https://bugs.openldap.org/show_bug.cgi?id=8861
--- Comment #5 from Howard Chu <hyc@openldap.org> ---
(In reply to Quanah Gibson-Mount from comment #4)
> (In reply to Howard Chu from comment #3)
> > Sounds more like the back-ldap manpage is wrong. The use of "ldaps" is implicit in the URI, so there's no point in supporting it here and it should be an error to allow it here. In particular it makes no sense to allow it here if it differs from the URI.
>
> Ok, although that doesn't entirely answer the rest of my question (i.e., about tls_reqcert etc missing from back-meta).
>
> Ironically I would note you're literally the person who added the "ldaps" option to back-ldap.
>
> a6a8fb514b (Howard Chu 2007-01-08 23:36:24 +0000 511) { BER_BVC( "ldaps" ), LDAP_BACK_F_TLS_LDAPS },

The original text in that commit is more clear:
+Specify the use of TLS when a regular connection is initialized. The +StartTLS extended operation will be used unless the URI directive protocol +scheme is \fBldaps://\fP. In that case this keyword may only be +set to "ldaps" and the StartTLS operation will not be used.
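Review bot: The sentence "In that case this keyword may only be set to "ldaps"" states the constraint but not what happens when it is violated. Suggest saying how slapd treats any other value under an ldaps:// URI, and whether "ldaps" is accepted with an ldap:// URI, so the text cannot be read as permitting a value that differs from the URI.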
So this setting is required to agree with the URI. The only reason this keyword is defined here is because slap_bindconf_unparse emits it for ldaps URIs and it would have taken extra work to omit it.
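A configuration check for the rule discussed above (the back-ldap `tls` keyword has to agree with the URI scheme), as an added example that is not OpenLDAP code and not part of the bug thread. The function name and the slapd.conf fragment are constructed; continuation lines and cn=config (slapd.d) layouts are not handled.

```python
import shlex
from urllib.parse import urlsplit

# Constructed slapd.conf fragment (hosts and suffixes are made up).
SAMPLE_CONF = '''\
database ldap
suffix "dc=a,dc=example"
uri "ldaps://ldap1.example.com"
tls start

database ldap
suffix "dc=b,dc=example"
uri "ldap://ldap2.example.com"
tls ldaps

database ldap
suffix "dc=c,dc=example"
uri "ldaps://ldap3.example.com"
tls ldaps tls_reqcert=demand
'''

def lint_tls_vs_uri(conf_text):
    """Return (suffix, message) for back-ldap databases whose tls keyword disagrees with the URI."""
    findings, db = [], None

    def check(d):
        if not d or d["backend"] != "ldap" or d["tls"] is None:
            return
        schemes = {urlsplit(u).scheme.lower() for u in d["uris"]}
        if "ldaps" in schemes and d["tls"] != "ldaps":
            findings.append((d["suffix"], f"tls {d['tls']} with an ldaps:// URI"))
        elif d["tls"] == "ldaps" and schemes - {"ldaps"}:
            findings.append((d["suffix"], "tls ldaps with a non-ldaps:// URI"))

    for raw in conf_text.splitlines():
        words = shlex.split(raw, comments=True)  # strips quotes and '#' comments
        if len(words) < 2:
            continue
        key, args = words[0].lower(), words[1:]
        if key == "database":
            check(db)  # close the previous database section
            db = {"backend": args[0].lower(), "suffix": None, "uris": [], "tls": None}
        elif db and key == "suffix":
            db["suffix"] = args[0]
        elif db and key == "uri":
            db["uris"] = " ".join(args).split()  # a uri value may list several URLs
        elif db and key == "tls":
            db["tls"] = args[0].lower()  # mode is the first word; tls_* options follow
    check(db)
    return findings
```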