[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48

To: Quanah Gibson-Mount <quanah@symas.com>, openldap-devel@openldap.org
Subject: Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
From: Howard Chu <hyc@symas.com>
Date: Sun, 21 Jul 2019 21:54:49 +0100
In-reply-to: <B0148B683FD220EE3A8CCA4C@[192.168.1.39]>
References: <CAJoHRijg72LHC5EQT0p=ppyykvd69ik-8Ons0fdd3e7fRp1R5Q@mail.gmail.com> <20190720114150.6lcvw2vqkt7wqkty@mistotebe.net> <CAJoHRiicDsYCh55WtS16VN0h0iPz7rh_oSfutih9caEja1+3Vg@mail.gmail.com> <7D4E63B6BD40CD3B388DAC82@[192.168.1.39]> <20190720183144.GB6508@kiwi.nardis.ca> <800783fa-0f03-66eb-0136-ebb7e871e09d@symas.com> <C001FB8C78DB1EF7FD9B5E1D@[192.168.1.39]> <dfbf878e-9220-d9ff-11c8-f45d27607fde@symas.com> <0C3796D3A54046CB8CFFC6A5@[192.168.1.39]> <f4b1b61a-ac76-ac8b-b6b1-bf82366456ee@symas.com> <8C2495FF8CAD7D17C02188C9@[192.168.1.39]> <8b1f77f1-2416-ad8e-a468-a4f92a10b72e@symas.com> <B0148B683FD220EE3A8CCA4C@[192.168.1.39]>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 SeaMonkey/2.53

Quanah Gibson-Mount wrote:
> --On Sunday, July 21, 2019 10:02 PM +0100 Howard Chu <hyc@symas.com> wrote:
> 
>> As I already said: there is no reason for the syncrepl consumer and
>> back-ldap to behave identically. The manpages are correct in each case.
> 
> I've never said they should behave identically, and I do not fathom why you are so focussed on something I never stated.
> 
> *You* stated:
> 
> "The behavior is supposed to be exactly as specified in the manpages."
> 
> The *man page* for back-ldap makes ZERO reference to ldap.conf.  It makes ZERO reference to back-ldap being considered an "ldap client".  If your statement that
> they should behave as specified in the man pages is true, then its behavior is incorrect, because PER THE MAN PAGE the TLS settings are either EXPLICIT in the
> back-ldap configuration OR they are taking from slapd's TLS settings.  NOWHERE does it say that if there are no settings in back-ldap OR slapd that it will THEN
> take the settings from ldap.conf.
> 
> The *exact same* applies to syncrepl and its TLS settings.

You claimed it was inconsistent because syncrepl refers to ldap.conf for network timeout settings while
back-ldap makes no reference to ldap.conf.

Clearly there is no requirement for syncrepl and back-ldap to behave identically here.

For the TLS settings, as already noted, libldap always reads ldap.conf unless you set the NOINIT
env var. All of the slapd TLS settings are set in a TLS context that is retrieved from an LDAP*
handle created specifically for this purpose. Naturally this handle inherits whatever defaults
libldap picks up. Even so, you are expected to completely configure TLS settings in slapd's
configuration, and not rely on any other defaults.

Feel free to add a note to slapd.conf(5) / slapd-config(5) about TLS defaults.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
  - From: Quanah Gibson-Mount <quanah@symas.com>

References:
- back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
  - From: Nikos Voutsinas <nvoutsin@gmail.com>
- Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
  - From: Ondřej Kuzník <ondra@mistotebe.net>
- Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
  - From: Nikos Voutsinas <nvoutsin@gmail.com>
- Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
  - From: Ryan Tandy <ryan@nardis.ca>
- Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
  - From: Howard Chu <hyc@symas.com>
- Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
  - From: Howard Chu <hyc@symas.com>
- Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
  - From: Howard Chu <hyc@symas.com>
- Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
  - From: Howard Chu <hyc@symas.com>
- Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
  - From: Quanah Gibson-Mount <quanah@symas.com>

Prev by Date: Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
Next by Date: Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
Index(es):
- Chronological
- Thread