[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Regression after ITS#8427 fix with back-ldap
- To: openldap-its@OpenLDAP.org
- Subject: Re: Regression after ITS#8427 fix with back-ldap
- From: hyc@symas.com
- Date: Wed, 10 Jul 2019 16:48:55 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
ondra@mistotebe.net wrote:
> On Thu, Jun 27, 2019 at 08:08:19PM +0000, a.chelouah@gmail.com wrote:
>> Hello,
>>
>> Commit 6f623dfa1ca65698c19ccc6c058cd170e633384e fixing ITS#8427 (Set up
>> TLS settings on each reconnection) introduce a regression when the proxy
>> connect to the**Backend ldap server via ldaps://
>>
>> The relevent part of my config is:
>>
>> dn: olcDatabase={2}ldap,cn=config
>> objectClass: olcDatabaseConfig
>> objectClass: olcLDAPConfig
>> olcDatabase: {2}ldap
>> olcSuffix: dc=local
>> olcDbURI: ldaps://ldap.local
>> olcDbChaseReferrals: TRUE
>> olcDbRebindAsUser: TRUE
>> olcDbIDAssertBind: bindmethod=none tls_cacert=/etc/pki/tls/certs/ca.crt
>> olcDbIDAssertAuthzFrom: "*"
>>
>> (I also tried by setting LDAPTLS_CACERT env var when starting slapd)
>>
>> On backend ldap server logs, I get the message "TLS negociation failure"
>
> I've set up a test script here
> https://github.com/mistotebe/openldap/tree/its8427-regression
>
> This runs without issues but if you replace olcDbStartTLS with an
> analogous olcDbIDAssertBind in the configs, it seems the CA certificate
> is not set for the connection.
Then this is a new bug. Clearly the idassert-bind option takes tls_cacert
as a parameter, so if it is provided it is expected to be used.
>
> I guess we've introduced a behaviour change with ITS#8427, not sure what
> the documentation implies should happen in these cases, whether the new
> behaviour is inconsistent with it or you've been relying on incorrect
> behaviour that has since been corrected.
>
> Regards,
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/