docker-library / httpd

Docker Official Image packaging for Apache HTTP Server
https://httpd.apache.org
Apache License 2.0

ca-certificates required for mod_ldap + mod_authnz_ldap with ldaps:// #214

Closed rmibelgium closed 2 years ago

rmibelgium commented 2 years ago

With FROM httpd:2.4.53-bullseye

Using

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

<Directory "/web/">
    AuthLDAPUrl "ldaps://ldapserver1 ldapserver2 ldapserver13/ou=People,dc=our,dc=organisation,dc=be?uid,cn,mail,gidNumber"
    AuthType Basic
    AuthBasicProvider ldap
    Require ldap-group cn=group1,ou=People,dc=our,dc=organisation,dc=be
</Directory>

The only error message I can get in error_log (even with LogLevel debug) is

[Fri Apr 29 09:01:30.932273 2022] [authnz_ldap:info] [pid 38:tid 140135614097152] [client XXXXX:62127] AH01695: auth_ldap authenticate: user stephane authentication failed; URI /testURI/ [LDAP: ldap_simple_bind() failed][Can't contact LDAP server]

After doing apt update && apt install ca-certificates

Everything is working correctly.

Don't know what would be better: image modification, specification in the documentation or better debug messages from mod_ldap.

tianon commented 2 years ago

I guess there are probably other features of httpd that can probably also reach out to external services and might benefit from CA certificates, but I do wonder how common it is, especially with services that have a real valid certificate that ca-certificates would include? I suppose the scaffolding around update-ca-certificates is useful regardless, though, and I think we only get that with ca-certificates installed, so it probably makes sense to include it in the image.
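
A preflight check for the failure discussed in this thread, added here as an example and not taken from the issue or from the docker-library/httpd project: it separates "no trust store in the image" from "the server's chain does not verify", which the `Can't contact LDAP server` message does not distinguish. Assumptions: the function names are hypothetical, the default bundle path is the file that Debian's ca-certificates package generates, the server listens on port 636, and the openssl CLI is available in the container.

```shell
#!/bin/sh
# Added example: preflight for the trust store an ldaps:// client relies on.
# Assumption: the default bundle is the file Debian's ca-certificates package generates.
CA_BUNDLE_DEFAULT=/etc/ssl/certs/ca-certificates.crt

# Print the number of PEM certificates in the bundle $1 (0 if unreadable).
count_ca_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print "missing", "empty" or "ok" for the bundle given as $1.
trust_store_state() {
    if [ ! -e "$1" ]; then echo missing
    elif [ "$(count_ca_certs "$1")" -eq 0 ]; then echo empty
    else echo ok
    fi
}

# Verify the chain an LDAPS server presents against the bundle.
# Args: host, port, bundle. Needs the openssl CLI and network access.
verify_ldaps_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        -verify_return_error </dev/null 2>&1 |
        grep -q 'Verify return code: 0 (ok)'
}

# Args: host [bundle]. Returns 0 ok, 2 bundle missing, 3 bundle empty,
# 4 chain not verified (untrusted certificate or server unreachable).
preflight() {
    bundle=${2:-$CA_BUNDLE_DEFAULT}
    case "$(trust_store_state "$bundle")" in
        missing) echo "no CA bundle at $bundle: install ca-certificates"; return 2 ;;
        empty) echo "$bundle holds no certificates: run update-ca-certificates"; return 3 ;;
    esac
    if ! verify_ldaps_chain "$1" 636 "$bundle"; then
        echo "could not verify chain from $1:636 against $bundle"; return 4
    fi
    echo "ldaps://$1 chain verifies against $bundle"
}

# Run only when a host is passed on the command line.
if [ $# -gt 0 ]; then preflight "$@"; fi
```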