My end goal is to use sssd with Google LDAPS, but I can tell whether things will work using ldapsearch. Google LDAPS requires the Server Name Indication (SNI) extension. I have it working on Ubuntu 20.04 with a workaround. As noted by the openldap maintainer, ldapsearch can be made to work with the GnuTLS cipher suite 'NORMAL:!VERS-TLS1.3', forcing TLS1.2, which appears to do SNI.
LDAPTLS_CIPHER_SUITE='NORMAL:!VERS-TLS1.3' ./clients/tools/ldapsearch -H ldaps://ldap.google.com -x
The maintainer does not note a workaround for ldapsearch compiled with openssl, such as on CentOS 8. So as a test I compiled openldap 2.4.53 on CentOS 8 using --with-tls=gnutls to see whether a replacement openldap compiled with GnuTLS on CentOS 8 would accept the cipher suite to block TLS1.3 and provide the necessary SNI. This did not work (though the cipher suite seems to be accepted, given that it does not produce an error): Google LDAPS still does not get its SNI, so it sends back an invalid certificate. And thus I'm stuck.
CentOS 8 (openldap[-clients]-2.4.46-10) and Ubuntu 20.04 (libldap-2.4-2 and ldap-utils 2.4.49+dfsg-2ubuntu1.3)
Anyone know how to get openldap (which is compiled with openssl) on CentOS 8 to send SNI such that it will work with Google LDAPS?
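To confirm whether a client is actually sending SNI (the thing the post says Google LDAPS is not receiving), the direct check is to look at the ClientHello on the wire rather than at the certificate error that comes back. The following Python is an added example, not code from the original post or from OpenLDAP: a small TLS ClientHello parser that reports the server_name extension and the versions offered in supported_versions, run against two constructed ClientHello records (one carrying SNI, one without). The record builder, the sample hostname and the sample cipher suites are assumptions for illustration; on a real system you would feed `inspect_client_hello` the first client-to-server TLS record from a packet capture of the ldapsearch run (for example `tcpdump -w` on port 636).

```python
"""Inspect a TLS ClientHello for the server_name (SNI) extension.

Added example for checking what ldapsearch actually sends; not part of
OpenLDAP or of the original post. The ClientHello builder below exists
only to produce constructed test input.
"""

EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def _version_name(major: int, minor: int) -> str:
    # 0x0303 is TLS1.2, 0x0304 is TLS1.3; anything else is shown as hex.
    if major == 3 and minor >= 1:
        return f"TLS1.{minor - 1}"
    return f"0x{major:02x}{minor:02x}"


def inspect_client_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello.

    Returns {"sni": hostname-or-None, "versions": [offered versions]}.
    Raises ValueError if the bytes are not a ClientHello record.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                   # legacy_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                             # session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2 + cs_len                              # cipher_suites
    cm_len = body[pos]
    pos += 1 + cm_len                              # compression_methods

    result = {"sni": None, "versions": []}
    if pos >= len(body):                           # no extensions block at all
        return result
    ext_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME:
            # ServerNameList: 2-byte list length, then entries of
            # name_type(1) + name_length(2) + name; host_name is type 0.
            lpos = 2
            while lpos + 3 <= len(data):
                ntype = data[lpos]
                nlen = int.from_bytes(data[lpos + 1:lpos + 3], "big")
                name = data[lpos + 3:lpos + 3 + nlen]
                lpos += 3 + nlen
                if ntype == 0:
                    result["sni"] = name.decode("ascii")
        elif etype == EXT_SUPPORTED_VERSIONS:
            # 1-byte list length followed by 2-byte version codes.
            n = data[0]
            for i in range(1, 1 + n, 2):
                result["versions"].append(_version_name(data[i], data[i + 1]))
    return result


def build_client_hello(server_name=None, versions=(0x0304, 0x0303)) -> bytes:
    """Construct a minimal ClientHello record (test input only, assumed layout)."""
    exts = b""
    if server_name:
        name = server_name.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name
        sni_list = len(entry).to_bytes(2, "big") + entry
        exts += EXT_SERVER_NAME.to_bytes(2, "big") + len(sni_list).to_bytes(2, "big") + sni_list
    sv = bytes([2 * len(versions)]) + b"".join(v.to_bytes(2, "big") for v in versions)
    exts += EXT_SUPPORTED_VERSIONS.to_bytes(2, "big") + len(sv).to_bytes(2, "big") + sv

    suites = b"\x13\x01\xc0\x2f"                   # constructed: AES128-GCM suites
    body = b"\x03\x03" + bytes(32) + b"\x00"       # legacy_version, random, empty session_id
    body += len(suites).to_bytes(2, "big") + suites
    body += b"\x01\x00"                            # one compression method: null
    body += len(exts).to_bytes(2, "big") + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


if __name__ == "__main__":
    # Constructed captures: the first mimics a client that sends SNI,
    # the second a client that negotiates without it.
    for label, rec in (("with SNI", build_client_hello("ldap.google.com")),
                       ("without SNI", build_client_hello(None))):
        print(label, inspect_client_hello(rec))
```

If the parser reports `sni: None` for the record ldapsearch sent, the problem is on the client side regardless of which certificate comes back; if it reports the hostname and the server still returns the wrong certificate, the server is the place to look.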