Unfortunately I cannot modify the company's LDAP server configuration.
The only way is to configure my PGSQL instance, which is a client of the LDAP server.
As the server, at connection time, presents its certificate, I need a way to tell PGSQL to trust it, adding somewhere the root CA certificate that's used to sign the LDAP certificate.
At system level (a Red Hat 7.6 server), the root CA self-signed certificate is already added as a CA to be trusted, but it seems PGSQL ignores that.
What can I do?
Thanks
On Tue, 19 Nov 2019 at 11:34, Thomas Munro <thomas.munro@gmail.com> wrote:
For example, in the automated regression tests we just put the following into a file we point to with $LDAPCONF:
TLS_REQCERT never
Without that, our simple LDAPS test fails with the same error you showed. Of course you probably want to actually verify your real server's certificate, so perhaps you need to put the self-signed cert into TLS_CACERT (so it's trusted as a CA to sign stuff, including itself).
I'm not sure why command line ldapsearch is working for you. I'd try using strace/truss to see what files it's opening to get that stuff, and compare with PostgreSQL (trace the main postmaster process using -f to follow children, and then try to log in).
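The LDAPCONF approach from the quoted reply, as an added worked example (this is not code from the thread or from PostgreSQL). It writes the two variants side by side: the `TLS_REQCERT never` file the regression tests use, which turns verification off, and a hardened file with `TLS_REQCERT demand` plus `TLS_CACERT` pointing at the root CA, then checks each one. The paths, the placeholder CA file, and the `postgresql.service` unit name are assumptions; the strace invocation in the comment is the comparison suggested above.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions (hypothetical):
#  - PostgreSQL runs under systemd as postgresql.service
#  - the corporate root CA PEM lives at /etc/pki/ca-trust/source/anchors/corp-root-ca.pem
set -u

# Write an ldap.conf fragment that libldap reads when $LDAPCONF points at it.
# $1 = output path, $2 = TLS_REQCERT level, $3 = CA file (may be empty)
write_ldap_conf() {
  printf 'TLS_REQCERT %s\n' "$2" > "$1"
  [ -n "$3" ] && printf 'TLS_CACERT %s\n' "$3" >> "$1"
  return 0
}

# Return 0 only if the file really verifies the server certificate:
# TLS_REQCERT must not be never/allow (libldap defaults to demand when unset),
# and TLS_CACERT must name a readable file or TLS_CACERTDIR a directory.
check_ldap_conf() {
  reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' "$1")
  cacert=$(awk 'toupper($1)=="TLS_CACERT"{print $2}' "$1")
  cadir=$(awk 'toupper($1)=="TLS_CACERTDIR"{print $2}' "$1")
  case "${reqcert:-demand}" in
    never|allow)
      echo "WEAK $1: TLS_REQCERT=$reqcert disables certificate verification" >&2
      return 1 ;;
  esac
  if [ -n "$cacert" ] && [ -r "$cacert" ]; then
    echo "OK $1: verifying against CA file $cacert"; return 0
  fi
  if [ -n "$cadir" ] && [ -d "$cadir" ]; then
    echo "OK $1: verifying against CA directory $cadir"; return 0
  fi
  echo "WEAK $1: no readable TLS_CACERT/TLS_CACERTDIR, verification will fail" >&2
  return 1
}

# Render a systemd drop-in that hands the config to the postmaster via LDAPCONF.
# $1 = path of the ldap.conf to use
systemd_dropin() {
  printf '[Service]\nEnvironment=LDAPCONF=%s\n' "$1"
}

demo() {
  tmp=$(mktemp -d)
  # Constructed placeholder standing in for the real root CA PEM.
  printf -- '-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n' \
    > "$tmp/root-ca.pem"
  write_ldap_conf "$tmp/weak.conf" never ""                 # what the regression tests do
  write_ldap_conf "$tmp/good.conf" demand "$tmp/root-ca.pem" # what production wants
  check_ldap_conf "$tmp/weak.conf" || true
  check_ldap_conf "$tmp/good.conf"
  # Install path (assumed): /etc/systemd/system/postgresql.service.d/ldap.conf,
  # then: systemctl daemon-reload && systemctl restart postgresql
  systemd_dropin /etc/postgresql-ldap.conf
  # To compare with ldapsearch, trace which files the postmaster and its
  # children open during a login attempt (first line of postmaster.pid is the PID):
  #   strace -f -e trace=open,openat -p "$(head -n1 "$PGDATA/postmaster.pid")"
  rm -rf "$tmp"
}
demo
```

`check_ldap_conf` treats a missing `TLS_REQCERT` as `demand`, which is libldap's default, so the only way to pass is to actually supply a usable trust anchor; a self-signed root in `TLS_CACERT` is enough because it is trusted as the CA for itself.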