[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Regression after ITS#8427 fix with back-ldap

To: openldap-its@OpenLDAP.org
Subject: Re: Regression after ITS#8427 fix with back-ldap
From: ondra@mistotebe.net
Date: Tue, 09 Jul 2019 12:14:09 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

On Thu, Jun 27, 2019 at 08:08:19PM +0000, a.chelouah@gmail.com wrote:
> Hello,
> 
> Commit 6f623dfa1ca65698c19ccc6c058cd170e633384e fixing ITS#8427 (Set up 
> TLS settings on each reconnection) introduce a regression when the proxy 
> connect to the**Backend ldap server via ldaps://
> 
> The relevent part of my config is:
> 
> dn: olcDatabase={2}ldap,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcLDAPConfig
> olcDatabase: {2}ldap
> olcSuffix: dc=local
> olcDbURI: ldaps://ldap.local
> olcDbChaseReferrals: TRUE
> olcDbRebindAsUser: TRUE
> olcDbIDAssertBind: bindmethod=none tls_cacert=/etc/pki/tls/certs/ca.crt
> olcDbIDAssertAuthzFrom: "*"
> 
> (I also tried by setting LDAPTLS_CACERT env var when starting slapd)
> 
> On backend ldap server logs, I get the message "TLS negociation failure"

I've set up a test script here
https://github.com/mistotebe/openldap/tree/its8427-regression

This runs without issues but if you replace olcDbStartTLS with an
analogous olcDbIDAssertBind in the configs, it seems the CA certificate
is not set for the connection.

I guess we've introduced a behaviour change with ITS#8427, not sure what
the documentation implies should happen in these cases, whether the new
behaviour is inconsistent with it or you've been relying on incorrect
behaviour that has since been corrected.

Regards,

-- 
OndÅ?ej KuznÃk
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP

Prev by Date: Re: (ITS#9051) slapo-accesslog fails to log compare, search
Next by Date: Re: Regression after ITS#8427 fix with back-ldap
Index(es):
- Chronological
- Thread