Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Quanah Gibson-Mount
--On Sunday, July 21, 2019 2:51 AM +0100 Howard Chu wrote: The behavior is supposed to be exactly as specified in the manpages. There is no reason to expect back-ldap and syncrepl to be exactly alike; they perform different functions. You missed the point. It wasn't about syncrepl vs back-l

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Howard Chu
Quanah Gibson-Mount wrote: > --On Saturday, July 20, 2019 8:43 PM +0100 Howard Chu wrote: > >> As documented in slapd-ldap(5) >> >>> The TLS settings default to the same as the main >>> slapd TLS settings, except for tls_reqcert which defaults >>> to "

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Quanah Gibson-Mount
--On Saturday, July 20, 2019 8:43 PM +0100 Howard Chu wrote: As documented in slapd-ldap(5) The TLS settings default to the same as the main slapd TLS settings, except for tls_reqcert which defaults to "demand". If that no longer works, then we h

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Nikos Voutsinas
On Sat, Jul 20, 2019 at 9:31 PM Ryan Tandy wrote: > On Sat, Jul 20, 2019 at 09:40:53AM -0700, Quanah Gibson-Mount wrote: > >--On Saturday, July 20, 2019 3:55 PM +0300 Nikos Voutsinas > > wrote: > > > >>I am using the ldap.conf TLS params to provide the path to CAs. That's > >>the default way for

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Howard Chu
Ryan Tandy wrote: > On Sat, Jul 20, 2019 at 09:40:53AM -0700, Quanah Gibson-Mount wrote: >> --On Saturday, July 20, 2019 3:55 PM +0300 Nikos Voutsinas >> wrote: >> >>> I am using the ldap.conf TLS params to provide the path to CAs. That's >>> the default way for Debian. It works with 2.4.47, it a

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Nikos Voutsinas
On Sat, Jul 20, 2019 at 4:46 PM Michael Ströder wrote: > On 7/20/19 3:41 PM, Michael Ströder wrote: > > On 7/20/19 1:31 PM, Nikos Voutsinas wrote: > >> Ok that can be done, although I am pretty sure that it will work with > >> OpenSSL since you have already tested a similar setup on openSUSE. >

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Ryan Tandy
On Sat, Jul 20, 2019 at 09:40:53AM -0700, Quanah Gibson-Mount wrote: --On Saturday, July 20, 2019 3:55 PM +0300 Nikos Voutsinas wrote: I am using the ldap.conf TLS params to provide the path to CAs. That's the default way for Debian. It works with 2.4.47, it also works for the 2.4.48 openldap

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Quanah Gibson-Mount
--On Saturday, July 20, 2019 3:55 PM +0300 Nikos Voutsinas wrote: I am using the ldap.conf TLS params to provide the path to CAs. That's the default way for Debian. It works with 2.4.47, it also works for the 2.4.48 openldap client utils) as I mentioned earlier. ldap.conf is only for client

Re: Drop support for GNUTLS and libnss in 2.5?

2019-07-20 Thread Quanah Gibson-Mount
--On Saturday, July 20, 2019 1:13 PM +0200 Michael Ströder wrote: The support for libnss was done by RedHat for the unified crypto project which is AFAICS obsolete. Does anybody maintain the stuff? There's already an ITS for removing the MozNSS bits from 2.5 somewhere, IIRC. But yes, that'

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Nikos Voutsinas
On Sat, 20 Jul 2019 at 16:46, Michael Ströder wrote: > On 7/20/19 3:41 PM, Michael Ströder wrote: > > On 7/20/19 1:31 PM, Nikos Voutsinas wrote: > >> Ok that can be done, although I am pretty sure that it will work with > >> OpenSSL since you have already tested a similar setup on openSUSE. > >>

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Nikos Voutsinas
On Sat, 20 Jul 2019 at 14:42, Ondřej Kuzník wrote: > On Sat, Jul 20, 2019 at 09:25:17AM +0300, Nikos Voutsinas wrote: > > Hi all, > > > > In the view of the new openldap release, I ran some tests by using the > > current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree and based on my > > findings It

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Nikos Voutsinas
On Sat, 20 Jul 2019 at 13:00, Michael Ströder wrote: > On 7/20/19 10:51 AM, Nikos Voutsinas wrote: > > On Sat, Jul 20, 2019 at 11:28 AM Michael Ströder > > wrote: > > On 7/20/19 8:25 AM, Nikos Voutsinas wrote: > > > In the view of the new openldap release, I

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Nikos Voutsinas
On Sat, Jul 20, 2019 at 11:28 AM Michael Ströder wrote: > On 7/20/19 8:25 AM, Nikos Voutsinas wrote: > > In the view of the new openldap release, I ran some tests by using the > > current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree > > Which snapshot? Really the latest 407ce9d prepared for relea

Re: Drop support for GNUTLS and libnss in 2.5?

2019-07-20 Thread Ryan Tandy
On Sat, Jul 20, 2019 at 12:13:38PM +0200, Michael Ströder wrote: The support for GNUTLS was requested by Debian folks because of OpenSSL licensing paranoia. Does anybody maintain the stuff? As the Debian maintainer I consider the GnuTLS support primarily my responsibility at this point, so yes

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Michael Ströder
On 7/20/19 3:41 PM, Michael Ströder wrote: > On 7/20/19 1:31 PM, Nikos Voutsinas wrote: >> Ok that can be done, although I am pretty sure that it will work with >> OpenSSL since you have already tested a similar setup on openSUSE. >> >> The idea here is to first confirm with others the problem and

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Michael Ströder
On 7/20/19 1:31 PM, Nikos Voutsinas wrote: > Ok that can be done, although I am pretty sure that it will work with > OpenSSL since you have already tested a similar setup on openSUSE. > > The idea here is to first confirm with others the problem and then early > identify the change set that trigg

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Ondřej Kuzník
On Sat, Jul 20, 2019 at 09:25:17AM +0300, Nikos Voutsinas wrote: > Hi all, > > In the view of the new openldap release, I ran some tests by using the > current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree and based on my > findings It seems that this build breaks the back_ldap backend when it is >

Drop support for GNUTLS and libnss in 2.5?

2019-07-20 Thread Michael Ströder
HI! IMHO OpenLDAP project should drop support for building against GNUTLS and libnss. Support for these seems to be largely non-existent and it's a waste of time, especially since there is no build pipeline and no automatic testing for all the variants. The support for libnss was done by RedHat f

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Michael Ströder
On 7/20/19 10:51 AM, Nikos Voutsinas wrote: > On Sat, Jul 20, 2019 at 11:28 AM Michael Ströder > wrote: > On 7/20/19 8:25 AM, Nikos Voutsinas wrote: > > In the view of the new openldap release, I ran some tests by using the > > current snapshot of the OPENL

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Michael Ströder
On 7/20/19 8:25 AM, Nikos Voutsinas wrote: > In the view of the new openldap release, I ran some tests by using the > current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree Which snapshot? Really the latest 407ce9d prepared for release and with latest mdb merge? > and based on my > findings It seem

back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

2019-07-20 Thread Nikos Voutsinas
Hi all, In the view of the new openldap release, I ran some tests by using the current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree and based on my findings It seems that this build breaks the back_ldap backend when it is used with a remote ldaps:/// server. In particular, the following snippet o