Ryan Tandy wrote:
> On Sat, Jul 20, 2019 at 09:40:53AM -0700, Quanah Gibson-Mount wrote:
>> --On Saturday, July 20, 2019 3:55 PM +0300 Nikos Voutsinas 
>> <nvout...@gmail.com> wrote:
>>
>>> I am using the ldap.conf TLS params to provide the path to CAs. That's
>>> the default way for Debian. It works with 2.4.47, it also works for the
>>> 2.4.48 openldap client utils) as I mentioned  earlier.
>>
>> ldap.conf is only for client utilities.  This is clearly described in the 
>> ldap.conf(5) man page.  This sounds more to me like we've closed a bug with 
>> the
>> GnuTLS implementation.
> 
> This does appear to be what's happened. I confirm that in 2.4.47, back_ldap 
> does pick up the TLS_CACERT setting from ldap.conf, while in 2.4.48 it does 
> not.
> 
> For the record, this is not specific to GnuTLS. I observe the same difference 
> with OpenSSL.
> 
> 6f623df (ITS#8427) is the commit that changed it, as expected. As I 
> understand it, the new behaviour is what's intended, although configs might 
> need updates per
> Ondrej's last message on the ITS (duplicating the TLS settings for different 
> connection types).
> 
> Even if it's considered a bugfix, it might be worth calling out in the 
> release notes? Just for the sake of reducing support noise if people are 
> unintentionally
> depending on the old behaviour...
> 
> Is there a global place in slapd where one can configure things like CA cert 
> and have it defaulted into all TLS clients? I'm not aware of one, yet it 
> seems like
> an obvious thing to provide...

As documented in slapd-ldap(5)

>              The  TLS  settings  default  to  the  same as the main slapd TLS
>              settings, except for tls_reqcert which defaults to "demand".

If that no longer works, then we have yet another regression.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Reply via email to