I'm using OpenLDAP 2.4.23-26 from Centos 6. I seem to be hitting a configuration issue regarding slapd-meta and SSL/TLS.

Here is my meta config:

database        meta
suffix          "dc=virtual,dc=local"
rootdn          "cn=root,dc=virtual,dc=local"
rootpw          password

# Local
uri             ldap://localhost/dc=ds1,dc=virtual,dc=local
suffixmassage   "dc=ds1,dc=virtual,dc=local" "dc=lab,dc=local"
idassert-bind   bindmethod=simple binddn="cn=root,dc=lab,dc=local" credentials=password

#Remote AD server
uri ldap://10.33.63.125:389/dc=ad1,dc=virtual,dc=local
tls start
suffixmassage "dc=ad1,dc=virtual,dc=local" "dc=mslab,dc=local"
idassert-bind bindmethod=simple binddn="CN=Sync,CN=Users,DC=lab,DC=local" credentials="Password1" starttls="yes" tls_reqcert="allow"

It seems as though  tls_reqcert="allow" is ignored for the remote AD server.  If set that variable in the ldap.conf everything works fine.  But shouldn't the above function as an override to the default of 'demand'?  The behaviour is the same when I change the above to use SSL instead.

Another thing I noticed was that adding tls_crlcheck="none" to my idassert-bind line causes slaptest to fail..not sure if this is related or not.

/etc/openldap/slapd.conf: line 68: "idassert-bind <args>": unable to parse field "tls_crlcheck=none".
slaptest: bad configuration file!

 I must be misunderstanding the docs.  Any help would be appreciated.