[Date Prev][Date Next] [Chronological] [Thread] [Top]

back-meta: dependency on ldap.conf

OpenLDAP 2.4.40, SLES x86_64.

This will seem crazy, but it looks to me that back-meta uses
/etc/openldap/ldap.conf for its TLS configuration instead of the
tls_options set explicitly within slapd.conf.

Within my meta configuration I have the following for idassert-bind:

idassert-bind   bindmethod=simple

None of the TLS options seem to have any effect here at all (I can put
nonsensical values to the tls options here and slapd doesn't complain at

Instead it's necessary to use /etc/openldap/ldap.conf for back-meta to
bind over SSL/TLS:

tls_cacert	/etc/ssl/certs/ca.pem
tls_cacertdir	/etc/ssl/certs

Any changes to ldap.conf get picked up by back-meta on a restart.

This can't be right, surely?

As an aside, I can't see why it's necessary to have to specify both
tls_cacert (pointing at the last CA in the chain) as well as
tls_cacertdir, but it is.

Liam Gretton                                    liam.gretton@le.ac.uk
Systems Specialist                           http://www.le.ac.uk/its/
IT Services                                   Tel: +44 (0)116 2522254
University Of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom