
updateref and TLS: Is it possible?

Question: Is the use of TLS possible when specifying an updateref?

Problem: Updaterefs do not work if security tls=128 is defined in
slapd.conf, even though ldapsearches using TLS work (e.g. ldapsearch -LLL -x
-ZZ -h ldap2.lab.sboss.org "(cn=johndoe)" uid).

Setup:
ldap.lab.sboss.org - load balancer
ldap1.lab.sboss.org - LDAP master
ldap2.lab.sboss.org - LDAP slave

For testing purposes, I am pointing ldap.conf's to ldap2 though in time
they'll point to ldap.

Master server:
replica         host=ldap2.lab.sboss.org:389
        tls=yes
        suffix="dc=sboss,dc=org"
        binddn="cn=admin,dc=sboss,dc=org"
        credentials=somepassword
        bindmethod=simple
replogfile      /var/lib/ldap/master-slapd.replog

Slave server:
updatedn        "cn=admin,dc=sboss,dc=org"
updateref       ldap://ldap1.lab.sboss.org

Replicating from master to slave works fine as, using ethereal, I can see
that the packets are encrypted.  The updateref is a different matter.

The ldap.conf on the test client box looks something like this (pointed to
the slave for testing purposes only):

host ldap2.lab.sboss.org
base dc=sboss,dc=org
pam_filter objectclass=account
pam_groupdn cn=PAM,ou=Group,dc=sboss,dc=org
ssl start_tls
tls_ciphers HIGH
pam_password md5

If I include something like "security tls=128" in the slapd.conf on either
box, attempts to change one's password fail with this on the master:

slapd[13600]: conn=4 op=0 RESULT tag=97 err=13 text=TLS confidentiality
required

Shouldn't the client automatically negotiate a TLS connection with the
server once it gets the updateref on the basis of the 'ssl start_tls'
section in its ldap.conf?

-- 
Brian
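The log line quoted in the post is worth reading precisely: in slapd's RESULT lines, tag=97 (0x61) is the BER tag of an LDAP BindResponse and err=13 is the LDAP result code confidentialityRequired, so the master is reporting that a bind arrived on a connection that had not negotiated TLS, which is exactly what the "security tls=128" directive forbids. The following script is an added example, not code from the post or from OpenLDAP: it decodes such RESULT lines and audits a log for two conditions a defender cares about, binds refused for lacking TLS and binds that succeeded on a connection where no TLS was ever established. The sample log lines are constructed; the first is the poster's, and the "TLS established" line is modelled on slapd's connection logging.

```python
"""Audit slapd RESULT lines for binds refused or performed without TLS.

Added example (not from the mailing-list post or from OpenLDAP).
"""
import re
from typing import Dict, List, Optional

# LDAPMessage protocolOp tags (RFC 4511): [APPLICATION n] is encoded as 0x60 + n.
# tag=97 (0x61) is BindResponse, the value in the poster's log line.
RESPONSE_TAGS: Dict[int, str] = {
    97: "BindResponse",        # 0x61, APPLICATION 1
    101: "SearchResultDone",   # 0x65, APPLICATION 5
    103: "ModifyResponse",     # 0x67, APPLICATION 7
    105: "AddResponse",        # 0x69, APPLICATION 9
    107: "DelResponse",        # 0x6b, APPLICATION 11
    109: "ModifyDNResponse",   # 0x6d, APPLICATION 13
    111: "CompareResponse",    # 0x6f, APPLICATION 15
    120: "ExtendedResponse",   # 0x78, APPLICATION 24
}

# LDAP result codes (RFC 4511) relevant to transport and authentication security.
RESULT_CODES: Dict[int, str] = {
    0: "success",
    8: "strongerAuthRequired",
    10: "referral",
    13: "confidentialityRequired",   # the err=13 in the post
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

RESULT_RE = re.compile(
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=(?P<tag>\d+) err=(?P<err>\d+) text=(?P<text>.*)"
)
# Format modelled on slapd's "conn=N fd=M TLS established tls_ssf=X ssf=Y" line (assumption).
TLS_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ TLS established")


def decode_result(line: str) -> Optional[Dict[str, object]]:
    """Parse one slapd RESULT line into its connection, operation, tag and result code."""
    m = RESULT_RE.search(line)
    if m is None:
        return None
    tag, err = int(m["tag"]), int(m["err"])
    return {
        "conn": int(m["conn"]),
        "op": int(m["op"]),
        "tag": tag,
        "op_name": RESPONSE_TAGS.get(tag, f"tag {tag}"),
        "err": err,
        "err_name": RESULT_CODES.get(err, f"code {err}"),
        "text": m["text"].strip(),
    }


def audit(lines: List[str]) -> List[str]:
    """Return one finding per bind that was refused for lacking TLS or that succeeded in the clear."""
    tls_conns = set()   # connections on which slapd logged a completed TLS handshake
    findings: List[str] = []
    for line in lines:
        tls = TLS_RE.search(line)
        if tls:
            tls_conns.add(int(tls["conn"]))
            continue
        r = decode_result(line)
        if r is None:
            continue
        if r["err"] == 13:
            findings.append(
                f"conn={r['conn']}: {r['op_name']} refused ({r['err_name']}): "
                f"client attempted the operation before negotiating TLS"
            )
        elif r["tag"] == 97 and r["err"] == 0 and r["conn"] not in tls_conns:
            findings.append(
                f"conn={r['conn']}: BindResponse success on a connection with no TLS "
                f"established: credentials crossed the network in the clear"
            )
    return findings


# Constructed sample log. Line 1 is the poster's; the rest are made up for illustration.
SAMPLE_LOG = [
    "slapd[13600]: conn=4 op=0 RESULT tag=97 err=13 text=TLS confidentiality required",
    "slapd[13600]: conn=5 fd=12 TLS established tls_ssf=128 ssf=128",
    "slapd[13600]: conn=5 op=1 RESULT tag=97 err=0 text=",
    "slapd[13600]: conn=6 op=0 RESULT tag=97 err=0 text=",
    "slapd[13600]: conn=6 op=1 RESULT tag=103 err=0 text=",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run against a real slapd log at loglevel 256 (stats), the audit surfaces every connection that either tripped the "security tls" check or bound successfully without ever starting TLS; the second class is what a referral-chasing client produces when the server it is redirected to does not enforce the directive.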