On Sat, Jul 20, 2019 at 09:25:17AM +0300, Nikos Voutsinas wrote:
> Hi all,
>
> In the view of the new openldap release, I ran some tests by using the
> current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree and based on my
> findings It seems that this build breaks the back_ldap backend when it is
> used with a remote ldaps:/// server.
>
> In particular, the following snippet of proxy bind configuration, which
> works on the same system, with the same remote ldaps:/// server /
> certificate and the 2.4.47 release, fails with the engineering release of
> 2.4.48. The testing environment was a Debian (Stable/Buster) and Openldap
> was compiled with the Debian's gnu TLS libs. Based on my previous
> experience I would have bet that this is a GNU TLS issue, however this
> seems to be a different case considering that the error happens only with
> the switch from the 2.4.47 to 2.4.48. Could this be another side effect of
> the related to ITS#8427 fixes?
>
> dn: olcDatabase={3}ldap,cn=config
> changetype: add
> objectClass: olcDatabaseConfig
> objectClass: olcLDAPConfig
> olcDatabase: {3}ldap
> olcAccess: to * by * manage
> olcSuffix: cn=authn
> olcRootDN: cn=admin,cn=authn
> olcRootPW: {SSHA}<REMOVED>
> olcDbURI: ldaps://remote-authn.acme.foo:636
>
> The debug output shows the following:
>
> TLS: peer cert untrusted or revoked (0x42)
> TLS: can't connect: (unknown error code).

Hi Nikos,
where/how do you set the CA certificates that slapd should trust?