Quanah Gibson-Mount wrote:
--On Wednesday, December 13, 2006 2:55 AM +0000 hyc@symas.com wrote:
Feel free to submit a patch. This may need to be two separate patches since there are several new TLS config keywords in RE24 vs RE23.
You might as well incorporate the ITS#4540 patch while you're at it.
I've made the following change to the 2.3 admin guide:
I'd probably put starttls a little lower on the list, but no big deal.
(OL) helpus2:/tmp/quanah/ldap-rel-eng-2-3/doc/guide/admin> cvs diff -u slapdconf2.sdf Index: slapdconf2.sdf =================================================================== RCS file: /repo/OpenLDAP/pkg/openldap-guide/admin/slapdconf2.sdf,v retrieving revision 1.1.2.10 diff -u -r1.1.2.10 slapdconf2.sdf --- slapdconf2.sdf 3 Jan 2006 22:16:03 -0000 1.1.2.10 +++ slapdconf2.sdf 15 Dec 2006 00:05:16 -0000 @@ -609,6 +609,7 @@
olcSyncrepl: rid=<replica ID> provider=ldap[s]://<hostname>[:port]
+> [starttls=yes|critical]
[type=refreshOnly|refreshAndPersist] [interval=dd:hh:mm:ss] [retry=[<retry interval> <# of retries>]+]
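Review bot: the new [starttls=yes|critical] line is inserted directly after provider=, ahead of type=, interval= and retry=, so the synopsis now lists a connection-security option in the middle of the replication-mode parameters. Moving it below the retry line keeps type/interval/retry together and matches the earlier suggestion to put starttls a little lower on the list. This hunk also only covers the 2.3 guide (slapdconf2.sdf, olcSyncrepl); RE24 has additional TLS keywords and will need its own patch as noted above.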
@@ -658,6 +659,11 @@ {{EX:replica}} directives define two independent replication mechanisms. They do not represent the replication peers of each other.
+The {{EX:starttls}} parameter specifies use of the StartTLS extended +operation to establish a TLS session before Binding to the provider. If the +critical argument is supplied, the session will be aborted if the StartTLS +request fails. Otherwise the syncrepl session continues without TLS.
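Review bot: the added paragraph leaves the non-critical case implicit. "Otherwise the syncrepl session continues without TLS" should say that this is the starttls=yes behaviour: if the StartTLS request fails, the consumer still Binds to the provider and replicates over the unencrypted connection. Suggest spelling that out and adding that starttls=critical is the setting to use when the Bind sends credentials, so that a failed StartTLS cannot silently downgrade the session to cleartext.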
The last two sentences are a little ambiguous to me. I would say
If the StartTLS request fails and the {{EX:critical}} argument was used, the session will be aborted. Otherwise the syncrepl session continues without TLS.
The content of the syncrepl replica is defined using a search specification as its result set. The consumer slapd will send search requests to the provider slapd according to the search
If this is acceptable, I will commit it.
--Quanah