On Thu, Jun 27, 2019 at 08:08:19PM +0000, a.chelouah@gmail.com wrote:
Hello,
Commit 6f623dfa1ca65698c19ccc6c058cd170e633384e fixing ITS#8427 (Set up TLS settings on each reconnection) introduce a regression when the proxy connect to the**Backend ldap server via ldaps://
The relevent part of my config is:
dn: olcDatabase={2}ldap,cn=config objectClass: olcDatabaseConfig objectClass: olcLDAPConfig olcDatabase: {2}ldap olcSuffix: dc=local olcDbURI: ldaps://ldap.local olcDbChaseReferrals: TRUE olcDbRebindAsUser: TRUE olcDbIDAssertBind: bindmethod=none tls_cacert=/etc/pki/tls/certs/ca.crt olcDbIDAssertAuthzFrom: "*"
(I also tried by setting LDAPTLS_CACERT env var when starting slapd)
On backend ldap server logs, I get the message "TLS negociation failure"
I've set up a test script here https://github.com/mistotebe/openldap/tree/its8427-regression
This runs without issues but if you replace olcDbStartTLS with an analogous olcDbIDAssertBind in the configs, it seems the CA certificate is not set for the connection.
I guess we've introduced a behaviour change with ITS#8427, not sure what the documentation implies should happen in these cases, whether the new behaviour is inconsistent with it or you've been relying on incorrect behaviour that has since been corrected.
Regards,