Yes - thanks!
\Greg
Pierangelo Masarati wrote:
Greg Martin wrote:
I'm running a non-production 2.3.27 slapd server on my home network. I had to transfer it to another machine so I copied the conf file & database files to the new machine. Before starting the service I edited the slapd.conf to comment out the TLS entries since I hadn't installed openssl & the cert yet.
<snip> On a lark, I took a look at ldap.conf which I had copied from my old server as well. It still had TLS_CACERT /etc/ssl/myca/cacert.pem TLS_REQCERT allow
Actually, there's been a little bit of confusion about this. ldap.conf(5) is indeed the client configuration file, which is read by default by the libldap client library. However, slapd contains a little bit of client functionality, for example what's used by syncrepl consumer to contact the provider, or the proxy backends back-ldap & back-meta (there might be more I'm not considering right now). The first time any libldap related function call is invoked, the library itself is initialized, and ldap.conf(5) is parsed. This is typically harmless, as none of the defaults in ldap.conf(5) is used, __except__ TLS. If this is not required, you can disable it by setting LDAPNOINIT in the environment. In HEAD (and 2.4) code, also client-related TLS can be specified in slapd.conf(5), so parsing of ldap.conf(5) could be entirely disabled (we'll need to consider that option, at least). Hope this clarifies.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team