[email protected] wrote:
> On Thu, Jun 27, 2019 at 08:08:19PM +0000, [email protected] wrote:
>> Hello,
>>
>> Commit 6f623dfa1ca65698c19ccc6c058cd170e633384e fixing ITS#8427 (Set up
>> TLS settings on each reconnection) introduces a regression when the proxy
>> connects to the backend LDAP server via ldaps://
>>
>> The relevant part of my config is:
>>
>> dn: olcDatabase={2}ldap,cn=config
>> objectClass: olcDatabaseConfig
>> objectClass: olcLDAPConfig
>> olcDatabase: {2}ldap
>> olcSuffix: dc=local
>> olcDbURI: ldaps://ldap.local
>> olcDbChaseReferrals: TRUE
>> olcDbRebindAsUser: TRUE
>> olcDbIDAssertBind: bindmethod=none tls_cacert=/etc/pki/tls/certs/ca.crt
>> olcDbIDAssertAuthzFrom: "*"
>>
>> (I also tried by setting the LDAPTLS_CACERT env var when starting slapd)
>>
>> On the backend LDAP server logs, I get the message "TLS negotiation failure"
>
> I've set up a test script here
> https://github.com/mistotebe/openldap/tree/its8427-regression
>
> This runs without issues but if you replace olcDbStartTLS with an
> analogous olcDbIDAssertBind in the configs, it seems the CA certificate
> is not set for the connection.
Then this is a new bug. Clearly the idassert-bind option takes tls_cacert as a parameter, so if it is provided it is expected to be used.

>
> I guess we've introduced a behaviour change with ITS#8427, not sure what
> the documentation implies should happen in these cases, whether the new
> behaviour is inconsistent with it or you've been relying on incorrect
> behaviour that has since been corrected.
>
> Regards,
>

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
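For reference, the two configurations the quoted test script swaps between, written out as an added illustration that is not part of this thread or of the OpenLDAP tree. Both fragments describe the reporter's same back-ldap database; one carries the CA file on olcDbStartTLS (the slapd-ldap(5) "tls" directive, whose "ldaps" keyword is used because the URI scheme is ldaps:// and no StartTLS operation must be sent), the other carries it only on olcDbIDAssertBind, as in the original report. The host name and CA path are the reporter's own placeholders; the "ldaps" keyword and the tls_cacert parameter are taken from the slapd-ldap(5) manual and are assumed to apply to the version in use.

```ldif
# Added illustration, not from the thread. Only ONE of the two variants
# below is meant to be present in a given config; they are shown together
# for comparison. Host name and CA path are placeholders from the report.

# Variant A: CA file given on the database's TLS directive (olcDbStartTLS).
# The "ldaps" keyword tells back-ldap the URI is ldaps:// and that the
# StartTLS extended operation must not be issued on the connection.
dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcSuffix: dc=local
olcDbURI: ldaps://ldap.local
olcDbStartTLS: ldaps tls_cacert=/etc/pki/tls/certs/ca.crt
olcDbChaseReferrals: TRUE
olcDbRebindAsUser: TRUE

# Variant B: CA file given only on the identity-assertion bind
# (olcDbIDAssertBind), exactly as in the reporter's configuration.
dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcSuffix: dc=local
olcDbURI: ldaps://ldap.local
olcDbChaseReferrals: TRUE
olcDbRebindAsUser: TRUE
olcDbIDAssertBind: bindmethod=none tls_cacert=/etc/pki/tls/certs/ca.crt
olcDbIDAssertAuthzFrom: "*"
```

Per the thread, the quoted test passes with variant A and fails with variant B after commit 6f623dfa1ca65698c19ccc6c058cd170e633384e, which is the difference Howard's reply calls a new bug: the idassert-bind directive documents tls_cacert as a parameter, so a CA file given there should be applied to the connection.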
