https://bugs.openldap.org/show_bug.cgi?id=9711
Issue ID: 9711
Summary: olcTLSVerifyClient set incorrectly on conversion
Product: OpenLDAP
Version: 2.5.7
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: quanah@openldap.org
Target Milestone: ---
When converting the following slapd.conf to cn=config via slaptest, the olcTLSVerifyClient parameter is set to "demand" instead of "never". The slapd.conf man page clearly states that "never" is supposed to be the default. This causes startTLS operations to fail from the client.
slapd.conf:

include /opt/symas/etc/openldap/schema/core.schema
pidfile /var/symas/run/slapd.pid
argsfile /var/symas/run/slapd.args
loglevel stats
TLSCACertificateFile /opt/symas/ssl/CA/certs/testsuiteCA.crt
TLSCertificateFile /opt/symas/ssl/certs/ub18.crt
TLSCertificateKeyFile /opt/symas/ssl/private/ub18.key
modulepath /opt/symas/lib/openldap
moduleload back_mdb.la
database config
rootpw secret
database mdb
maxsize 1073741824
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
directory /var/symas/openldap-data
index objectClass eq
database monitor
With the above slapd.conf, the following ldapsearch command succeeds:
/opt/symas/bin/ldapsearch -x -ZZ -H ldap://ub18.quanah.org/
However, after converting it to cn=config:
slaptest -f slapd.conf -F /opt/symas/etc/openldap/slapd.d
olcTLSVerifyClient has an incorrect value of "demand" instead of "never":
cn=config.ldif:olcTLSVerifyClient: demand
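The post-conversion check a practitioner would want after running slaptest, written as an added example that is not part of the original report and not OpenLDAP project code: it reads the olcTLSVerifyClient attribute out of a cn=config.ldif (treating an absent attribute as the documented default "never"), compares it with the value the slapd.conf implied, and on mismatch prints the LDIF needed to put it back. The embedded LDIF is a constructed sample modelled on the report (only the TLS attributes); the ldapi:/// URL and the EXTERNAL SASL mechanism in the usage comment are assumptions about the local setup.

```shell
#!/bin/sh
# Verify olcTLSVerifyClient in a converted cn=config.ldif and emit a fix when
# it does not match what slapd.conf implied. Added example, not OpenLDAP code.

# Constructed sample of the relevant part of a cn=config.ldif produced by
# slaptest for the report above (a real file carries many more attributes).
SAMPLE_LDIF='dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCACertificateFile: /opt/symas/ssl/CA/certs/testsuiteCA.crt
olcTLSCertificateFile: /opt/symas/ssl/certs/ub18.crt
olcTLSCertificateKeyFile: /opt/symas/ssl/private/ub18.key
olcTLSVerifyClient: demand
'

# Print the olcTLSVerifyClient value of the LDIF read from stdin. An absent
# attribute prints "never", because that is the default the man page gives
# and what an unconverted slapd.conf without TLSVerifyClient means.
tls_verify_client_value() {
    v=$(sed -n 's/^olcTLSVerifyClient: *//p' | head -n 1)
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        printf 'never\n'
    fi
}

# Succeed (exit 0) only when the value found matches the expected one.
# Expected defaults to "never", matching a slapd.conf with no TLSVerifyClient.
check_tls_verify_client() {
    expected=${1:-never}
    actual=$(tls_verify_client_value)
    [ "$actual" = "$expected" ]
}

# LDIF that resets the attribute on a running server. Apply with (assumed
# local setup):  ldapmodify -Y EXTERNAL -H ldapi:/// -f fix.ldif
fix_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: $1
EOF
}

# Run the check against the constructed sample; with "demand" in the file
# this reports the mismatch and prints the corrective LDIF.
if ! printf '%s' "$SAMPLE_LDIF" | check_tls_verify_client never; then
    found=$(printf '%s' "$SAMPLE_LDIF" | tls_verify_client_value)
    echo "olcTLSVerifyClient is '$found', expected 'never'" >&2
    fix_ldif never
fi
```

To run this against a real conversion, replace the sample with `check_tls_verify_client never < /opt/symas/etc/openldap/slapd.d/cn=config.ldif` before starting slapd; once the server is up, the same value can be confirmed with an ldapsearch on `cn=config` for the olcTLSVerifyClient attribute, and corrected with the generated LDIF rather than by editing the .ldif files under slapd.d by hand.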