On Sat, Jul 20, 2019 at 9:31 PM Ryan Tandy <ryan@nardis.ca> wrote:
> On Sat, Jul 20, 2019 at 09:40:53AM -0700, Quanah Gibson-Mount wrote:
> >--On Saturday, July 20, 2019 3:55 PM +0300 Nikos Voutsinas
> ><nvoutsin@gmail.com> wrote:
> >>I am using the ldap.conf TLS params to provide the path to CAs. That's
> >>the default way for Debian. It works with 2.4.47, it also works for the
> >>2.4.48 openldap client utils as I mentioned earlier.
> >ldap.conf is only for client utilities.  This is clearly described in
> >the ldap.conf(5) man page.  This sounds more to me like we've closed a
> >bug with the GnuTLS implementation.
>
> This does appear to be what's happened. I confirm that in 2.4.47,
> back_ldap does pick up the TLS_CACERT setting from ldap.conf, while in
> 2.4.48 it does not.
>
> For the record, this is not specific to GnuTLS. I observe the same
> difference with OpenSSL.

Weird... My build of OPENLDAP_REL_ENG_2_4_48 on Debian/Buster against openssl was working, without using the olcTLSCACertificateFile.

> 6f623df (ITS#8427) is the commit that changed it, as expected. As I
> understand it, the new behaviour is what's intended, although configs
> might need updates per Ondrej's last message on the ITS (duplicating the
> TLS settings for different connection types).
>
> Even if it's considered a bugfix, it might be worth calling out in the
> release notes? Just for the sake of reducing support noise if people are
> unintentionally depending on the old behaviour...
>
> Is there a global place in slapd where one can configure things like CA
> cert and have it defaulted into all TLS clients? I'm not aware of one,
> yet it seems like an obvious thing to provide...
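As an added illustration of the "duplicating the TLS settings for different connection types" point (this is example configuration written for this page, not from any message in the thread or from the OpenLDAP project): a slapd.conf fragment that names the CA bundle once for slapd's own listener and again for each outgoing connection slapd makes, since in 2.4.48 those outgoing connections no longer inherit TLS_CACERT from ldap.conf. The directives are the ones documented in slapd.conf(5), slapd-ldap(5) and the syncrepl section of slapd.conf(5); all paths, URIs, DNs and the credential are placeholders.

```conf
# Added example, not from the thread. Paths, URIs, DNs and credentials are placeholders.

# 1. Server side: what slapd presents to, and trusts from, incoming clients.
#    This is the only place ldap.conf never covered, even in 2.4.47.
TLSCACertificateFile  /etc/ssl/certs/ca-certificates.crt
TLSCertificateFile    /etc/ldap/ssl/slapd.crt
TLSCertificateKeyFile /etc/ldap/ssl/slapd.key

# 2. Outgoing connection from a back_ldap database (slapd-ldap(5) "tls" directive).
#    In 2.4.47 this silently fell back to TLS_CACERT in ldap.conf; in 2.4.48
#    the CA must be named here or the server certificate cannot be verified.
database ldap
suffix   "dc=example,dc=com"
uri      "ldaps://remote.example.com/"
tls      ldaps tls_cacert=/etc/ssl/certs/ca-certificates.crt tls_reqcert=demand

# 3. Outgoing connection from a syncrepl consumer: same rule, so the same
#    CA file is repeated in the syncrepl directive (continuation lines are
#    indented, as slapd.conf(5) allows).
database  mdb
suffix    "dc=replica,dc=example,dc=com"
directory /var/lib/ldap
syncrepl  rid=001
          provider=ldaps://provider.example.com/
          type=refreshAndPersist
          searchbase="dc=replica,dc=example,dc=com"
          bindmethod=simple
          binddn="cn=replicator,dc=example,dc=com"
          credentials=placeholder-secret
          tls_cacert=/etc/ssl/certs/ca-certificates.crt
          tls_reqcert=demand
```

Two practical notes. First, a successful ldapsearch against the remote server proves nothing about slapd's own outgoing connections, because the client utilities still read ldap.conf (as Quanah points out above); the check that matters is whether the back_ldap or syncrepl connection itself succeeds after the upgrade. Second, the cn=config equivalents are olcTLSCACertificateFile for the listener (mentioned earlier in the thread), olcDbStartTLS for the back_ldap database's tls settings, and olcSyncrepl for the consumer, so the same duplication is needed there.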