Full_Name: Stephan Duehr
Version: 2.4.16
OS: SLES 10 SP2
URL:
Submission from: (NULL) (84.44.166.251)

I specified tls start below each target specification and did not find any STARTTLS in the targets' log, running at loglevel 256.

man slapd-meta says:

    tls {[try-]start|[try-]propagate}
        execute the StartTLS extended operation when the connection is initialized; only works if the URI directive protocol scheme is not ldaps://. propagate issues the StartTLS operation only if the original connection did. The try- prefix instructs the proxy to continue operations if the StartTLS operation failed; its use is highly deprecated. If set before any target specification, it affects all targets, unless overridden by any per-target directive.

So it should work when set for a target.

I verified the behavior by removing start tls before any target specification and setting it below each target, which resulted in no STARTTLS being sent again.
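
Added example, not part of the original report and not OpenLDAP code: a small Python audit that applies the man page rule quoted above (a tls directive before any uri is the default for all targets, one after a uri overrides it for that target) to a slapd.conf and lists the ldap:// targets whose StartTLS should be confirmed in the target's log. The sample config, host names and function names are constructed for illustration, and only the database, uri and tls directives are interpreted.

```python
import shlex

# Constructed sample config; host names and suffixes are invented.
SAMPLE_CONF = """\
database meta
suffix "dc=example,dc=com"
tls start
uri "ldap://a.example.com/ou=a,dc=example,dc=com"
uri "ldap://b.example.com/ou=b,dc=example,dc=com"
tls try-start
uri "ldaps://c.example.com/ou=c,dc=example,dc=com"
database meta
suffix "dc=example,dc=org"
uri "ldap://d.example.org/ou=d,dc=example,dc=org"
tls start
uri "ldap://e.example.org/ou=e,dc=example,dc=org"
"""

def effective_tls(conf_text):
    """Return (uri, tls mode or None, 'global'|'per-target'|'none') per target."""
    logical = []
    for raw in conf_text.splitlines():
        if raw[:1] in (" ", "\t") and logical:      # indented line continues the previous one
            logical[-1] += " " + raw.strip()
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    targets, in_meta, global_tls, current = [], False, None, None
    for line in logical:
        words = shlex.split(line)
        key = words[0].lower()
        if key == "database":                       # new section resets all state
            in_meta = words[1:2] == ["meta"]
            global_tls, current = None, None
        elif in_meta and key == "uri" and len(words) > 1:
            current = [words[1], global_tls, "global" if global_tls else "none"]
            targets.append(current)
        elif in_meta and key == "tls" and len(words) > 1:
            if current is None:                     # before any target: default for all
                global_tls = words[1]
            else:                                   # after a uri: overrides for that target
                current[1:] = [words[1], "per-target"]
    return [tuple(t) for t in targets]

def review(targets):
    """List ldap:// targets whose StartTLS setting deserves a manual log check."""
    notes = []
    for uri, mode, source in targets:
        if uri.lower().startswith("ldaps://"):
            continue                                # StartTLS does not apply to ldaps://
        if mode is None:
            notes.append((uri, "no tls directive in effect"))
        elif source == "per-target":
            notes.append((uri, "per-target tls: confirm StartTLS in the target's log"))
    return notes
```

Calling review(effective_tls(open(path).read())) on a real configuration gives the list of targets to check against the target servers' logs.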