= System Wide Change: OpenLDAP defaults to use only Shared System Certificates =
https://fedoraproject.org/wiki/Changes/OpenLDAPdefaultSharedSystemCertifi...
Change owner(s):
* Matus Honek <mhonek AT redhat DOT com>
To move forward with the adoption of SharedSystemCertificates [1],
after this change OpenLDAP clients and server will default to using only
the system-wide certificate store.
== Detailed Description ==
Currently, OpenLDAP defaults to trusting CA certificates located in
/etc/openldap/certs. In order to comply with SharedSystemCertificates
[1] we will remove the default explicit configuration options that
point to /etc/openldap/certs. As a result, OpenLDAP will let its crypto
library (OpenSSL) load the default CA certificates as described in the
SharedSystemCertificates [1] description. For convenience, where
possible, configuration files will contain a comment explaining
the new behaviour.
== Scope ==
* Proposal owners:
change of default shipped configuration.
* Other developers:
check that your application trusts whom you want it to trust
* Release engineering:
https://pagure.io/releng/issue/7252
* List of deliverables:
N/A
* Policies and guidelines:
None.
* Trademark approval:
None. (not needed for this Change).
[1]
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
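
One way to carry out the "check your application trusts whom you want it to trust" step for a client configuration, as an added example that is not part of the Change proposal or of OpenLDAP: it scans an ldap.conf-style file for explicit CA options (TLS_CACERT and TLS_CACERTDIR from ldap.conf(5)) that would override the crypto library defaults. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find explicit CA trust settings in an ldap.conf-style file.
# ldap.conf option names are case-insensitive; lines starting with '#' are comments.

# Print "OPTION<TAB>value" for every TLS_CACERT / TLS_CACERTDIR directive in file $1.
ldap_ca_overrides() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        NF >= 2 {
            opt = toupper($1)
            if (opt == "TLS_CACERT" || opt == "TLS_CACERTDIR") {
                val = $0
                sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)   # drop the option name
                sub(/[ \t]+$/, "", val)                # drop trailing blanks
                printf "%s\t%s\n", opt, val
            }
        }
    ' "$1"
}

# Return 0 when file $1 leaves CA selection to the crypto library defaults,
# non-zero when an explicit CA file or directory is configured.
uses_system_store_only() {
    [ -z "$(ldap_ca_overrides "$1")" ]
}

# Constructed sample files (hypothetical host name).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/old.conf" <<'EOF'
# constructed sample: explicit trust directory, as in the current default
URI ldap://ldap.example.com
tls_cacertdir /etc/openldap/certs
EOF
cat > "$demo_dir/new.conf" <<'EOF'
# constructed sample: no CA options, so the crypto library defaults apply
URI ldap://ldap.example.com
#TLS_CACERTDIR /etc/openldap/certs
EOF

for f in "$demo_dir/old.conf" "$demo_dir/new.conf"; do
    if uses_system_store_only "$f"; then
        echo "$f: system-wide store only"
    else
        echo "$f: explicit CA override:"
        ldap_ca_overrides "$f" | sed 's/^/  /'
    fi
done
```

The same options can also be set per user (for example in ~/.ldaprc) or through LDAPTLS_CACERT and LDAPTLS_CACERTDIR in the environment, so those need checking as well.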