Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
Ryan Tandy wrote:
> On Sat, Jul 20, 2019 at 09:40:53AM -0700, Quanah Gibson-Mount wrote:
>> --On Saturday, July 20, 2019 3:55 PM +0300 Nikos Voutsinas <nvoutsin@gmail.com> wrote:
>>
>>> I am using the ldap.conf TLS params to provide the path to CAs. That's
>>> the default way for Debian. It works with 2.4.47, it also works for the
>>> 2.4.48 openldap client utils, as I mentioned earlier.
>>
>> ldap.conf is only for client utilities.  This is clearly described in the ldap.conf(5) man page.  This sounds more to me like we've closed a bug with the
>> GnuTLS implementation.
> 
> This does appear to be what's happened. I confirm that in 2.4.47, back_ldap does pick up the TLS_CACERT setting from ldap.conf, while in 2.4.48 it does not.
> 
> For the record, this is not specific to GnuTLS. I observe the same difference with OpenSSL.
> 
> 6f623df (ITS#8427) is the commit that changed it, as expected. As I understand it, the new behaviour is what's intended, although configs might need updates per
> Ondrej's last message on the ITS (duplicating the TLS settings for different connection types).
> 
> Even if it's considered a bugfix, it might be worth calling out in the release notes? Just for the sake of reducing support noise if people are unintentionally
> depending on the old behaviour...
> 
> Is there a global place in slapd where one can configure things like CA cert and have it defaulted into all TLS clients? I'm not aware of one, yet it seems like
> an obvious thing to provide...

As documented in slapd-ldap(5)

>              The  TLS  settings  default  to  the  same as the main slapd TLS
>              settings, except for tls_reqcert which defaults to "demand".

If that no longer works, then we have yet another regression.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
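
For readers who are sorting out what to change after the ITS#8427 behaviour noted above, here is an added slapd.conf illustration (not from the thread, and not OpenLDAP project code) of the two places slapd itself takes its outbound TLS client settings from now that TLS_CACERT in ldap.conf only reaches the client utilities: the global TLS* directives that slapd-ldap(5) says back_ldap defaults to, and the explicit per-connection-type tls_* options that duplicate them as Ondrej's ITS comment suggests. Every path, hostname, DN and password below is assumed for the example; the directive names are the documented ones from slapd.conf(5) and slapd-ldap(5).

```conf
# Added illustration, not from the thread. All paths, hosts, DNs and
# credentials are hypothetical placeholders.

# 1. Global slapd TLS settings. Per slapd-ldap(5), back_ldap's outbound
#    TLS connections default to these (tls_reqcert defaults to "demand"),
#    so a CA bundle named here covers the proxy unless a database
#    overrides it. ldap.conf's TLS_CACERT is NOT consulted by slapd here.
TLSCACertificateFile    /etc/ssl/certs/ca-certificates.crt
TLSCertificateFile      /etc/ldap/ssl/slapd-cert.pem
TLSCertificateKeyFile   /etc/ldap/ssl/slapd-key.pem

# 2. Per-connection-type settings, spelled out explicitly so the proxy
#    does not depend on the defaults being inherited.

database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://backend.example.com"
# Require StartTLS on the outbound hop and verify the backend's
# certificate against an explicitly named CA file. With tls_reqcert=demand
# a certificate that cannot be verified fails the connection rather than
# letting the proxied operation proceed over an unverified channel.
tls             start tls_cacert=/etc/ssl/certs/ca-certificates.crt tls_reqcert=demand

database        mdb
suffix          "dc=replica,dc=example,dc=com"
directory       /var/lib/ldap/replica
rootdn          "cn=admin,dc=replica,dc=example,dc=com"
# syncrepl is another outbound TLS client inside slapd; it takes the same
# family of tls_* options and likewise does not read ldap.conf.
syncrepl        rid=001
                provider=ldap://provider.example.com
                type=refreshAndPersist
                retry="60 +"
                searchbase="dc=replica,dc=example,dc=com"
                bindmethod=simple
                binddn="cn=replicator,dc=replica,dc=example,dc=com"
                credentials=secret
                starttls=critical
                tls_cacert=/etc/ssl/certs/ca-certificates.crt
                tls_reqcert=demand
```

The same split exists under cn=config: the global settings are the olcTLS* attributes on the cn=config entry, and the back_ldap database carries its tls_* options in olcDbStartTLS. Before restarting, a dry run with `slaptest -f /etc/ldap/slapd.conf -u` catches syntax errors in the directives without touching the databases. The point of duplicating the CA file per connection type is not redundancy for its own sake: after this change, anyone who had been relying on ldap.conf to supply the CA to slapd would otherwise get a proxy or consumer that cannot verify its peer, and with tls_reqcert=demand that shows up as failed connections rather than as silently unverified ones.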