On 7/21/19 4:32 AM, Quanah Gibson-Mount wrote:
You missed the point. It wasn't about syncrepl vs back-ldap, it was about whether or not *anything* used in slapd should ever pull in data from ldap.conf.
From my understanding, up to now ldap.conf was used in back-ldap and people make use of it. Aside from whether this was a doc or implementation bug, you should seriously consider whether it's worth the trouble to change back-ldap's behaviour within the 2.4.x release series.
Personally I'm in the camp of explicitly specifying (possibly different) trust anchors for every aspect. Especially since we all should use decent config management today, it's really easy. So I'd like to propose a change for 2.5.x that nothing within slapd uses ldap.conf (LDAPNOINIT=1 for all of slapd's internal stuff).
Also I don't want to use system-wide trust stores by default without explicitly being configured. But that's another issue.
Ciao, Michael.
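Added illustration of the contrast drawn above (my own configuration fragment, not part of this thread and not taken from OpenLDAP's documentation or test suite): the first part shows the trust anchor that slapd's internal clients would inherit if they honoured ldap.conf, the second part shows a syncrepl consumer and a back-ldap proxy each naming its own trust anchor inline. The directive names (ldap.conf TLS_CACERT / TLS_REQCERT, syncrepl tls_cacert / tls_reqcert, back-ldap tls ... tls_cacert) are the documented ones; all hostnames, suffixes, file paths and the credentials value are made-up placeholders.

```conf
# ---- Implicit trust anchor: system-wide ldap.conf (the behaviour argued against) ----
# Contents of a hypothetical /etc/openldap/ldap.conf:
#
#   TLS_CACERT   /etc/openldap/certs/corporate-ca.pem
#   TLS_REQCERT  demand
#
# If slapd's internal LDAP clients read ldap.conf, every syncrepl consumer and
# back-ldap instance in that slapd silently trusts whatever CA this file names.
# Anyone who can edit ldap.conf can therefore change which CA slapd accepts for
# replication and proxy connections, without touching slapd's own config.

# ---- Explicit trust anchors per consumer (slapd.conf fragment) ----
# Lines beginning with whitespace continue the previous directive.

# syncrepl consumer: trust anchor and verification policy stated inline,
# so the connection to the provider is independent of ldap.conf.
database    mdb
suffix      "dc=example,dc=com"
directory   /var/lib/ldap
syncrepl    rid=001
            provider=ldaps://provider.example.com:636
            type=refreshAndPersist
            searchbase="dc=example,dc=com"
            bindmethod=simple
            binddn="cn=replicator,dc=example,dc=com"
            credentials=REPLACE_WITH_SECRET
            tls_cacert=/etc/openldap/certs/replication-ca.pem
            tls_reqcert=demand

# back-ldap proxy: a different trust anchor for a different remote peer.
database    ldap
suffix      "dc=partner,dc=example"
uri         ldap://backend.partner.example/
tls         start
            tls_cacert=/etc/openldap/certs/partner-ca.pem
            tls_reqcert=demand
```

With the second form, each outbound connection's trust decision is visible in slapd's own configuration and can be reviewed and diffed there, which is the property the proposal for 2.5.x (no ldap.conf influence inside slapd) is after.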