I'm using OpenLDAP 2.4.23-26 from Centos 6. I seem to be hitting a configuration issue regarding slapd-meta and SSL/TLS.
database
meta
suffix "dc=virtual,dc=local"
rootdn "cn=root,dc=virtual,dc=local"
rootpw password
# Local
uri
ldap://localhost/dc=ds1,dc=virtual,dc=local
suffixmassage "dc=ds1,dc=virtual,dc=local" "dc=lab,dc=local"
idassert-bind bindmethod=simple binddn="cn=root,dc=lab,dc=local" credentials=password
#Remote AD server
uri ldap://10.33.63.125:389/dc=ad1,dc=virtual,dc=local
tls start
suffixmassage "dc=ad1,dc=virtual,dc=local" "dc=mslab,dc=local"
idassert-bind bindmethod=simple binddn="CN=Sync,CN=Users,DC=lab,DC=local" credentials="Password1" starttls="yes" tls_reqcert="allow"
It seems as though tls_reqcert="allow" is ignored for the
remote AD server. If set that variable in the ldap.conf everything works fine. But shouldn't the above function as an override to the default of 'demand'? The behaviour is the same when I change the above to use SSL instead.
Another thing I noticed was that
adding tls_crlcheck="none" to my idassert-bind line causes slaptest to fail..not sure if this is related or not.
/etc/openldap/slapd.conf: line 68: "idassert-bind <args>": unable to parse field "tls_crlcheck=none".
slaptest: bad configuration file!
I must be misunderstanding the docs. Any help would be appreciated.