[Pkg-openldap-devel] Bug#613663: slapd: Upgrade Lenny -> Squeeze: failed to migrate tls_cacert

Ryan Tandy ryan at nardis.ca
Mon Jul 14 16:24:59 UTC 2014


Hi Rainer,

on Tue, 22 Feb 2011 you wrote:
> <quote>
> Note that the main slapd TLS settings are not used by the syncrepl
> engine; by default the TLS parameters from a ldap.conf(5) configuration
> file will be used. TLS settings may be specified here, in which case any
> ldap.conf(5) settings will be completely ignored.
> </quote>
>
> The slapd in Debian Squeeze doesn't seem to honor this anymore.

I think this is actually a bug in the admin guide. In both lenny and
squeeze the slapd.conf man page says:

> The tls_reqcert setting defaults to "demand" and the other TLS
> settings default to the same as the main slapd TLS settings.

The behaviour and man page both changed between 2.3 and 2.4, but the
admin guide still documents the previous behaviour.

In lenny, slapd suffers from ITS#6419: setting "starttls=" in a
bindconf block does not trigger using the main slapd TLS settings, but
setting a tls_* parameter does. This was fixed in 2.4.20, so squeeze
and later. With lenny's slapd, if you set for example
"starttls=critical tls_reqcert=demand" then it does behave according
to the man page.

In conclusion, lenny was buggy, squeeze was fixed, and the admin guide
is still buggy. I will prod upstream about the latter; and as for
migrating the configuration I think it's much too late for that now,
so probably this can just be closed. Do you agree?

thanks for reading,
Ryan
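As an added example (not code from the original message or from the OpenLDAP project), a small checker for the lenny behaviour described above: it unfolds a slapd.conf, parses each syncrepl directive and flags any that set starttls= without a tls_* parameter, which on lenny (ITS#6419) would not pick up the main slapd TLS settings. The configuration fragment, rids and hostnames are constructed.

```python
import shlex
from typing import Dict, List

# Constructed sample slapd.conf fragment (added example, not from the message).
# slapd.conf continues a directive on lines that begin with whitespace, so
# syncrepl blocks often span several lines.
SAMPLE_SLAPD_CONF = """\
TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt
syncrepl rid=001
    provider=ldap://provider.example.com
    type=refreshAndPersist
    bindmethod=simple binddn="cn=replicator,dc=example,dc=com"
    credentials=secret
    starttls=critical
syncrepl rid=002 provider=ldap://other.example.com bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com" credentials=secret
    starttls=critical tls_reqcert=demand
"""

def unfold(conf: str) -> List[str]:
    """Join slapd.conf continuation lines (leading whitespace) into logical lines."""
    logical: List[str] = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # skip blank and comment lines
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    return logical

def parse_syncrepl(line: str) -> Dict[str, str]:
    """Split 'syncrepl key=value ...' into a dict; shlex honours the quoting slapd uses."""
    tokens = shlex.split(line)[1:]  # drop the 'syncrepl' keyword itself
    return dict(tok.split("=", 1) for tok in tokens if "=" in tok)

def check_syncrepl_tls(conf: str) -> Dict[str, str]:
    """Map rid -> verdict for every syncrepl directive in conf."""
    verdicts: Dict[str, str] = {}
    for line in unfold(conf):
        if not line.startswith("syncrepl"):
            continue
        params = parse_syncrepl(line)
        if any(k.startswith("tls_") for k in params):
            verdict = "ok: tls_* set, main slapd TLS settings apply on lenny and squeeze"
        elif "starttls" in params:
            verdict = "warn: starttls without tls_*; lenny (ITS#6419) skips main TLS settings"
        else:
            verdict = "info: neither starttls nor tls_* set"
        verdicts[params.get("rid", "?")] = verdict
    return verdicts
```

Running the checker over a real slapd.conf shows which consumers need a tls_* parameter added before a lenny host can be trusted to use the server's TLS settings.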


