On Sat, Jul 20, 2019 at 11:28 AM Michael Ströder <mich...@stroeder.com> wrote:
> On 7/20/19 8:25 AM, Nikos Voutsinas wrote:
> > In the view of the new openldap release, I ran some tests by using the
> > current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree
>
> Which snapshot? Really the latest 407ce9d prepared for release and with
> latest mdb merge?

Yep, the one tagged for 2.4.48.

> > and based on my
> > findings it seems that this build breaks the back_ldap backend when it
> > is used with a remote ldaps:/// server.
>
> I have a similar config working just fine with git snapshot 407ce9d.
> But I'm running this on openSUSE Tumbleweed with OpenLDAP linked against
> OpenSSL.

Interesting ....

> > The testing environment was a Debian (Stable/Buster) and
> > Openldap was compiled with the Debian's GnuTLS libs.
>
> Could you try to link with OpenSSL and test that to preclude that it's
> an issue with GnuTLS?

Whenever it was a GnuTLS library issue, even the plain ldapsearch -H ldaps:// had problems. Now this is not the case: the cmd line utils from the same build work against the same remote ldaps:/// server.

> > TLS: peer cert untrusted or revoked (0x42)
> > TLS: can't connect: (unknown error code).
>
> Could you try with gnutls-cli to check whether TLS just works?

gnutls-cli completes the handshake without problem. It sees one perfect chain, and can successfully verify the remote server's certs (otherwise the openldap client utils wouldn't have worked either).

> Ciao, Michael.