On 7/20/19 8:25 AM, Nikos Voutsinas wrote:
> In the view of the new openldap release, I ran some tests by using the
> current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree
Which snapshot? Really the latest 407ce9d prepared for release and with
latest mdb merge?
Yeap the one tagged for 2.4.48
> and based on my
> findings It seems that this build breaks the back_ldap backend when it
> is used with a remote ldaps:/// server.
I have a similar config working just fine with git snapshot 407ce9d.
But I'm running this on openSUSE Tumbleweed with OpenLDAP linked against
OpenSSL.
Interesting ....
> The testing environment was a Debian (Stable/Buster) and
> Openldap was compiled with the Debian's gnu TLS libs.
Could you try to link with OpenSSL and test that to preclude that it's
an issue with GnuTLS?
Whenever it was a gnutls library issue, even the plain ldapsearch -H ldaps:// had problems. Now this is not the case, cmd line utils from the same build at the same remote ldaps:/// work.
> TLS: peer cert untrusted or revoked (0x42)
> TLS: can't connect: (unknown error code).
Could you try with gnutls-cli to check whether TLS just works?
gnutls-cli completes the handshake with out problem. It sees one perfect chain, and can successfully verify the remote server's cetrs (otherwise openldap client utils wouldn't have worked too).
Ciao, Michael.