Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
Quanah Gibson-Mount wrote:
> --On Saturday, July 20, 2019 8:43 PM +0100 Howard Chu <hyc@symas.com> wrote:
>
>> As documented in slapd-ldap(5)
>>
>>> The TLS settings default to the same as the main
>>> slapd TLS settings, except for tls_reqcert which defaults
>>> to "demand".
>>
>> If that no longer works, then we have yet another regression.
>
> I guess the underlying question is, if they aren't in slapd.conf, where do slapd clients (syncrepl, back-ldap, etc) get them from? For example, syncrepl is
> clearly designed to get at least one setting from ldap.conf:
>
>
> The network-timeout parameter sets how long the consumer will
> wait to establish a network connection to the provider. Once a
> connection is established, the timeout parameter determines how
> long the consumer will wait for the initial Bind request to
> complete. The defaults for these parameters come from
> ldap.conf(5).
>
> So is it supposed to be that the configuration levels are:
>
> slapd client (syncrepl, back-ldap specific parameters)
> override
> slapd configuration (slapd.conf(5), slapd-config(5) parameters)
>
> Or is it supposed to be:
>
> slapd client (syncrepl, back-ldap specific parameters)
> override
> slapd configuration (slapd.conf(5), slapd-config(5) parameters)
> override
> ldap.conf(5)
>
> If it's the former, then syncrepl should not pull anything from ldap.conf. If it's the latter, then we have a clear regression.

The behavior is supposed to be exactly as specified in the manpages.
There is no reason to expect back-ldap and syncrepl to be exactly alike; they perform different functions.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/