Quanah Gibson-Mount wrote:
> --On Saturday, July 20, 2019 8:43 PM +0100 Howard Chu <h...@symas.com> wrote:
>
>> As documented in slapd-ldap(5)
>>
>>> The TLS settings default to the same as the main
>>> slapd TLS settings, except for tls_reqcert which defaults
>>> to "demand".
>>
>> If that no longer works, then we have yet another regression.
>
> I guess the underlying question is, if they aren't in slapd.conf, where do
> slapd clients (syncrepl, back-ldap, etc) get them from? For example,
> syncrepl is clearly designed to get at least one setting from ldap.conf:
>
> The network-timeout parameter sets how long the consumer will
> wait to establish a network connection to the provider. Once a
> connection is established, the timeout parameter determines how
> long the consumer will wait for the initial Bind request to
> complete. The defaults for these parameters come from
> ldap.conf(5).
>
> So is it supposed to be that the configuration levels are:
>
> slapd client (syncrepl, back-ldap specific parameters)
> override
> slapd configuration (slapd.conf(5), slapd-config(5) parameters)
>
> Or is it supposed to be:
>
> slapd client (syncrepl, back-ldap specific parameters)
> override
> slapd configuration (slapd.conf(5), slapd-config(5) parameters)
> override
> ldap.conf(5)
>
> If it's the former, then syncrepl should not pull anything from ldap.conf. If
> it's the latter, then we have a clear regression.

The behavior is supposed to be exactly as specified in the manpages. There is no reason to expect back-ldap and syncrepl to be exactly alike; they perform different functions.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/