Re: Special identities and connections in proxy backends

[Aaron Richton <richton@nbcs.rutgers.edu>]

> Also on the topic of separate TLS contexts - currently the main slapd TLS 
> context is only used for incoming connections. The syncrepl consumer and any 
> other outbound connections use the TLS info in ldap.conf by default, not 
> slapd.conf. Some folks have suggested that it makes more sense for the 
> default to come from the main slapd settings instead. Any thoughts on that?

> From a libldap perspective, I'd say respect system-wide ldap.conf and 
treat the syncrepl consumer as an application-level override thereof. I 
don't think anybody on openldap-devel would have trouble with this.

However, I could see this getting messy to explain to newcomers on 
openldap-software and other end users of slapd(8), especially in the face 
of ugprades from "server-only" installations that never previously gave 
thought to ldap.conf. I think it might be happy medium to:

1. have overrides available in slapd.conf
2. one of the settings for the slapd.conf directives should be "use 
ldap.conf" which should be the default, however,
3. in the absence of (1) or (2), print something along the lines of 
"warning, no TLS configuration specified, using /foo/bar/ldap.conf" (if 
it's even possible to query that path from libldap?)


That way, there's still the complete flexibility, and unknowing users get 
a hint as to where that previously-unused configuration file might be 
biting them.