Ondřej Kuzník wrote:
> On Wed, Jul 10, 2019 at 04:48:55PM +0000, h...@symas.com wrote:
>> on...@mistotebe.net wrote:
>>> On Thu, Jun 27, 2019 at 08:08:19PM +0000, a.chelo...@gmail.com wrote:
>>>> Hello,
>>>>
>>>> Commit 6f623dfa1ca65698c19ccc6c058cd170e633384e fixing ITS#8427 (Set up
>>>> TLS settings on each reconnection) introduces a regression when the proxy
>>>> connects to the backend ldap server via ldaps://
>>>>
>>>> The relevant part of my config is:
>>>>
>>>> dn: olcDatabase={2}ldap,cn=config
>>>> objectClass: olcDatabaseConfig
>>>> objectClass: olcLDAPConfig
>>>> olcDatabase: {2}ldap
>>>> olcSuffix: dc=local
>>>> olcDbURI: ldaps://ldap.local
>>>> olcDbChaseReferrals: TRUE
>>>> olcDbRebindAsUser: TRUE
>>>> olcDbIDAssertBind: bindmethod=none tls_cacert=/etc/pki/tls/certs/ca.crt
>>>> olcDbIDAssertAuthzFrom: "*"
>>>>
>>>> (I also tried by setting the LDAPTLS_CACERT env var when starting slapd)
>>>>
>>>> In the backend ldap server logs, I get the message "TLS negotiation failure"
>>>
>>> I've set up a test script here
>>> https://github.com/mistotebe/openldap/tree/its8427-regression
>>>
>>> This runs without issues, but if you replace olcDbStartTLS with an
>>> analogous olcDbIDAssertBind in the configs, it seems the CA certificate
>>> is not set for the connection.
>>
>> Then this is a new bug. Clearly the idassert-bind option takes tls_cacert
>> as a parameter, so if it is provided it is expected to be used.
>
> Sure, on idassert connections only, though. When does back-ldap use one?
> I want to edit the linked script to exercise that so we have a decent
> test for this now.
idassert is used when you want back-ldap to propagate the incoming client's identity to the remote server. It affects every operation that a client issues.

-- 
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/