
Re: TLS/SSL possible startup bug in slapd



On Tue, Jan 23, 2001 at 11:07:20AM -0800, Kurt D. Zeilenga wrote:
> At 10:59 AM 1/23/01 -0700, Monty Charlton wrote:
> >When TLSCertificateKeyFile is defined in slapd.conf, and that file points to an encrypted key, I am prompted for a PEM password regardless of whether I am trying to start slapd with TLS/SSL support enabled (slapd -h "ldap:///" or just plain slapd).  Is this intended?
> 
> Yes.  The key is needed for Start TLS.

I don't believe I made myself clear enough :-) .  Starting _with_ TLS support is not necessarily the problem.  The problem is that, if TLSCertificateKeyFile points to an encrypted key, I am _always_ prompted for a PEM password.  This is, of course, fine when starting with TLS.  But if I want to start _without_ TLS support, there seems to be no reason to have to enter that password.


> >After entering the password, it starts, just as it should, _without_ TLS/SSL support.
> 
> But with Start TLS support.

I guess the question here is, should users be allowed to toggle between TLS and non-TLS easily:

# slapd -h "ldap:/// ldaps:///"
Enter PEM pass phrase:
# killall slapd
# slapd -h "ldap:///"
          <-- There should not be a pw prompt here but there always is.
#



--
Monty Charlton
Caldera Systems, Inc.
http://www.caldera.com
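
Added example, not part of the original message and not OpenLDAP code: a shell check that reads a slapd.conf-style file and reports whether the key named by TLSCertificateKeyFile is pass-phrase protected, which per the thread above means slapd asks for the PEM pass phrase at startup whatever listeners -h names. The function names and sample files are constructed for illustration, and the key path is assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not from the original thread): predict the pass-phrase prompt.

# Print the key path set by TLSCertificateKeyFile in a slapd.conf-style file.
# Keywords are matched case-insensitively; the last occurrence wins (assumption).
key_file_from_conf() {
    awk 'tolower($1) == "tlscertificatekeyfile" { p = $2 }
         END { gsub(/"/, "", p); if (p != "") print p }' "$1"
}

# Exit 0 if the PEM key is pass-phrase protected, 1 if not, 2 if unreadable.
pem_key_is_encrypted() {
    [ -r "$1" ] || return 2
    # Traditional PEM carries "Proc-Type: 4,ENCRYPTED"; PKCS#8 uses its own label.
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Print prompt | no-prompt | no-key | unreadable for one config file.
check_slapd_conf() {
    key=$(key_file_from_conf "$1")
    [ -n "$key" ] || { echo "no-key"; return 0; }
    if pem_key_is_encrypted "$key"; then
        echo "prompt"
    else
        case $? in
            1) echo "no-prompt" ;;
            *) echo "unreadable" ;;
        esac
    fi
}

# Constructed sample files (headers only, no real key material).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$demo/enc.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$demo/plain.pem"
printf 'TLSCertificateKeyFile %s\n' "$demo/enc.pem" > "$demo/enc.conf"
printf 'tlscertificatekeyfile %s\n' "$demo/plain.pem" > "$demo/plain.conf"
printf 'suffix "dc=example,dc=com"\n' > "$demo/notls.conf"

for c in enc plain notls; do
    printf '%s.conf: %s\n' "$c" "$(check_slapd_conf "$demo/$c.conf")"
done
```

A result of `prompt` for a host that must start slapd unattended means the start will block on the terminal until the pass phrase is entered.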