So, following Howard's suggestion I did some testing with strace.
When back-ldap goes to make the proxy call I see an fopen for this file /appl/openldap/etc/openldap/tls/cacerts.cer which is the file I have explicitly configured. I then see an fopen for this file /appl/openldap/etc/openldap/tls/3a89cd48.0. I have no idea where this file name came from. If I copy the CA cert into this 3a89cd48.0 file or I symlink this file to my cacerts file the TLS handshake succeeds and the update is properly forwarded to the master. No matter what I specify in my configuration the TLS handshake only succeeds if the ca cert resides in the 3a89cd48.0 file.
JON C KIDDER | MIDDLEWARE ADMINISTRATOR LEAD
JCKIDDER@AEP.COM | D: 614.716.4970
1 RIVERSIDE PLAZA, COLUMBUS, OH 43215

-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@symas.com]
Sent: Monday, July 10, 2017 1:24 PM
To: Jon C Kidder
Cc: openldap-technical@OpenLDAP.org
Subject: Re: [EXTERNAL] Re: back-ldap and ldaps not working
--On Saturday, July 08, 2017 4:53 PM +0200 Michael Ströder michael@stroeder.com wrote:
I vaguely remember there were bugs in back-ldap/back-meta ignoring TLS options. The work-around back then was to set env var LDAPTLS_CACERT and friends when starting slapd to let libldap pick up the TLS options from env.
Should be fixed in recent OpenLDAP releases though.
Ha, one of the few times I failed to ask what version of OpenLDAP was being used...
Jon, what OpenLDAP release are you running?
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.symas.com&d=DwIF... >
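The 3a89cd48.0 name Jon saw is OpenSSL's hashed CA-directory lookup: when a CA path is in use (TLS_CACERTDIR in ldap.conf, TLSCACertificatePath in slapd, or tls_cacertdir on back-ldap), OpenSSL looks for a file named <subject-name-hash>.<n> in that directory rather than opening cacerts.cer by name. The script below is an added example, not code from the thread or from OpenLDAP; it assumes the openssl CLI is on PATH and uses a constructed throwaway CA, and demonstrates why a copy of the CA file in the directory is not found until the hashed link exists.

```shell
#!/bin/sh
# Added example (not from the thread or OpenLDAP): recreate OpenSSL's hashed
# CA-directory lookup that produces file names like 3a89cd48.0.
# Assumes the openssl CLI is on PATH; the CA and all paths are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/cahash-demo.$$"
mkdir -p "$WORK/certs"
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway self-signed CA standing in for the thread's cacerts.cer.
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Org/CN=Example Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/cacerts.cer" >/dev/null 2>&1
    printf '%s\n' "$WORK/cacerts.cer"
}

# OpenSSL's CApath lookup (X509_LOOKUP_hash_dir) never reads cacerts.cer by
# name: it opens <subject-name-hash>.<n> in the directory, which is the
# 3a89cd48.0-style file slapd was seen fopen()ing in the strace.
subject_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# Minimal c_rehash equivalent: symlink <hash>.<n> -> cert, taking the first
# free suffix so CAs whose subject hashes collide can coexist.
install_ca() {
    cert="$1"; dir="$2"; h=$(subject_hash "$cert"); n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$cert" "$dir/$h.$n"
    printf '%s\n' "$dir/$h.$n"
}

# Succeeds (exit 0) only if OpenSSL can locate the issuer via the hashed dir.
verify_via_capath() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Stand-alone demo: the same CA file is invisible to -CApath until hashed.
demo() {
    ca=$(make_sample_ca)
    mkdir -p "$WORK/plain" && cp "$ca" "$WORK/plain/cacerts.cer"
    verify_via_capath "$ca" "$WORK/plain" && echo "unexpected: found by name" \
        || echo "cacerts.cer by name in CApath: NOT found"
    link=$(install_ca "$ca" "$WORK/certs")
    echo "hashed link: $link"
    verify_via_capath "$ca" "$WORK/certs" && echo "via hashed dir: OK"
}
demo
```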