On Wed, Nov 25, 2020 at 1:16 AM William Brown <[email protected]> wrote:
> > > > On 25 Nov 2020, at 01:08, Ivanov Andrey (M.) < > [email protected]> wrote: > > > > > > But all in all i think i start to see where the problem comes from. > dsconf version 1.4.2 uses /etc/openldap/ldap.conf (which in turn uses > system pem bundle if no TLS_CACERT is specified) for certs/CA. Starting > from 1.4.3 dsconf ignores completely /etc/openldap/ldap.conf file and pays > attention only to its own .dsrc file. It explains everything that i see. > It's a bit pity that there is no global section in .dsrc like in > /etc/openldap/ldap.conf - one needs to create a section per ldap server, > often with the same parameters. > > Well, it should be respecting the value from /etc/openldap/ldap.conf I > think so this seems like a fault ... Can you open an issue for this on > github? > Looking at the changes between 1.4.2 and 1.4.3 python3-lib389 rpms, this seems to be the change that introduced the issue: https://github.com/389ds/389-ds-base/commit/938fb3478ba5c0f985f79d84876d643e9453d15c#diff-10fad34fdcb9556b5901c8f5a1532a4caea0f316546d292ecd30da9b9a6593afL1024 It sets explicitly ldap.OPT_X_TLS_REQUIRE_CERT to ldap.OPT_X_TLS_HARD: https://github.com/389ds/389-ds-base/blob/e6e710b146b1d75d4f7c7b852a2bea33d4cd76d8/src/lib389/lib389/__init__.py#L970-L979 > > https://github.com/389ds/389-ds-base > > Thanks > > > > > Thanks again for help, it's clear for me now! > > > > Have a nice day! :) > > — > Sincerely, > > William Brown > > Senior Software Engineer, 389 Directory Server > SUSE Labs, Australia > _______________________________________________ > 389-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/[email protected] > -- Viktor
_______________________________________________ 389-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
