
Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48



--On Saturday, July 20, 2019 8:43 PM +0100 Howard Chu <hyc@symas.com> wrote:

As documented in slapd-ldap(5)

             The TLS settings default to the same as the main
             slapd TLS settings, except for tls_reqcert which defaults
             to "demand".

If that no longer works, then we have yet another regression.

I guess the underlying question is, if they aren't in slapd.conf, where do slapd clients (syncrepl, back-ldap, etc) get them from? For example, syncrepl is clearly designed to get at least one setting from ldap.conf:


             The network-timeout parameter sets how long the consumer will wait to establish a network connection to the provider. Once a connection is established, the timeout parameter determines how long the consumer will wait for the initial Bind request to complete. The defaults for these parameters come from ldap.conf(5).

So is it supposed to be that the configuration levels are:

slapd client (syncrepl, back-ldap specific parameters)
override
slapd configuration (slapd.conf(5), slapd-config(5) parameters)

Or is it supposed to be:

slapd client (syncrepl, back-ldap specific parameters)
override
slapd configuration (slapd.conf(5), slapd-config(5) parameters)
override
ldap.conf(5)

If it's the former, then syncrepl should not pull anything from ldap.conf. If it's the latter, then we have a clear regression.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>