On Sat, Jul 20, 2019 at 9:31 PM Ryan Tandy <r...@nardis.ca> wrote:

> On Sat, Jul 20, 2019 at 09:40:53AM -0700, Quanah Gibson-Mount wrote:
> >--On Saturday, July 20, 2019 3:55 PM +0300 Nikos Voutsinas
> ><nvout...@gmail.com> wrote:
> >
> >>I am using the ldap.conf TLS params to provide the path to CAs. That's
> >>the default way for Debian. It works with 2.4.47, it also works for the
> >>2.4.48 openldap client utils, as I mentioned earlier.
> >
> >ldap.conf is only for client utilities.  This is clearly described in
> >the ldap.conf(5) man page.  This sounds more to me like we've closed a
> >bug with the GnuTLS implementation.
>
> This does appear to be what's happened. I confirm that in 2.4.47,
> back_ldap does pick up the TLS_CACERT setting from ldap.conf, while in
> 2.4.48 it does not.
>
> For the record, this is not specific to GnuTLS. I observe the same
> difference with OpenSSL.
>

Weird... My build of OPENLDAP_REL_ENG_2_4_48 on Debian/Buster against
openssl was working, without using the olcTLSCACertificateFile.


>
> 6f623df (ITS#8427) is the commit that changed it, as expected. As I
> understand it, the new behaviour is what's intended, although configs
> might need updates per Ondrej's last message on the ITS (duplicating the
> TLS settings for different connection types).
>
> Even if it's considered a bugfix, it might be worth calling out in the
> release notes? Just for the sake of reducing support noise if people are
> unintentionally depending on the old behaviour...
>
> Is there a global place in slapd where one can configure things like CA
> cert and have it defaulted into all TLS clients? I'm not aware of one,
> yet it seems like an obvious thing to provide...
>

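Added example (not part of the thread or of the OpenLDAP project's own documentation): a slapd.conf fragment showing the "duplicated" TLS settings the quoted message refers to. The global TLS* directives cover only the server side of slapd (the listener); the outbound connections that back_ldap opens to its backend are a TLS client and, as described above for 2.4.48, no longer inherit TLS_CACERT from ldap.conf, so the CA path has to be stated again on the database's own tls directive. Hostnames, suffix and file paths below are assumptions chosen for illustration.

```ldif
# --- server (listener) side: what slapd presents to incoming clients ---
# Hypothetical paths; adjust to the host.
TLSCACertificateFile   /etc/ssl/certs/ca-certificates.crt
TLSCertificateFile     /etc/ldap/ssl/proxy.example.com.crt
TLSCertificateKeyFile  /etc/ldap/ssl/proxy.example.com.key

# --- client side: the proxy's own connections to the backend ---
database ldap
suffix   "dc=example,dc=com"
# Assumed backend; plain ldap:// with StartTLS is used so that the
# "tls start" keyword applies.
uri      "ldap://backend.example.com/"
# Repeat the CA path here. With 2.4.47 this was silently filled in from
# ldap.conf's TLS_CACERT; with 2.4.48 it is not. tls_reqcert=demand makes
# a missing or wrong CA fail the connection instead of accepting an
# unverified backend certificate.
tls      start tls_cacert=/etc/ssl/certs/ca-certificates.crt tls_reqcert=demand
```

In cn=config the same back_ldap tls line is carried by the olcDbStartTLS attribute of the olcDatabase={n}ldap entry (e.g. "olcDbStartTLS: start tls_cacert=/etc/ssl/certs/ca-certificates.crt tls_reqcert=demand"), next to olcTLSCACertificateFile on cn=config for the listener side. A quick check after upgrading is to point the proxy at a backend whose CA is not in the global store and confirm that the proxied search now fails with a TLS error until tls_cacert is set on the database, which is the behaviour change being discussed.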