Quanah Gibson-Mount wrote:
--On Saturday, July 20, 2019 8:43 PM +0100 Howard Chu hyc@symas.com wrote:
As documented in slapd-ldap(5):
The TLS settings default to the same as the main slapd TLS settings, except for tls_reqcert which defaults to "demand".
If that no longer works, then we have yet another regression.
I guess the underlying question is, if they aren't in slapd.conf, where do slapd clients (syncrepl, back-ldap, etc.) get them from? For example, syncrepl is clearly designed to get at least one setting from ldap.conf:
The network-timeout parameter sets how long the consumer will wait to establish a network connection to the provider. Once a connection is established, the timeout parameter determines how long the consumer will wait for the initial Bind request to complete. The defaults for these parameters come from ldap.conf(5).
So is it supposed to be that the configuration levels are:
slapd client (syncrepl, back-ldap specific parameters) override slapd configuration (slapd.conf(5), slapd-config(5) parameters)
Or is it supposed to be:
slapd client (syncrepl, back-ldap specific parameters) override slapd configuration (slapd.conf(5), slapd-config(5) parameters) override ldap.conf(5)
If it's the former, then syncrepl should not pull anything from ldap.conf. If it's the latter, then we have a clear regression.
The behavior is supposed to be exactly as specified in the manpages.
There is no reason to expect back-ldap and syncrepl to be exactly alike; they perform different functions.