Hi Rainer, on Tue, 22 Feb 2011 you wrote: > <quote> > Note that the main slapd TLS settings are not used by the syncrepl > engine; by default the TLS parameters from a ldap.conf(5) configuration > file will be used. TLS settings may be specified here, in which case any > ldap.conf(5) settings will be completely ignored. > </quote> > > The slapd in Debian Squeeze doesn't seem to honor this anymore.
I think this is actually a bug in the admin guide. In both lenny and squeeze the slapd.conf man page says: > The tls_reqcert setting defaults to "demand" and the other TLS > settings default to the same as the main slapd TLS settings. The behaviour and man page both changed between 2.3 and 2.4, but the admin guide still documents the previous behaviour. In lenny, slapd suffers from ITS#6419: setting "starttls=" in a bindconf block does not trigger using the main slapd TLS settings, but setting a tls_* parameter does. This was fixed in 2.4.20, so squeeze and later. With lenny's slapd, if you set for example "starttls=critical tls_reqcert=demand" then it does behave according to the man page. In conclusion, lenny was buggy, squeeze was fixed, and the admin guide is still buggy. I will prod upstream about the latter; and as for migrating the configuration I think it's much too late for that now, so probably this can just be closed. Do you agree? thanks for reading, Ryan -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

