On Sat, Jul 20, 2019 at 9:31 PM Ryan Tandy <r...@nardis.ca> wrote: > On Sat, Jul 20, 2019 at 09:40:53AM -0700, Quanah Gibson-Mount wrote: > >--On Saturday, July 20, 2019 3:55 PM +0300 Nikos Voutsinas > ><nvout...@gmail.com> wrote: > > > >>I am using the ldap.conf TLS params to provide the path to CAs. That's > >>the default way for Debian. It works with 2.4.47, it also works for the > >>2.4.48 openldap client utils) as I mentioned earlier. > > > >ldap.conf is only for client utilities. This is clearly described in > >the ldap.conf(5) man page. This sounds more to me like we've closed a > >bug with the GnuTLS implementation. > > This does appear to be what's happened. I confirm that in 2.4.47, > back_ldap does pick up the TLS_CACERT setting from ldap.conf, while in > 2.4.48 it does not. > > For the record, this is not specific to GnuTLS. I observe the same > difference with OpenSSL. >
Weird... My build of OPENLDAP_REL_ENG_2_4_48 on Debian/Buster against openssl was working, without using the olcTLSCACertificateFile. > > 6f623df (ITS#8427) is the commit that changed it, as expected. As I > understand it, the new behaviour is what's intended, although configs > might need updates per Ondrej's last message on the ITS (duplicating the > TLS settings for different connection types). > > Even if it's considered a bugfix, it might be worth calling out in the > release notes? Just for the sake of reducing support noise if people are > unintentionally depending on the old behaviour... > > Is there a global place in slapd where one can configure things like CA > cert and have it defaulted into all TLS clients? I'm not aware of one, > yet it seems like an obvious thing to provide... >