From bdec46fdafce949b88f36cb2055e1ec3f2c721f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C3=BA=C5=A1=20Hon=C4=9Bk?=
Date: Sun, 11 Feb 2018 20:01:37 +0100
Subject: [PATCH] TLS: Use system trusted CA store by default

Resolves: #1270678, #1537259
---
 ldap.conf | 5 ++++-
 slapd.ldif | 11 ++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/ldap.conf b/ldap.conf
index 84bddc1..3069535 100644
--- a/ldap.conf
+++ b/ldap.conf
@@ -12,7 +12,10 @@
 #TIMELIMIT 15
 #DEREF never
 
-TLS_CACERTDIR /etc/openldap/certs
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by TLS_CACERTDIR one has to include them explicitly:
+#TLS_CACERT /etc/pki/tls/cert.pem
 
 # Turning this off breaks GSSAPI used with krb5 when rdns = false
 SASL_NOCANON on
diff --git a/slapd.ldif b/slapd.ldif
index 4105131..b9ba4f9 100644
--- a/slapd.ldif
+++ b/slapd.ldif
@@ -9,9 +9,14 @@ cn: config
 #
 # TLS settings
 #
-olcTLSCACertificatePath: /etc/openldap/certs
-olcTLSCertificateFile: "OpenLDAP Server"
-olcTLSCertificateKeyFile: /etc/openldap/certs/password
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by oclTLSCACertificatePath one has to include them explicitly:
+#olcTLSCACertificateFile: /etc/pki/tls/cert.pem
+#
+# Private cert and key are not pregenerated.
+#olcTLSCertificateFile:
+#olcTLSCertificateKeyFile:
 #
 # Do not enable referrals until AFTER you have a working directory
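Review bot: The new ldap.conf comment explains the fallback to the system store but does not tell an upgrading administrator what happens to CA certificates that were previously trusted only via the removed `TLS_CACERTDIR /etc/openldap/certs` line — with the directive gone, those CAs are no longer consulted, and since the comment itself states that setting TLS_CACERTDIR alone hides the system store, simply re-adding the old line is not a clean migration either. I would add one more comment line after the TLS_CACERT example: `# CAs previously kept in /etc/openldap/certs should be moved into the system trust store (e.g. via update-ca-trust) rather than re-enabled with TLS_CACERTDIR alone.` It is also worth stating that peer verification itself is unchanged by this patch (TLS_REQCERT keeps its default), so the change only affects which anchors are trusted, not whether verification happens.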
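Review bot: The added comment line `# by oclTLSCACertificatePath one has to include them explicitly:` misspells the attribute; every other attribute in this hunk uses the `olc` prefix, so it should read `# by olcTLSCACertificatePath one has to include them explicitly:` — an administrator searching slapd-config(5) for the misspelled name will not find it. Separately, the two placeholders `#olcTLSCertificateFile:` and `#olcTLSCertificateKeyFile:` carry no value, so uncommenting them as-is would submit empty attribute values; a short hint such as `# (set both to the PEM paths of the server certificate and key before uncommenting)` would avoid that. The hunk header counts nine old-side lines and the visible hunk may be cut after the "Do not enable referrals" line, so the trailing context is not fully in view.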