From f66a7d11b5ad6c6b9b155408863f5de82bb2d973 Mon Sep 17 00:00:00 2001
From: David Hill
Date: Tue, 15 Mar 2022 12:21:05 -0400
Subject: Print a human readable error if tls certs are not provided

Print a human readable error if tls certs are not provided when using ldaps:// or use_tls and not providing CA certificates.

Change-Id: I5d3613617278443673a265259351a2e1d5dc7f44
---
 keystone/identity/backends/ldap/common.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/keystone/identity/backends/ldap/common.py b/keystone/identity/backends/ldap/common.py
index 1033a4efd..e1399ec6a 100644
--- a/keystone/identity/backends/ldap/common.py
+++ b/keystone/identity/backends/ldap/common.py
@@ -603,6 +603,11 @@ def _common_ldap_initialization(url, use_tls=False, tls_cacertfile=None,
         if not ldap.TLS_AVAIL:
             raise ValueError(_('Invalid LDAP TLS_AVAIL option: %s. TLS '
                                'not available') % ldap.TLS_AVAIL)
+        if not tls_cacertfile and not tls_cacertdir:
+            raise ValueError(_('You need to set tls_cacertfile or '
+                               'tls_cacertdir if use_tls is true or '
+                               'url uses ldaps: scheme.'))
+
         if tls_cacertfile:
             # NOTE(topol)
             # python ldap TLS does not verify CACERTFILE or CACERTDIR
-- 
cgit v1.2.1
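Review bot: The added `if not tls_cacertfile and not tls_cacertdir:` guard turns a configuration that previously fell through — no explicit CA source, leaving certificate trust to whatever python-ldap/libldap resolves on its own — into a hard `ValueError`, and neither the commit message nor the new error text says that this is a deliberate fail-closed decision rather than just a nicer message for a case that was already broken. If fail-closed is the intent it is the right security posture, but it should be stated above the check, e.g. `# Fail closed: require an explicit CA source rather than rely on libldap's implicit trust defaults.`, and called out in the option help or a release note so operators who relied on the implicit defaults understand why startup now fails. The `if` block that encloses this check and the rest of `_common_ldap_initialization` (signature continues past `tls_cacertfile=None,` in the hunk header) lie outside the hunk, so I am inferring from the indentation that the guard only fires on the TLS/ldaps path. If the function also carries a certificate-verification mode parameter (not visible here), a value that disables verification would make the CA requirement moot, and the message could point at that option as well so the error is actionable rather than merely readable.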