On Sat, Jul 20, 2019 at 11:28 AM Michael Ströder <michael@stroeder.com> wrote:
On 7/20/19 8:25 AM, Nikos Voutsinas wrote:
> In the view of the new openldap release, I ran some tests by using the
> current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree

Which snapshot? Really the latest 407ce9d prepared for release and with
latest mdb merge?

Yeap the one tagged for 2.4.48

> and based on my
> findings It seems that this build breaks the back_ldap backend when it
> is used with a remote ldaps:/// server.

I have a similar config working just fine with git snapshot 407ce9d.
But I'm running this on openSUSE Tumbleweed with OpenLDAP linked against

Interesting .... 

> The testing environment was a Debian (Stable/Buster) and
> Openldap was compiled with the Debian's gnu TLS libs.

Could you try to link with OpenSSL and test that to preclude that it's
an issue with GnuTLS?
Whenever it was a gnutls library issue, even the plain ldapsearch -H ldaps:// had problems. Now this is not the case, cmd line utils from the same build at the same remote ldaps:/// work.

> TLS: peer cert untrusted or revoked (0x42)
> TLS: can't connect: (unknown error code).

Could you try with gnutls-cli to check whether TLS just works?

gnutls-cli completes the handshake with out problem. It sees one perfect chain, and can successfully verify the remote server's cetrs (otherwise openldap client utils wouldn't have worked too).

Ciao, Michael.