On Wed, Jul 10, 2019 at 04:48:55PM +0000, hyc(a)symas.com wrote: > ondra(a)mistotebe.net wrote: >> On Thu, Jun 27, 2019 at 08:08:19PM +0000, a.chelouah(a)gmail.com wrote: >>> Hello, >>> >>> Commit 6f623dfa1ca65698c19ccc6c058cd170e633384e fixing ITS#8427 (Set=

>>> TLS settings on each reconnection) introduce a regression when the p=

>>> connect to the**Backend ldap server via ldaps:// >>> >>> The relevent part of my config is: >>> >>> dn: olcDatabase=3D{2}ldap,cn=3Dconfig >>> objectClass: olcDatabaseConfig >>> objectClass: olcLDAPConfig >>> olcDatabase: {2}ldap >>> olcSuffix: dc=3Dlocal >>> olcDbURI: ldaps://ldap.local >>> olcDbChaseReferrals: TRUE >>> olcDbRebindAsUser: TRUE >>> olcDbIDAssertBind: bindmethod=3Dnone tls_cacert=3D/etc/pki/tls/certs=

>>> olcDbIDAssertAuthzFrom: "*" >>> >>> (I also tried by setting LDAPTLS_CACERT env var when starting slapd) >>> >>> On backend ldap server logs, I get the message "TLS negociation fail=

>> >> I've set up a test script here >> https://github.com/mistotebe/openldap/tree/its8427-regression >> >> This runs without issues but if you replace olcDbStartTLS with an >> analogous olcDbIDAssertBind in the configs, it seems the CA certifica=

>> is not set for the connection. > > Then this is a new bug. Clearly the idassert-bind option takes tls_cac=

> as a parameter, so if it is provided it is expected to be used. =20 Sure, on idassert connections only, though. When does back-ldap use one=

I want to edit the linked script to do exercise that so we have a decen=

test for this now.