Re: LDAPS trusted ca support

From: Marco Cuccato <mcuccato(dot)vts(at)gmail(dot)com>
To: Thomas Munro <thomas(dot)munro(at)gmail(dot)com>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: LDAPS trusted ca support
Date: 2019-11-25 15:07:48
Message-ID: CACg0f4atg4RWq_-sRoS9+GvotN1Va7DMkyH=pdYAuDRHeHOVqA@mail.gmail.com
Lists: pgsql-bugs

Hi,
unfortunately I cannot modify the company's LDAP server configuration.
The only way is to configure my PGSQL instance which is a client of LDAP
server.
As the server, at connection time, presents its certificate, I need a
way to tell PGSQL to trust it, adding somewhere the root CA certificate
that's used to sign the LDAP certificate.
At system level (a Red Hat 7.6 server), the root CA self-signed certificate
is already added as a CA to be trusted, but it seems PGSQL ignores that.
What can I do?
Thanks

On Tue, 19 Nov 2019 at 11:34 Thomas Munro <
thomas(dot)munro(at)gmail(dot)com> wrote:

> On Sat, Nov 16, 2019 at 10:50 AM Marco Cuccato <mcuccato(dot)vts(at)gmail(dot)com>
> wrote:
> > Hi to all and thanks for the great job you're doing with PGSQL!
> > May you please check this question?
> >
> > https://stackoverflow.com/questions/58747680/postgresql-ldap-authentication-with-ssl-self-signed-certificate
> > I can't figure out :(
>
> Hi,
>
> There are a bunch of files with names like ldap.conf that are searched
> for configuration by libldap.so (depending how it was built).
> https://www.openldap.org/software/man.cgi?query=ldap.conf describes
> the options.
>
> For example, in the automated regression tests we just put the
> following into a file we point to with $LDAPCONF:
>
> TLS_REQCERT never
>
> Without that, our simple LDAPS test fails with the same error you
> showed. Of course you probably want to actually verify your real
> server's certificate, so perhaps you need to put the self-signed cert
> into TLS_CACERT (so it's trusted as a CA to sign stuff, including
> itself).
>
> I'm not sure why command line ldapsearch is working for you. I'd try
> using strace/truss to see what files it's opening to get that stuff,
> and compare with PostgreSQL (trace the main postmaster process using
> -f to follow children, and then try to log in).
>

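The two ldap.conf settings the quoted reply contrasts, written out as an added example (this is not code from the thread or from the PostgreSQL project): the weak fragment the regression tests use, the hardened fragment that pins the root CA, a checker that flags the weak setting, and an openssl probe to confirm the chain verifies with the same CA file before blaming libldap. The CA bundle path and output file names are assumptions; the `ldap.conf` keywords themselves are documented in the man page the reply links to.

```shell
#!/bin/sh
# Added example, not from the pgsql-bugs thread. File paths are assumptions.

# Assumed location of the RHEL system trust bundle; a single PEM file holding
# only the self-signed root CA works just as well for TLS_CACERT.
CA_BUNDLE="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

# Weak: skip certificate verification entirely. Good enough for a test
# harness, not for production: any server that speaks TLS is accepted,
# so a spoofed LDAP server could harvest the bind credentials.
write_weak_ldap_conf() {
    cat > "$1" <<'EOF'
TLS_REQCERT never
EOF
}

# Hardened: name the trust anchor explicitly and insist on a valid chain.
# TLS_CACERT takes a PEM file; the self-signed root can go in directly,
# since it signs itself. "demand" is also the default when TLS_REQCERT
# is absent, but stating it guards against a system-wide ldap.conf that
# weakens it.
write_hardened_ldap_conf() {
    conf="$1"; cacert="$2"
    cat > "$conf" <<EOF
TLS_CACERT $cacert
TLS_REQCERT demand
EOF
}

# Returns 0 only if the file both insists on verification (TLS_REQCERT
# unset/demand/hard) and names a trust source (TLS_CACERT or TLS_CACERTDIR).
# "never", "allow" and "try" all let an unverifiable server through.
ldap_conf_verifies() {
    conf="$1"
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{v=$2} END{print (v=="" ? "demand" : v)}' "$conf")
    case "$(printf '%s' "$reqcert" | tr 'A-Z' 'a-z')" in
        demand|hard) ;;
        *) return 1 ;;
    esac
    awk 'toupper($1)=="TLS_CACERT" || toupper($1)=="TLS_CACERTDIR" {found=1}
         END{exit (found ? 0 : 1)}' "$conf"
}

# Live probe against the real server (not run in the offline test): if
# openssl cannot build the chain from this CA file, TLS_CACERT will not
# help either, and the problem is the CA file, not PostgreSQL.
check_ldaps_chain() {
    host="$1"; cacert="$2"
    openssl s_client -connect "$host:636" -CAfile "$cacert" \
        -verify_return_error </dev/null
}
```

PostgreSQL itself never reads this file; libldap does, so the hardened fragment has to be visible to the postmaster, for example by pointing `LDAPCONF` at it in the service's environment (a systemd drop-in with `Environment=LDAPCONF=/etc/postgresql/ldap.conf`, path assumed) and restarting. That placement is also the usual reason `ldapsearch` succeeds while the server fails: the command-line tool honours the invoking user's `~/.ldaprc` and `LDAPTLS_*` variables, which the postgres service account does not have, and the distribution's `/etc/openldap/ldap.conf` typically sets its own `TLS_CACERTDIR` rather than the OS bundle, so trusting the CA at system level does not reach libldap. An explicit `TLS_CACERT` sidesteps both.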