Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48



Quanah Gibson-Mount wrote:
> --On Saturday, July 20, 2019 8:43 PM +0100 Howard Chu <hyc@symas.com> wrote:
> 
>> As documented in slapd-ldap(5)
>>
>>>              The  TLS  settings  default  to  the  same as the main
>>>              slapd TLS settings, except for tls_reqcert which defaults
>>>              to "demand".
>>
>> If that no longer works, then we have yet another regression.
> 
> I guess the underlying question is, if they aren't in slapd.conf, where do slapd clients (syncrepl, back-ldap, etc) get them from?  For example, syncrepl is
> clearly designed to get at least one setting from ldap.conf:
> 
> 
>              The  network-timeout  parameter  sets how long the consumer will
>              wait to establish a network connection to the provider.  Once a
>              connection  is established, the timeout parameter determines how
>              long the consumer will wait for  the  initial  Bind  request to
>              complete.   The   defaults   for   these  parameters  come from
>              ldap.conf(5).
> 
> So is it supposed to be that the configuration levels are:
> 
> slapd client (syncrepl, back-ldap specific parameters)
> override
> slapd configuration (slapd.conf(5), slapd-config(5) parameters)
> 
> Or is it supposed to be:
> 
> slapd client (syncrepl, back-ldap specific parameters)
> override
> slapd configuration (slapd.conf(5), slapd-config(5) parameters)
> override
> ldap.conf(5)
> 
> If it's the former, then syncrepl should not pull anything from ldap.conf. If it's the latter, then we have a clear regression.

The behavior is supposed to be exactly as specified in the manpages.

There is no reason to expect back-ldap and syncrepl to be exactly alike; they perform different functions.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/