https://bugs.openldap.org/show_bug.cgi?id=9711
Issue ID: 9711
Summary: olcTLSVerifyClient set incorrectly on conversion
Product: OpenLDAP
Version: 2.5.7
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: quanah@openldap.org
Target Milestone: ---
When converting the following slapd.conf to cn=config via slaptest, the olcTLSVerifyClient parameter is set to "demand" instead of "never". The slapd.conf man page clearly states that "never" is supposed to be the default. This causes startTLS operations to fail from the client.
slapd.conf:

include /opt/symas/etc/openldap/schema/core.schema
pidfile /var/symas/run/slapd.pid
argsfile /var/symas/run/slapd.args
loglevel stats
TLSCACertificateFile /opt/symas/ssl/CA/certs/testsuiteCA.crt
TLSCertificateFile /opt/symas/ssl/certs/ub18.crt
TLSCertificateKeyFile /opt/symas/ssl/private/ub18.key
modulepath /opt/symas/lib/openldap
moduleload back_mdb.la
database config
rootpw secret
database mdb
maxsize 1073741824
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
directory /var/symas/openldap-data
index objectClass eq
database monitor
With the above slapd.conf, the following ldapsearch command succeeds:
/opt/symas/bin/ldapsearch -x -ZZ -H ldap://ub18.quanah.org/^
However, after converting it to cn=config:
slaptest -f slapd.conf -F /opt/symas/etc/openldap/slapd.d
olcTLSVerifyClient has an incorrect value of "demand" instead of "never":
cn=config.ldif:olcTLSVerifyClient: demand
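The mismatch in this report is easy to catch with a post-conversion check before the new cn=config directory is put into service. The script below is an added example, not OpenLDAP code and not part of the report: it reads the effective TLSVerifyClient from a slapd.conf (falling back to the "never" default documented in slapd.conf(5) when the directive is absent) and compares it with olcTLSVerifyClient in the converted cn=config entry. The slapd.conf text is the one from the report; the cn=config.ldif fragment is constructed to reproduce the "demand" value quoted above. Function names, the entry/attribute names assumed in the LDIF fragment beyond olcTLSVerifyClient, and the minimal LDIF parsing are my assumptions.

```python
"""Post-conversion check for olcTLSVerifyClient (added example, not OpenLDAP code).

Assumes slapd.conf and the converted cn=config.ldif are available as text.
The LDIF fragment below is constructed to reproduce the ITS#9711 symptom.
"""
import re

# slapd.conf(5): TLSVerifyClient defaults to "never" when the directive is absent.
VERIFY_CLIENT_DEFAULT = "never"
# Levels accepted by TLSVerifyClient / olcTLSVerifyClient per slapd.conf(5).
VERIFY_CLIENT_LEVELS = {"never", "allow", "try", "demand", "hard", "true"}

# slapd.conf from the report (verbatim content, reflowed one directive per line).
SLAPD_CONF = """\
include /opt/symas/etc/openldap/schema/core.schema
pidfile /var/symas/run/slapd.pid
argsfile /var/symas/run/slapd.args
loglevel stats
TLSCACertificateFile /opt/symas/ssl/CA/certs/testsuiteCA.crt
TLSCertificateFile /opt/symas/ssl/certs/ub18.crt
TLSCertificateKeyFile /opt/symas/ssl/private/ub18.key
modulepath /opt/symas/lib/openldap
moduleload back_mdb.la
database config
rootpw secret
database mdb
maxsize 1073741824
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
directory /var/symas/openldap-data
index objectClass eq
database monitor
"""

# Constructed cn=config.ldif fragment showing the wrong value from the report.
CONFIG_LDIF_BAD = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCACertificateFile: /opt/symas/ssl/CA/certs/testsuiteCA.crt
olcTLSCertificateFile: /opt/symas/ssl/certs/ub18.crt
olcTLSCertificateKeyFile: /opt/symas/ssl/private/ub18.key
olcTLSVerifyClient: demand
"""

# Same fragment with the value the slapd.conf default implies.
CONFIG_LDIF_GOOD = CONFIG_LDIF_BAD.replace("olcTLSVerifyClient: demand",
                                           "olcTLSVerifyClient: never")


def slapd_conf_verify_client(conf_text: str) -> str:
    """Effective TLSVerifyClient level from slapd.conf text.

    Only the global section (before the first 'database' line) is consulted,
    since TLSVerifyClient is a global directive; absent means the default.
    """
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("database"):
            break
        m = re.match(r"(?i)tlsverifyclient\s+(\S+)", line)
        if m:
            return m.group(1).lower()
    return VERIFY_CLIENT_DEFAULT


def ldif_attr_values(ldif_text: str, dn: str, attr: str) -> list:
    """Values of `attr` in the LDIF entry whose dn equals `dn` (case-insensitive).

    Folded lines (continuations starting with a space) are unfolded first;
    base64 ('::') and URL (':<') values are not needed for this attribute.
    """
    unfolded = re.sub(r"\n ", "", ldif_text)
    values, in_entry = [], False
    for line in unfolded.splitlines():
        if line.startswith("#"):
            continue
        if line.lower().startswith("dn:"):
            in_entry = line[3:].strip().lower() == dn.lower()
            continue
        if in_entry and ":" in line:
            name, _, value = line.partition(":")
            if name.strip().lower() == attr.lower():
                values.append(value.strip())
    return values


def check_conversion(conf_text: str, ldif_text: str) -> dict:
    """Compare slapd.conf's effective level with olcTLSVerifyClient in cn=config.

    A missing olcTLSVerifyClient is treated as the default; an unknown value
    is reported as a failure so it is not silently accepted.
    """
    expected = slapd_conf_verify_client(conf_text)
    found = ldif_attr_values(ldif_text, "cn=config", "olcTLSVerifyClient")
    actual = found[0].lower() if found else VERIFY_CLIENT_DEFAULT
    ok = actual in VERIFY_CLIENT_LEVELS and actual == expected
    return {"expected": expected, "actual": actual, "ok": ok}


if __name__ == "__main__":
    for label, ldif in (("converted", CONFIG_LDIF_BAD), ("corrected", CONFIG_LDIF_GOOD)):
        r = check_conversion(SLAPD_CONF, ldif)
        status = "OK" if r["ok"] else "MISMATCH"
        print(f"{label}: expected={r['expected']} actual={r['actual']} {status}")
```

Run it against a real `slapd.d/cn=config.ldif` by reading both files into the two text arguments; a "MISMATCH" on olcTLSVerifyClient is the condition to fix (with ldapmodify on cn=config or by re-running the conversion on a patched build) before clients that rely on StartTLS without a client certificate are pointed at the server.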
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed       | Added
-----------------|---------------|---------
Resolution       | ---           | FIXED
Target Milestone | ---           | 2.5.8
Keywords         | needs_review  |
Status           | UNCONFIRMED   | RESOLVED
--- Comment #1 from Quanah Gibson-Mount quanah@openldap.org ---
head:
• 7979892d by Howard Chu at 2021-09-30T19:17:38+01:00 ITS#9711 fix TLS ctx init for tools
RE26:
• c9ff34f3 by Howard Chu at 2021-09-30T18:23:19+00:00 ITS#9711 fix TLS ctx init for tools
RE25:
• 46658df7 by Howard Chu at 2021-09-30T18:23:35+00:00 ITS#9711 fix TLS ctx init for tools
RE24:
• 1a6e4b7d by Howard Chu at 2021-09-30T18:24:36+00:00 ITS#9711 fix TLS ctx init for tools
Quanah Gibson-Mount quanah@openldap.org changed:
What     | Removed           | Added
---------|-------------------|------------------
Assignee | bugs@openldap.org | hyc@openldap.org
Quanah Gibson-Mount quanah@openldap.org changed:
What   | Removed  | Added
-------|----------|---------
Status | RESOLVED | VERIFIED