Greg Martin wrote:
> I'm running a non-production 2.3.27 slapd server on my home network.
> I had to transfer it to another machine so I copied the conf file &
> database files to the new machine. Before starting the service I
> edited the slapd.conf to comment out the TLS entries since I hadn't
> installed openssl & the cert yet.
> <snip>
> On a lark, I took a look at ldap.conf which I had copied from my old
> server as well. It still had
> TLS_CACERT /etc/ssl/myca/cacert.pem
> TLS_REQCERT allow
Actually, there's been a little bit of confusion about this.
ldap.conf(5) is indeed the client configuration file, which is read by
default by the libldap client library. However, slapd contains a
little bit of client functionality, for example what's used by the
syncrepl consumer to contact the provider, or the proxy backends
back-ldap & back-meta (there might be more I'm not considering right
now). The first time any libldap-related function call is invoked,
the library itself is initialized, and ldap.conf(5) is parsed. This
is typically harmless, as none of the defaults in ldap.conf(5) is
used, __except__ TLS. If this is not required, you can disable it by
setting LDAPNOINIT in the environment. In HEAD (and 2.4) code,
client-related TLS can also be specified in slapd.conf(5), so parsing of
ldap.conf(5) could be entirely disabled (we'll need to consider that
option, at least). Hope this clarifies.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
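The practical upshot of the reply above is that an ldap.conf copied from the old host can silently hand TLS_* defaults to slapd's own libldap client code (syncrepl, back-ldap, back-meta) before the CA and certificate exist on the new machine. The following pre-flight check is an added example, not code from the thread or from the OpenLDAP project: it lists the active TLS_* directives in an ldap.conf file and, if any are present, recommends starting slapd with LDAPNOINIT set so libldap skips ldap.conf altogether. The sample ldap.conf is constructed to mirror the one quoted in the thread; the /etc/openldap paths and the function names are assumptions for illustration. One caveat: LDAPNOINIT disables all ldap.conf defaults for the process that sees it, not just TLS, so set it only in slapd's own environment (for example in its init script), not system-wide where ldapsearch and friends would lose their defaults too.

```shell
#!/bin/sh
# Added example (not from the original thread or the OpenLDAP project):
# pre-flight check for an ldap.conf carried over from another host.
# slapd's embedded libldap client (syncrepl, back-ldap, back-meta) picks up
# ldap.conf(5) defaults when the library initializes, and the TLS_*
# directives are the ones that actually take effect inside slapd.

# Print the active (non-comment) TLS_* directives in an ldap.conf file.
# Returns 0 if any were found, 1 if none, 2 if the file is unreadable.
# Keywords are matched case-insensitively, as libldap does.
ldap_conf_tls_directives() {
    _conf="$1"
    [ -r "$_conf" ] || { echo "cannot read $_conf" >&2; return 2; }
    awk '
        /^[ \t]*#/ { next }                  # comment line
        /^[ \t]*$/ { next }                  # blank line
        toupper($1) ~ /^TLS_/ { print; found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$_conf"
}

# Decide what to put in slapd's environment: when TLS_* directives are
# present and the new host is not ready for TLS, LDAPNOINIT makes libldap
# skip ldap.conf entirely. Prints "LDAPNOINIT=1" or an empty string.
slapd_env_for() {
    if ldap_conf_tls_directives "$1" >/dev/null 2>&1; then
        echo "LDAPNOINIT=1"
    else
        echo ""
    fi
}

# Constructed sample ldap.conf mirroring the directives quoted in the thread.
# The commented-out line must be ignored by the check.
sample_ldap_conf() {
    cat <<'EOF'
BASE dc=example,dc=com
URI ldap://ldap.example.com
# TLS_CACERT /etc/ssl/old/cacert.pem
TLS_CACERT /etc/ssl/myca/cacert.pem
TLS_REQCERT allow
EOF
}

# Usage (paths are assumptions): sh ldapconf_check.sh /etc/openldap/ldap.conf
if [ -n "${1:-}" ]; then
    if ldap_conf_tls_directives "$1"; then
        echo "TLS client defaults found; start slapd as:"
        echo "  env $(slapd_env_for "$1") slapd -f /etc/openldap/slapd.conf"
    else
        echo "no TLS_* directives in $1"
    fi
fi
```

Once the CA and certificate are installed on the new host, drop LDAPNOINIT again (or, on 2.4, set the client-side TLS options in slapd.conf(5) as the reply describes) so syncrepl and the proxy backends verify the provider's certificate properly.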