On 07/11/2011 02:24 PM, Howard Chu wrote:
> Thibault Le Meur wrote:
>> On 11/07/2011 18:29, Rich Megginson wrote:
>>> I think what is happening is that the syncrepl crypto context is
>>> "inheriting" from the main server crypto context.
>> Yes, this looks like this.
> Yes, that's documented in slapd.conf(5).

What's documented where? I'm looking at the latest 2_4 branch
slapd.conf and slapd-config man pages at the syncrepl
directive/olcSyncrepl attribute - I don't see anything about how tls
settings will use the main context if a syncrepl specific setting is not
specified.

>>> You want it to "inherit" the CA certificate from the main crypto
>>> context but not the server certificate.
>> Not necessarily. When linked to openssl, openldap used to use the
>> /etc/openldap/ldap.conf file to read the client-side SSL configuration.
>>> Please open an ITS for this. I'll have to figure out how this was
>>> working in openssl.
>> Done: ITS#6994
> Sounds to me like there's no bug here and the ITS report is invalid.
> If you want separate TLS settings for syncrepl you must put them in
> the syncrepl directive.

My goal for openldap with moznss support is that it will work exactly
like openldap with openssl worked - you should not even know (or care)
that a different crypto implementation is being used. Since this is not
the case with this particular issue, I consider it a bug in the moznss
crypto implementation of openldap.
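For readers following the thread, the following slapd.conf fragment is an added example (not posted by any participant and not OpenLDAP project configuration) of what Howard's "put them in the syncrepl directive" means in practice: the consumer's syncrepl directive carries its own tls_cacert/tls_cert/tls_key/tls_reqcert options, so it does not depend on whether the build inherits the server-side TLSCertificateFile or the /etc/openldap/ldap.conf client defaults. All hostnames, DNs, file paths and the credentials value are placeholders.

```conf
# Added example (not from the thread). Server-side TLS settings used by
# slapd's own listener; these are what a syncrepl consumer might otherwise
# pick up implicitly, which is the behaviour the thread is arguing about.
TLSCACertificateFile  /etc/openldap/certs/ca.pem          # placeholder path
TLSCertificateFile    /etc/openldap/certs/server.pem      # placeholder path
TLSCertificateKeyFile /etc/openldap/certs/server.key      # placeholder path

database hdb
suffix   "dc=example,dc=com"

# Consumer-side replication with its TLS settings spelled out explicitly.
# tls_cacert: CA used to verify the provider's certificate.
# tls_cert/tls_key: the consumer's own client identity (a separate key pair,
#   not the listener's server certificate).
# tls_reqcert=demand: refuse to replicate if the provider's certificate does
#   not verify, so a misconfigured or spoofed provider cannot feed data in.
syncrepl rid=001
    provider=ldap://provider.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=REPLACE_WITH_REAL_SECRET
    starttls=critical
    tls_cacert=/etc/openldap/certs/ca.pem
    tls_cert=/etc/openldap/certs/consumer.pem
    tls_key=/etc/openldap/certs/consumer.key
    tls_reqcert=demand
```

After changing these lines, restarting slapd and checking its log for the syncrepl connection (and running a client-side `ldapsearch -ZZ` against the provider with the same CA file) confirms that the consumer verifies the provider rather than silently falling back to whatever context the crypto backend inherited.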