Every single article/how-to/blog on openldap talks about putting the ldap cert for ldaps in the /etc/openldap/cacerts directory.
I am wondering why not just put the cert(s) in /etc/pki/tls/certs and make a symbolic link between /etc/openldap/cacerts -> /etc/pki/tls/certs? That way all certs are in one place on the system and not spread out in various directories.
Best Answer
Not specific to openldap, this is generally done for security reasons:
- the software package in question may do a chroot into its own directory within /etc, and would then be unable to follow any symbolic links outside of the changed root
- the software may be programmed in such a way as to specifically prohibit it from following any kind of symbolic links in the first place
It's all done in order to ensure that any kind of exploit would be limited and isolated to one piece of software, and the adversary would have a harder time accessing arbitrary files on the filesystem.
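To make the chroot point concrete, the following is an added example (my own code, not from the answer above or from OpenLDAP) that resolves a path the way a chrooted process would see it: absolute symlink targets are re-based onto the chroot, so a link from /etc/openldap/cacerts to /etc/pki/tls/certs dangles unless that target also exists inside the chroot. The resolver function and the temporary directory tree are constructed for illustration.

```python
import os
import tempfile


def resolve_in_chroot(root, path, max_links=40):
    """Resolve `path` as a process chrooted to `root` would: absolute symlink
    targets and `..` are re-based onto `root`, never onto the host's `/`.
    Returns the host-side path of the final target, or None if any component
    (including a symlink target) does not exist inside the chroot."""
    root = os.path.abspath(root)
    parts = [p for p in path.split("/") if p]
    cur, hops = root, 0
    while parts:
        name = parts.pop(0)
        if name == ".":
            continue
        if name == "..":
            cur = root if cur == root else os.path.dirname(cur)  # cannot climb above root
            continue
        cand = os.path.join(cur, name)
        if os.path.islink(cand):
            hops += 1
            if hops > max_links:
                return None  # symlink loop
            target = os.readlink(cand)
            if target.startswith("/"):
                cur = root  # absolute target is interpreted relative to the chroot
            parts = [p for p in target.split("/") if p] + parts
            continue
        if not os.path.lexists(cand):
            return None
        cur = cand
    return cur


def demo():
    """Constructed tree: the chroot holds only /etc/openldap, and cacerts is a
    symlink to the host's consolidated /etc/pki/tls/certs (hypothetical layout)."""
    with tempfile.TemporaryDirectory() as root:
        cacerts = os.path.join(root, "etc", "openldap", "cacerts")
        os.makedirs(os.path.dirname(cacerts))
        os.symlink("/etc/pki/tls/certs", cacerts)
        outside = resolve_in_chroot(root, "/etc/openldap/cacerts")  # None: target is outside the chroot
        # The same link resolves only once the target directory exists inside the chroot.
        os.makedirs(os.path.join(root, "etc", "pki", "tls", "certs"))
        inside = resolve_in_chroot(root, "/etc/openldap/cacerts")
        return outside, inside == os.path.join(root, "etc", "pki", "tls", "certs")


if __name__ == "__main__":
    print(demo())  # (None, True)
```

On the host, os.path.realpath on the same symlink would happily return /etc/pki/tls/certs, which is exactly the escape the chroot is meant to prevent.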