On 25 Nov 2020, at 20:13, Viktor Ashirov <vashirov(a)redhat.com>
wrote:
On Wed, Nov 25, 2020 at 1:16 AM William Brown <wbrown(a)suse.de> wrote:
> On 25 Nov 2020, at 01:08, Ivanov Andrey (M.) <andrey.ivanov(a)polytechnique.fr>
wrote:
>
>
> But all in all i think i start to see where the problem comes from. dsconf version
1.4.2 uses /etc/openldap/ldap.conf (which in turn uses system pem bundle if no TLS_CACERT
is specified) for certs/CA. Starting from 1.4.3 dsconf ignores completely
/etc/openldap/ldap.conf file and pays attention only to its own .dsrc file. It explains
everything that i see. It's a bit pity that there is no global section in .dsrc like
in /etc/openldap/ldap.conf - one needs to create a section per ldap server, often with the
same parameters.
Well, it should be respecting the value from /etc/openldap/ldap.conf I think so this
seems like a fault ... Can you open an issue for this on github?
Looking at the changes between 1.4.2 and 1.4.3 python3-lib389 rpms, this seems to be the
change that introduced the issue:
https://github.com/389ds/389-ds-base/commit/938fb3478ba5c0f985f79d84876d6...
It sets explicitly ldap.OPT_X_TLS_REQUIRE_CERT to ldap.OPT_X_TLS_HARD:
https://github.com/389ds/389-ds-base/blob/e6e710b146b1d75d4f7c7b852a2bea3...
https://github.com/389ds/389-ds-base
Thanks
>
> Thanks again for help, it's clear for me now!
>
> Have a nice day! :)
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
--
Viktor
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia