Re: (ITS#3554) enhancement: slurpd should use slapd's TLS configuration

Pierangelo Masarati wrote:

> Howard,
> I've noted a strange behavior today, while playing with TLS (see my 
> recent commit to back-ldap/bind.c for the asynchronous starttls).  I 
> erroneously removed all the TLS related statements from slapd.conf, 
> but left a valid ldaprc in the directory where I was starting slapd; 
> the ldaprc was pointing to the same CA and server certs and key of the 
> directives that were previously removed from slapd.conf.  Well, the 
> server was accepting operations with either -Z or -ZZ without any 
> problem, much like if the directives were only defined in slapd.conf.  
> I didn't investigate that too much because I was busy with other 
> stuff, but apparently (most of) the TLS-related directives for slapd 
> can be replaced by the corresponding in ldaprc (whenever available; I 
> was not using client cert checking or so).  Is this intended or not?  
> Maybe I should have added this to the ITS; feel free to reply CCing 
> the ITS if you deem it appropriate.

That sounds wrong. Looks like the code in slapd/main.c to set up an 
alternate TLS context (slap_tls_ctx) is broken but I'm not sure and not 
able to look into it at the moment. The original idea was to create a 
tls_def_ctx that slapd's config statements modify, and then swap back to 
the default context that libldap created by itself for anything that's 
using libldap (like back-ldap). slapd will always use slap_tls_ctx for 
its incoming TLS sessions, and that ctx should be invalid if there were 
no TLS directives in the config file.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
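The precondition Pierangelo hit can be checked mechanically: TLS material present only in an ldaprc in slapd's working directory, with no corresponding directive in slapd.conf. The audit below is an added example, not code from this thread or from OpenLDAP; the sample slapd.conf and ldaprc, the paths in them and the function names are constructed for illustration, and the directive-to-option mapping is taken from the documented slapd.conf(5) and ldap.conf(5) names.

```python
"""Flag TLS settings that exist only in an ldaprc and not in slapd.conf."""
import re
from typing import Dict

# slapd.conf directive -> equivalent client-side (ldaprc / ldap.conf) option.
# TLS_CERT and TLS_KEY are user-only options, normally read from ldaprc.
TLS_DIRECTIVE_MAP = {
    "TLSCACertificateFile": "TLS_CACERT",
    "TLSCACertificatePath": "TLS_CACERTDIR",
    "TLSCertificateFile": "TLS_CERT",
    "TLSCertificateKeyFile": "TLS_KEY",
    "TLSCipherSuite": "TLS_CIPHER_SUITE",
}


def parse_directives(text: str) -> Dict[str, str]:
    """Return {KEYWORD: value} for a slapd.conf- or ldaprc-style file.
    Both use 'keyword value' lines, '#' comments, case-insensitive keywords,
    and a line starting with whitespace continues the previous one."""
    joined = re.sub(r"\n[ \t]+", " ", text)
    found: Dict[str, str] = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found[parts[0].upper()] = parts[1].strip()
    return found


def audit_tls_fallback(slapd_conf: str, ldaprc: str) -> Dict[str, str]:
    """Return ldaprc TLS options that have no counterpart in slapd.conf.
    A non-empty result means the server config defines no such TLS material,
    so any TLS slapd offers could only be coming from the client-side ldaprc
    (the situation described in the thread). It does not prove slapd read it."""
    server = parse_directives(slapd_conf)
    client = parse_directives(ldaprc)
    return {c: client[c] for s, c in TLS_DIRECTIVE_MAP.items()
            if s.upper() not in server and c in client}


# Constructed sample files mirroring the report: TLS directives removed from
# slapd.conf, but an ldaprc beside slapd still points at CA, cert and key.
SAMPLE_SLAPD_CONF = """\
include  /etc/openldap/schema/core.schema
# TLSCACertificateFile /etc/openldap/ca.pem   (removed)
database bdb
suffix   "dc=example,dc=com"
"""
SAMPLE_LDAPRC = """\
TLS_CACERT  /etc/openldap/ca.pem
TLS_CERT    /etc/openldap/server.pem
TLS_KEY     /etc/openldap/server.key
"""

if __name__ == "__main__":
    for opt, val in audit_tls_fallback(SAMPLE_SLAPD_CONF, SAMPLE_LDAPRC).items():
        print(f"ldaprc-only TLS setting: {opt} {val}")
```

Run it against the real slapd.conf and the ldaprc in slapd's working directory; any output means the server's TLS behaviour should be confirmed against slapd.conf alone before trusting it.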