[Date Prev][Date Next]
Re: (ITS#3554) enhancement: slurpd should use slapd's TLS configuration
Pierangelo Masarati wrote:
> I've noted a strange behavior today, while playing with TLS (see my
> recent commit to back-ldap/bind.c for the asynchronous starttls). I
> erroneously removed all the TLS related statements from slapd.conf,
> but left a valid ldaprc in the directory where I was starting slapd;
> the ldaprc was pointing to the same CA and server certs and key of the
> directives that were previously removed from slapd.conf. Well, the
> server was accepting operations with either -Z or -ZZ without any
> problem, much like if the directives were only defined in slapd.conf.
> I didn't investigate that too much because I was busy with other
> stuff, but apparently (most of) the TLS-related directives for slapd
> can be replaced by the corresponding in ldaprc (whenever available; I
> was not using client cert checking or so). Is this intended or not?
> Maybe I should have added this to the ITS; feel free to reply CCing
> the ITS if you deem it appropriate.
That sounds wrong. Looks like the code in slapd/main.c to set up an
alternate TLS context (slap_tls_ctx) is broken but I'm not sure and not
able to look into it at the moment. The original idea was to create a
tls_def_ctx that slapd's config statements modify, and then swap back to
the default context that libldap created by itself for anything that's
using libldap (like back-ldap). slapd will always use slap_tls_ctx for
its incoming TLS sessions, and that ctx should be invalid if there were
no TLS directives in the config file.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support