Re: LDAPS trusted ca support
From | Thomas Munro |
---|---|
Subject | Re: LDAPS trusted ca support |
Date | |
Msg-id | CA+hUKGKKMtLBaLziOMFQgKp6ssHG+AF8gaRY3-PEUdzsdayiVQ@mail.gmail.com |
In reply to | LDAPS trusted ca support (Marco Cuccato <mcuccato.vts@gmail.com>) |
Replies | Re: LDAPS trusted ca support |
List | pgsql-bugs |
On Sat, Nov 16, 2019 at 10:50 AM Marco Cuccato <mcuccato.vts@gmail.com> wrote:
> Hi to all and thanks for the great job you're doing with PGSQL!
> May you please check this question?
> https://stackoverflow.com/questions/58747680/postgresql-ldap-authentication-with-ssl-self-signed-certificate
> I can't figure out :(

Hi,

There are a bunch of files with names like ldap.conf that are searched for configuration by libldap.so (depending how it was built). https://www.openldap.org/software/man.cgi?query=ldap.conf describes the options. For example, in the automated regression tests we just put the following into a file we point to with $LDAPCONF:

TLS_REQCERT never

Without that, our simple LDAPS test fails with the same error you showed. Of course you probably want to actually verify your real server's certificate, so perhaps you need to put the self-signed cert into TLS_CACERT (so it's trusted as a CA to sign stuff, including itself).

I'm not sure why command line ldapsearch is working for you. I'd try using strace/truss to see what files it's opening to get that stuff, and compare with PostgreSQL (trace the main postmaster process using -f to follow children, and then try to log in).
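
An added example, not part of the message above and not PostgreSQL or OpenLDAP code: a small audit of text in ldap.conf syntax that flags the test-only TLS_REQCERT setting mentioned in the reply and notes when no CA is configured in that file. The function names, sample contents and the certificate path are constructed for illustration.

```python
# Added example: audit text in ldap.conf syntax for weak TLS verification settings.
# The sample contents below are constructed for illustration.

WEAK_REQCERT = {"never", "allow"}  # certificate not checked, or a bad one is ignored

REGRESSION_STYLE = "# test-only setting\nTLS_REQCERT never\n"
VERIFYING = "TLS_CACERT /path/to/server-cert.pem\nTLS_REQCERT demand\n"  # placeholder path


def parse_ldap_conf(text):
    """Return {OPTION: value}. Keywords are case-insensitive; '#' lines are comments."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        # Assumption of this sketch: a later line overrides an earlier one.
        options[fields[0].upper()] = fields[1].strip() if len(fields) > 1 else ""
    return options


def audit(text):
    """Return a list of findings; an empty list means verification is enforced."""
    options = parse_ldap_conf(text)
    findings = []
    # libldap's documented default when TLS_REQCERT is absent is "demand".
    level = options.get("TLS_REQCERT", "demand").lower()
    if level in WEAK_REQCERT:
        findings.append(f"TLS_REQCERT {level}: server certificate is not enforced")
    elif not (options.get("TLS_CACERT") or options.get("TLS_CACERTDIR")):
        findings.append("no TLS_CACERT or TLS_CACERTDIR here: a self-signed "
                        "server certificate verifies only if another file supplies it")
    return findings


if __name__ == "__main__":
    for name, sample in (("regression-style", REGRESSION_STYLE), ("verifying", VERIFYING)):
        print(name, audit(sample) or "ok")
```

Run it over each file that the strace/truss comparison shows the server process opening, since the file that ldapsearch reads may not be the one PostgreSQL reads.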