Quanah Gibson-Mount wrote:
--On Sunday, July 21, 2019 3:37 PM +0100 Howard Chu hyc@symas.com wrote:
--On Sunday, July 21, 2019 2:51 AM +0100 Howard Chu hyc@symas.com wrote:
The behavior is supposed to be exactly as specified in the manpages.
A syncrepl consumer is an LDAP client. A back-ldap backend is an LDAP client.
Now you are providing conflicting answers. The man page for back-ldap makes zero reference to ldap.conf(5). It only mentions slapd.conf(5). The syncrepl section of slapd.conf(5)/slapd-config(5) only mentions the network-timeout value being pulled in from ldap.conf(5). So which is it? Do they follow the man page behaviors (which would mean no ldap.conf(5) for slapd-ldap, and only network-timeout for syncrepl), or do they violate the man page description?
As I already said: there is no reason for the syncrepl consumer and back-ldap to behave identically. The manpages are correct in each case.
Generally, it seems to me we at the least have a documentation bug, in that back-ldap(5) and the syncrepl section of slapd.conf(5)/slapd-config(5) should note that they will rely on ldap.conf(5) in the absence of TLS (and possibly other parameters) if they are not found in slapd.conf(5).
Additionally, what should we do about ITS#8427? It was clearly fixing a valid bug. Do we revert it? Do we fix the behavior so it fixes the bug reported, but does not introduce a regression?
It sounds like the behavior with OpenSSL is currently correct, and currently broken on GnuTLS.
And we need to know the answer to that and have a fix in rather quickly.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com