Quanah Gibson-Mount wrote:
--On Sunday, July 21, 2019 10:02 PM +0100 Howard Chu hyc@symas.com wrote:
As I already said: there is no reason for the syncrepl consumer and back-ldap to behave identically. The manpages are correct in each case.
I've never said they should behave identically, and I do not fathom why you are so focussed on something I never stated.
*You* stated:
"The behavior is supposed to be exactly as specified in the manpages."
The *man page* for back-ldap makes ZERO reference to ldap.conf. It makes ZERO reference to back-ldap being considered an "ldap client". If your statement that they should behave as specified in the man pages is true, then its behavior is incorrect, because PER THE MAN PAGE the TLS settings are either EXPLICIT in the back-ldap configuration OR they are taking from slapd's TLS settings. NOWHERE does it say that if there are no settings in back-ldap OR slapd that it will THEN take the settings from ldap.conf.
The *exact same* applies to syncrepl and its TLS settings.
You claimed it was inconsistent because syncrepl refers to ldap.conf for network timeout settings while back-ldap makes no reference to ldap.conf.
Clearly there is no requirement for syncrepl and back-ldap to behave identically here.
For the TLS settings, as already noted, libldap always reads ldap.conf unless you set the NOINIT env var. All of the slapd TLS settings are set in a TLS context that is retrieved from an LDAP* handle created specifically for this purpose. Naturally this handle inherits whatever defaults libldap picks up. Even so, you are expected to completely configure TLS settings in slapd's configuration, and not rely on any other defaults.
Feel free to add a note to slapd.conf(5) / slapd-config(5) about TLS defaults.