Hello,
On 20/06/2024 at 19:26, Howard Chu wrote:
> David Coutadeur wrote:
>> Hi everyone,
>> I have encountered a strange use case today while configuring a 2-server OpenLDAP multi-master cluster.
>> I don't have the full configuration, but here are the main parameters:
>> - openldap-ltb, built with OpenSSL
>> - each server listens only on port 636; TLS is configured with the parameters olcTLSCertificateFile and olcTLSCertificateKeyFile (but no olcTLSCACertificateFile)
>> - each server tries to connect to the other on port 636 via the olcSyncrepl parameter. In olcSyncrepl, I have configured tls_cacert and tls_reqcert=demand
>> - basically, synchronisation is working (tested both ways), and TLS is working too (including for the replication connection)
>> Here is the strange behaviour:
>> - if I remove the tls_cacert from the olcSyncrepl line, or
>
> That would be due to the fix to ITS#8529, commit 4962dd6083ae0fe722eb23a618ad39e47611429b

Many thanks for the pointer! OK, so I understand what's going on now.

>> - if I configure tls_cacert to a file that does not exist
>
> Not sure, but I'll assume OpenSSL just didn't care.

>> after I restart slapd, the synchronization keeps working both ways.
>> However, if I configure tls_cacert to a certificate file that hasn't signed my server certificate, the synchronization fails with the expected error message.
>> Does anyone understand why CA certificate validation is ignored in my case?
>> Does OpenLDAP rely on any external system for finding CA certificates? I have checked the slapd-config documentation, and it does not seem there is.
>> Thanks in advance for your help!
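Since the thread reports that replication kept working when tls_cacert was removed or pointed at a nonexistent file, a defender will want to catch that before slapd is (re)started. The following POSIX shell lint is an added example, not code from the thread or from OpenLDAP; it assumes the olcSyncrepl value is the space-separated keyword=value form documented in slapd-config(5) and checks that tls_reqcert=demand is set and that tls_cacert names a readable PEM file.

```shell
#!/bin/sh
# check_syncrepl_tls "<olcSyncrepl value>"
# Returns 0 when tls_reqcert=demand and tls_cacert points to a readable PEM
# file; otherwise prints the reason and returns 1. Added example, not part of
# OpenLDAP; assumes keyword=value tokens separated by spaces.
check_syncrepl_tls() {
    value="$1"
    # Split the value into tokens and pick the last tls_reqcert / tls_cacert.
    reqcert=$(printf '%s\n' "$value" | tr ' ' '\n' | sed -n 's/^tls_reqcert=//p' | tail -n 1)
    cacert=$(printf '%s\n' "$value" | tr ' ' '\n' | sed -n 's/^tls_cacert=//p' | tail -n 1)
    # Strip optional surrounding double quotes from the path.
    cacert=${cacert#\"}
    cacert=${cacert%\"}
    if [ "$reqcert" != "demand" ]; then
        echo "tls_reqcert is '${reqcert:-unset}', expected demand"
        return 1
    fi
    if [ -z "$cacert" ]; then
        echo "tls_cacert not set: peer chain is not pinned to a CA file"
        return 1
    fi
    if [ ! -r "$cacert" ]; then
        echo "tls_cacert '$cacert' does not exist or is unreadable"
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$cacert"; then
        echo "tls_cacert '$cacert' contains no PEM certificate"
        return 1
    fi
    echo "ok: tls_reqcert=demand, tls_cacert=$cacert"
    return 0
}
```

Run it against each olcSyncrepl value (for example from `slapcat -n 0`) in a pre-start hook so a silently ignored CA file fails the deployment instead of the next TLS handshake.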