Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-21 Thread Quanah Gibson-Mount
--On Sunday, July 21, 2019 10:54 PM +0200 Ondřej Kuzník wrote: On Sun, Jul 21, 2019 at 10:18:37AM -0700, Quanah Gibson-Mount wrote: Now you are providing conflicting answers. The man page for back-ldap makes zero reference to ldap.conf(5). It only mentions slapd.conf(5). The syncrepl

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-21 Thread Quanah Gibson-Mount
--On Sunday, July 21, 2019 11:16 PM +0100 Howard Chu wrote: I take this back. Pretty sure we've had this debate before, haven't found it in the list archive. We explicitly create a fresh TLS context in slapd, to eliminate any ldap.conf initialization defaults. Ok, so it's GnuTLS that had

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-21 Thread Howard Chu
Quanah Gibson-Mount wrote: > --On Sunday, July 21, 2019 10:54 PM +0100 Howard Chu wrote: >> Feel free to add a note to slapd.conf(5) / slapd-config(5) about TLS >> defaults. I take this back. Pretty sure we've had this debate before, haven't found it in the list archive. We explicitly create

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-21 Thread Quanah Gibson-Mount
--On Sunday, July 21, 2019 10:54 PM +0100 Howard Chu wrote: You claimed it was inconsistent because syncrepl refers to ldap.conf for network timeout settings while back-ldap makes no reference to ldap.conf. No, if you read my email, I was purely noting that again that the man pages make no

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-21 Thread Howard Chu
Quanah Gibson-Mount wrote: > --On Sunday, July 21, 2019 10:02 PM +0100 Howard Chu wrote: > >> As I already said: there is no reason for the syncrepl consumer and >> back-ldap to behave identically. The manpages are correct in each case. > > I've never said they should behave identically, and I

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-21 Thread Quanah Gibson-Mount
--On Sunday, July 21, 2019 10:02 PM +0100 Howard Chu wrote: As I already said: there is no reason for the syncrepl consumer and back-ldap to behave identically. The manpages are correct in each case. I've never said they should behave identically, and I do not fathom why you are so focussed

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-21 Thread Ryan Tandy
On Sun, Jul 21, 2019 at 10:18:37AM -0700, Quanah Gibson-Mount wrote: Generally, it seems to me we at the least have a documentation bug, in that back-ldap(5) and the syncrepl section of slapd.conf(5)/slapd-config(5) should note that they will rely on ldap.conf(5) in the absence of TLS (and

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-21 Thread Howard Chu
Quanah Gibson-Mount wrote: > --On Sunday, July 21, 2019 3:37 PM +0100 Howard Chu wrote: > >>> --On Sunday, July 21, 2019 2:51 AM +0100 Howard Chu >>> wrote: >>> The behavior is supposed to be exactly as specified in the manpages. >>> >> A syncrepl consumer is an LDAP client. A

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-21 Thread Ondřej Kuzník
On Sun, Jul 21, 2019 at 10:18:37AM -0700, Quanah Gibson-Mount wrote: > Now you are providing conflicting answers. The man page for back-ldap makes > zero reference to ldap.conf(5). It only mentions slapd.conf(5). The > syncrepl section of slapd.conf(5)/slapd-config(5) only mention the >

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-21 Thread Quanah Gibson-Mount
--On Sunday, July 21, 2019 3:37 PM +0100 Howard Chu wrote: --On Sunday, July 21, 2019 2:51 AM +0100 Howard Chu wrote: The behavior is supposed to be exactly as specified in the manpages. A syncrepl consumer is an LDAP client. A back-ldap backend is an LDAP client. Now you are

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-21 Thread Howard Chu
Quanah Gibson-Mount wrote: > --On Sunday, July 21, 2019 2:51 AM +0100 Howard Chu wrote: > >> The behavior is supposed to be exactly as specified in the manpages. >> >> There is no reason to expect back-ldap and syncrepl to be exactly alike; >> they perform different functions. > > You missed

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-21 Thread Nikos Voutsinas
On Sun, Jul 21, 2019 at 1:50 PM Michael Ströder wrote: > On 7/20/19 8:45 PM, Nikos Voutsinas wrote: > > Weird... My build of OPENLDAP_REL_ENG_2_4_48 on Debian/Buster against > > openssl was working, without using the olcTLSCACertificateFile. > > Why that happens is a good question. > > You

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-21 Thread Michael Ströder
On 7/20/19 8:45 PM, Nikos Voutsinas wrote: > Weird... My build of OPENLDAP_REL_ENG_2_4_48 on Debian/Buster against > openssl was working, without using the olcTLSCACertificateFile. Why that happens is a good question. You probably have to dig a bit deeper and examine whether the OpenSSL lib

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-21 Thread Michael Ströder
On 7/21/19 4:32 AM, Quanah Gibson-Mount wrote: > You missed the point.  It wasn't about syncrepl vs back-ldap, it was > about whether or not *anything* used in slapd should ever pull in data > from ldap.conf. From my understanding up to now ldap.conf was used in back-ldap and people make use of

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Quanah Gibson-Mount
--On Sunday, July 21, 2019 2:51 AM +0100 Howard Chu wrote: The behavior is supposed to be exactly as specified in the manpages. There is no reason to expect back-ldap and syncrepl to be exactly alike; they perform different functions. You missed the point. It wasn't about syncrepl vs

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Howard Chu
Quanah Gibson-Mount wrote: > --On Saturday, July 20, 2019 8:43 PM +0100 Howard Chu wrote: > >> As documented in slapd-ldap(5) >> >>> The  TLS  settings  default  to  the  same as the main >>> slapd TLS settings, except for tls_reqcert which defaults >>> to

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Quanah Gibson-Mount
--On Saturday, July 20, 2019 8:43 PM +0100 Howard Chu wrote: As documented in slapd-ldap(5) The TLS settings default to the same as the main slapd TLS settings, except for tls_reqcert which defaults to "demand". If that no longer works, then we

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Nikos Voutsinas
On Sat, Jul 20, 2019 at 9:31 PM Ryan Tandy wrote: > On Sat, Jul 20, 2019 at 09:40:53AM -0700, Quanah Gibson-Mount wrote: > >--On Saturday, July 20, 2019 3:55 PM +0300 Nikos Voutsinas > > wrote: > > > >>I am using the ldap.conf TLS params to provide the path to CAs. That's > >>the default way for

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Howard Chu
Ryan Tandy wrote: > On Sat, Jul 20, 2019 at 09:40:53AM -0700, Quanah Gibson-Mount wrote: >> --On Saturday, July 20, 2019 3:55 PM +0300 Nikos Voutsinas >> wrote: >> >>> I am using the ldap.conf TLS params to provide the path to CAs. That's >>> the default way for Debian. It works with 2.4.47, it

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Nikos Voutsinas
On Sat, Jul 20, 2019 at 4:46 PM Michael Ströder wrote: > On 7/20/19 3:41 PM, Michael Ströder wrote: > > On 7/20/19 1:31 PM, Nikos Voutsinas wrote: > >> Ok that can be done, although I am pretty sure that it will work with > >> OpenSSL since you have already tested a similar setup on openSUSE. >

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Ryan Tandy
On Sat, Jul 20, 2019 at 09:40:53AM -0700, Quanah Gibson-Mount wrote: --On Saturday, July 20, 2019 3:55 PM +0300 Nikos Voutsinas wrote: I am using the ldap.conf TLS params to provide the path to CAs. That's the default way for Debian. It works with 2.4.47, it also works for the 2.4.48

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Quanah Gibson-Mount
--On Saturday, July 20, 2019 3:55 PM +0300 Nikos Voutsinas wrote: I am using the ldap.conf TLS params to provide the path to CAs. That's the default way for Debian. It works with 2.4.47, it also works for the 2.4.48 openldap client utils) as I mentioned earlier. ldap.conf is only for

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Nikos Voutsinas
On Sat, 20 Jul 2019 at 16:46, Michael Ströder wrote: > On 7/20/19 3:41 PM, Michael Ströder wrote: > > On 7/20/19 1:31 PM, Nikos Voutsinas wrote: > >> Ok that can be done, although I am pretty sure that it will work with > >> OpenSSL since you have already tested a similar setup on openSUSE. >

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Nikos Voutsinas
On Sat, 20 Jul 2019 at 14:42, Ondřej Kuzník wrote: > On Sat, Jul 20, 2019 at 09:25:17AM +0300, Nikos Voutsinas wrote: > > Hi all, > > > > In the view of the new openldap release, I ran some tests by using the > > current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree and based on my > > findings

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Nikos Voutsinas
On Sat, 20 Jul 2019 at 13:00, Michael Ströder wrote: > On 7/20/19 10:51 AM, Nikos Voutsinas wrote: > > On Sat, Jul 20, 2019 at 11:28 AM Michael Ströder > > wrote: > > On 7/20/19 8:25 AM, Nikos Voutsinas wrote: > > > In the view of the new openldap release, I

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Nikos Voutsinas
On Sat, Jul 20, 2019 at 11:28 AM Michael Ströder wrote: > On 7/20/19 8:25 AM, Nikos Voutsinas wrote: > > In the view of the new openldap release, I ran some tests by using the > > current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree > > Which snapshot? Really the latest 407ce9d prepared for

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Michael Ströder
On 7/20/19 3:41 PM, Michael Ströder wrote: > On 7/20/19 1:31 PM, Nikos Voutsinas wrote: >> Ok that can be done, although I am pretty sure that it will work with >> OpenSSL since you have already tested a similar setup on openSUSE. >> >> The idea here is to first confirm with others the problem

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Michael Ströder
On 7/20/19 1:31 PM, Nikos Voutsinas wrote: > Ok that can be done, although I am pretty sure that it will work with > OpenSSL since you have already tested a similar setup  on openSUSE. > > The idea here is to first confirm with others the problem and then early > identify the change set that

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Ondřej Kuzník
On Sat, Jul 20, 2019 at 09:25:17AM +0300, Nikos Voutsinas wrote: > Hi all, > > In the view of the new openldap release, I ran some tests by using the > current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree and based on my > findings It seems that this build breaks the back_ldap backend when it is

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Michael Ströder
On 7/20/19 10:51 AM, Nikos Voutsinas wrote: > On Sat, Jul 20, 2019 at 11:28 AM Michael Ströder > wrote: > On 7/20/19 8:25 AM, Nikos Voutsinas wrote: > > In the view of the new openldap release, I ran some tests by using the > > current snapshot of the

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Michael Ströder
On 7/20/19 8:25 AM, Nikos Voutsinas wrote: > In the view of the new openldap release, I ran some tests by using the > current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree Which snapshot? Really the latest 407ce9d prepared for release and with latest mdb merge? > and based on my > findings It

back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Nikos Voutsinas
Hi all, In the view of the new openldap release, I ran some tests by using the current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree and based on my findings It seems that this build breaks the back_ldap backend when it is used with a remote ldaps:/// server. In particular, the following snippet
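The practical takeaway from the thread is that slapd builds its own TLS context and does not inherit TLS_CACERT from ldap.conf(5), while back-ldap defaults to tls_reqcert=demand, so a proxy to an ldaps:// server fails verification unless slapd itself is told where the CA bundle is. The following cn=config LDIF is an added example, not taken from any message in the thread or from the OpenLDAP project; it shows the two places where the CA path can be made explicit. The CA file path, the remote host name and the database index `{1}` are assumptions for illustration.

```ldif
# Option A: set the CA bundle globally for slapd. slapd-ldap(5) says the
# back-ldap TLS settings default to the main slapd TLS settings, so this
# alone is enough for back-ldap to verify the remote server's certificate.
# /etc/ssl/certs/ca-certificates.crt is an assumed path.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt

# Option B: set the CA bundle only for the back-ldap database, leaving the
# frontend TLS configuration untouched. The database DN and the remote URI
# are assumptions. tls_reqcert=demand is the documented default and is
# repeated here only to make the verification requirement visible.
dn: olcDatabase={1}ldap,cn=config
changetype: modify
replace: olcDbURI
olcDbURI: ldaps://ldap.example.org/
-
replace: olcDbTls
olcDbTls: ldaps tls_cacert=/etc/ssl/certs/ca-certificates.crt tls_reqcert=demand
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>` (either option on its own is sufficient), then run a search against the proxied suffix and check the slapd log for the bind to the remote server; if the connection still fails, the problem is not the CA path but the certificate chain or name the remote presents. Using tls_reqcert=never or allow to make the error go away would disable server authentication for the proxy and should not be treated as a fix.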