On Sat, Jul 20, 2019 at 11:28 AM Michael Ströder michael@stroeder.com wrote:

> On 7/20/19 8:25 AM, Nikos Voutsinas wrote:
>> In view of the new OpenLDAP release, I ran some tests using the current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree
>
> Which snapshot? Really the latest 407ce9d prepared for release and with the latest mdb merge?

Yeap, the one tagged for 2.4.48.

>> and based on my findings it seems that this build breaks the back_ldap backend when it is used with a remote ldaps:/// server.
>
> I have a similar config working just fine with git snapshot 407ce9d. But I'm running this on openSUSE Tumbleweed with OpenLDAP linked against OpenSSL.

Interesting ....

>> The testing environment was Debian (Stable/Buster) and OpenLDAP was compiled with Debian's GnuTLS libs.
>
> Could you try to link with OpenSSL and test that to preclude that it's an issue with GnuTLS?

Whenever it was a GnuTLS library issue, even the plain ldapsearch -H ldaps:// had problems. Now this is not the case; the command line utils from the same build against the same remote ldaps:/// server work.

>> TLS: peer cert untrusted or revoked (0x42) TLS: can't connect: (unknown error code).
>
> Could you try with gnutls-cli to check whether TLS just works?

gnutls-cli completes the handshake without problem. It sees one perfect chain and can successfully verify the remote server's certs (otherwise the OpenLDAP client utils wouldn't have worked either).

> Ciao, Michael.