Ok sorry for the mail before I misunderstood your suggestion.
I verified the ldap.conf file and the TLS_CACERT parameter points to a PEM file which already contains the certificate that signs the LDAP server certificate.
Il giorno lun 25 nov 2019 alle ore 16:07 Marco Cuccato <mcuccato.vts@gmail.com> ha scritto:
Hi,
unfortunately I cannot modify the company's LDAP server configuration.
The only way is to configure my PGSQL instance which is a client of LDAP server.
As the server, at the connection time, presents it's certificate, I need a way to tell PGSQL to trust it, adding somewhere the root CA certificate that's used to sign the LDAP certificate.
At system level (a Red Hat 7.6 server), the root CA self-signed certificate is already added as CA to be trusted, but seems PGSQL ignore that.
What can I do?
Thanks
Il giorno mar 19 nov 2019 alle ore 11:34 Thomas Munro <thomas.munro@gmail.com> ha scritto:
For example, in the automated regression tests we just put the following into a file we point to with $LDAPCONF:
TLS_REQCERT never
Without that, our simple LDAPS test fails with the same error you showed. Of course you probably want to actually verify your real server's certificate, so perhaps you need to put the self-signed cert into TLS_CACERT (so it's trusted as a CA to sign stuff, including itself).
I'm not sure why command line ldapsearch is working for you. I'd try using strace/truss to see what files it's opening to get that stuff, and compare with PostgreSQL (trace the main postmaster process using -f to follow children, and then try to log in).