was somewhat fruitless; the first complaints about the problem date back many years. People said it happened when the openldap packages were compiled against gnutls instead of openssl, and gnutls apparently does not support the tls_cacertdir option. The general consensus was therefore not to use that directive.

I didn't turn up anything about a fix. The current versions of the openldap packages are still broken all these years later. Although I expected to fail (there had to be a reason no one had done this before, right??), I tried the obvious solution and it worked.

$ mkdir /tmp/openldap
$ cd !$
$ sudo apt-get source openldap
$ sudo apt-get build-dep openldap
$ sudo apt-get install libssl-dev
$ sudo vim openldap-2.4.31/debian/configure.options

Change --with-tls=gnutls to --with-tls=openssl

$ sudo apt-get -b --no-download source openldap

Go have some lunch, mow the lawn, maybe a pub crawl. The incredible amount of hardcore testing that's been integrated into the build process is amazing, but it takes a while.

$ sudo dpkg --install ldap-utils_2.4.31-1ubuntu2.1_amd64.deb \
    libldap-2.4-2_2.4.31-1ubuntu2.1_amd64.deb \
    libldap2-dev_2.4.31-1ubuntu2.1_amd64.deb
$ ldapsearch -LLL -h ldap-server.example.com -D uid=andy,ou=foo,dc=example,dc=com -b dc=example,dc=com -ZZ -W uid=andy cn
Enter LDAP Password:
dn: uid=andy,ou=foo,dc=example,dc=com
cn: Andy Harrison

The other applications I was using that relied on the ldap libraries started working immediately as well.
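Two small helpers, added here as an example and not part of the original post, that cover both sides of this problem: one tells you which TLS backend a libldap build actually links against (so you can confirm the rebuild took), and the other concatenates a TLS_CACERTDIR-style directory into a single bundle for the TLS_CACERT directive, which both backends honour, for hosts where rebuilding is not an option. The libldap path in the comment is an assumption; adjust it to your distribution.

```shell
#!/bin/sh
# Added example (not the post's own code). POSIX sh.

# Classify the TLS backend of a libldap build from `ldd` output read on stdin.
# Prints "gnutls", "openssl" or "unknown". TLS_CACERTDIR only works with the
# openssl backend; with gnutls libldap logs the "cacertdir not implemented"
# warning and silently ignores the directory.
tls_backend_from_ldd() {
    ldd_output=$(cat)
    case "$ldd_output" in
        *libgnutls*) echo gnutls ;;
        *libssl*)    echo openssl ;;
        *)           echo unknown ;;
    esac
}

# Workaround for the gnutls case: merge every PEM file in directory $1 into
# bundle $2 so it can be referenced with "TLS_CACERT $2" in ldap.conf.
# Prints the number of files merged; skips the bundle itself if it lives in $1.
build_ca_bundle() {
    dir=$1
    out=$2
    : > "$out"
    n=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue          # unmatched glob stays literal; skip it
        [ "$f" = "$out" ] && continue    # never append the bundle to itself
        cat "$f" >> "$out"
        n=$((n + 1))
    done
    echo "$n"
}

# Usage on a real host (library path is an assumption for Ubuntu/amd64):
#   ldd /usr/lib/x86_64-linux-gnu/libldap-2.4.so.2 | tls_backend_from_ldd
#   build_ca_bundle /etc/ssl/certs /etc/ldap/ca-bundle.pem
# then replace "TLS_CACERTDIR /etc/ssl/certs" with
# "TLS_CACERT /etc/ldap/ca-bundle.pem" in ldap.conf and re-run ldapsearch -ZZ.
```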