On Sat, Jul 20, 2019 at 09:25:17AM +0300, Nikos Voutsinas wrote: > Hi all, > > In the view of the new openldap release, I ran some tests by using the > current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree and based on my > findings It seems that this build breaks the back_ldap backend when it is > used with a remote ldaps:/// server. > > In particular, the following snippet of proxy bind configuration, which > works on the same system, with the same remote ldaps:/// server / > certificate and the 2.4.47 release, fails with the engineering release of > 2.4.48. The testing environment was a Debian (Stable/Buster) and Openldap > was compiled with the Debian's gnu TLS libs. Based on my previous > experience I would have bet that this is a GNU TLS issue, however this > seems to be a different case considering that the error happens only with > the switch from the 2.4.47 to 2.4.48. Could this be another side effect of > the related to ITS#8427 fixes? > > dn: olcDatabase={3}ldap,cn=config > changetype: add > objectClass: olcDatabaseConfig > objectClass: olcLDAPConfig > olcDatabase: {3}ldap > olcAccess: to * by * manage > olcSuffix: cn=authn > olcRootDN: cn=admin,cn=authn > olcRootPW: {SSHA}<REMOVED> > olcDbURI: ldaps://remote-authn.acme.foo:636 > > The debug output shows the following: > > TLS: peer cert untrusted or revoked (0x42) > TLS: can't connect: (unknown error code).
Hi Nikos, where/how do you set the CA certificates that slapd should trust? Thanks, -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP