On Sat, Jul 20, 2019 at 11:28 AM Michael Ströder <mich...@stroeder.com>
wrote:

> On 7/20/19 8:25 AM, Nikos Voutsinas wrote:
> > In the view of the new openldap release, I ran some tests by using the
> > current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree
>
> Which snapshot? Really the latest 407ce9d prepared for release and with
> latest mdb merge?
>

Yep, the one tagged for 2.4.48.


>
> > and based on my
> > findings it seems that this build breaks the back_ldap backend when it
> > is used with a remote ldaps:/// server.
>
> I have a similar config working just fine with git snapshot 407ce9d.
> But I'm running this on openSUSE Tumbleweed with OpenLDAP linked against
> OpenSSL.
>

Interesting...

>
> > The testing environment was a Debian (Stable/Buster) and
> > Openldap was compiled with the Debian's gnu TLS libs.
>
> Could you try to link with OpenSSL and test that to preclude that it's
> an issue with GnuTLS?
>

If it were a GnuTLS library issue, even a plain ldapsearch -H
ldaps:// would have had problems. That is not the case here: the command-line
utils from the same build work against the same remote ldaps:/// server.


>
> > TLS: peer cert untrusted or revoked (0x42)
> > TLS: can't connect: (unknown error code).
>
> Could you try with gnutls-cli to check whether TLS just works?
>

gnutls-cli completes the handshake without problem. It sees one perfect
chain and can successfully verify the remote server's certs (otherwise the
openldap client utils wouldn't have worked either).


> Ciao, Michael.
>
>
