Ryan Tandy wrote:
> On Sat, Jul 20, 2019 at 09:40:53AM -0700, Quanah Gibson-Mount wrote:
>> --On Saturday, July 20, 2019 3:55 PM +0300 Nikos Voutsinas
>> <nvout...@gmail.com> wrote:
>>
>>> I am using the ldap.conf TLS params to provide the path to CAs. That's
>>> the default way for Debian. It works with 2.4.47, it also works for the
>>> 2.4.48 openldap client utils, as I mentioned earlier.
>>
>> ldap.conf is only for client utilities. This is clearly described in the
>> ldap.conf(5) man page. This sounds more to me like we've closed a bug with the
>> GnuTLS implementation.
>
> This does appear to be what's happened. I confirm that in 2.4.47, back_ldap
> does pick up the TLS_CACERT setting from ldap.conf, while in 2.4.48 it does
> not.
>
> For the record, this is not specific to GnuTLS. I observe the same difference
> with OpenSSL.
>
> 6f623df (ITS#8427) is the commit that changed it, as expected. As I
> understand it, the new behaviour is what's intended, although configs might
> need updates per Ondrej's last message on the ITS (duplicating the TLS
> settings for different connection types).
>
> Even if it's considered a bugfix, it might be worth calling out in the
> release notes? Just for the sake of reducing support noise if people are
> unintentionally depending on the old behaviour...
>
> Is there a global place in slapd where one can configure things like CA cert
> and have it defaulted into all TLS clients? I'm not aware of one, yet it
> seems like an obvious thing to provide...
As documented in slapd-ldap(5):

> The TLS settings default to the same as the main slapd TLS
> settings, except for tls_reqcert which defaults to "demand".

If that no longer works, then we have yet another regression.

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
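The configuration the thread is circling around, as an added illustration rather than anything posted by the participants or shipped by the OpenLDAP project: global TLS directives in slapd.conf, which slapd-ldap(5) says a back-ldap database inherits (apart from tls_reqcert), plus the same CA stated explicitly on the proxy database's `tls` directive so the outbound connection verifies the backend regardless of whether a given release falls back to ldap.conf(5) or to the global settings. All file paths, the suffix and the backend hostname are placeholders.

```conf
# Added example slapd.conf fragment (not from the thread or the OpenLDAP
# project). Paths, suffix and hostname are placeholders for your deployment.

# Global TLS settings used by slapd when it acts as a server. Per
# slapd-ldap(5), a back-ldap database defaults its client-side TLS settings
# to these, except tls_reqcert, which defaults to "demand".
TLSCACertificateFile    /etc/ssl/certs/example-ca.pem
TLSCertificateFile      /etc/ldap/slapd-cert.pem
TLSCertificateKeyFile   /etc/ldap/slapd-key.pem

# Proxy database. Stating the client-side TLS settings here explicitly means
# the CA used to verify the backend no longer depends on ldap.conf(5) being
# read (only the client utilities read it) or on the defaulting behaviour of
# whichever slapd release is installed. tls_reqcert=demand keeps the proxy
# from silently accepting an unverifiable backend certificate.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://backend.example.com/"
tls             start tls_cacert=/etc/ssl/certs/example-ca.pem tls_reqcert=demand
```

`slaptest -u -f /etc/ldap/slapd.conf` checks that the fragment parses before a restart; a proxy that cannot validate the backend under these settings will refuse the connection, which is visible in the slapd log rather than as a quietly unverified session.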