Also on the topic of separate TLS contexts - currently the main slapd TLS context is only used for incoming connections. The syncrepl consumer and any other outbound connections use the TLS info in ldap.conf by default, not slapd.conf. Some folks have suggested that it makes more sense for the default to come from the main slapd settings instead. Any thoughts on that?
From a libldap perspective, I'd say respect system-wide ldap.conf and
treat the syncrepl consumer as an application-level override thereof. I don't think anybody on openldap-devel would have trouble with this.
However, I could see this getting messy to explain to newcomers on openldap-software and other end users of slapd(8), especially in the face of ugprades from "server-only" installations that never previously gave thought to ldap.conf. I think it might be happy medium to:
1. have overrides available in slapd.conf 2. one of the settings for the slapd.conf directives should be "use ldap.conf" which should be the default, however, 3. in the absence of (1) or (2), print something along the lines of "warning, no TLS configuration specified, using /foo/bar/ldap.conf" (if it's even possible to query that path from libldap?)
That way, there's still the complete flexibility, and unknowing users get a hint as to where that previously-unused configuration file might be biting them.