Commit d5ed7c50 authored by Howard Chu

ITS#9054, #9318 document new TLS options in slapd

parent 49b1e8b1
Pipeline #793 passed with stage
in 27 minutes and 20 seconds
......@@ -319,7 +319,9 @@ for details on the syntax of this field.
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_protocol_min=<major>[.<minor>]]
.B [tls_crlcheck=none|peer|all]
Allows one to define the parameters of the authentication method that is
......
......@@ -1771,7 +1771,9 @@ FALSE, meaning the contextCSN is stored in the context entry.
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_crlcheck=none|peer|all]
.B [tls_protocol_min=<major>[.<minor>]]
.B [suffixmassage=<real DN>]
......@@ -1938,7 +1940,9 @@ to establish a TLS session before Binding to the provider. If the
argument is supplied, the session will be aborted if the StartTLS request
fails. Otherwise the syncrepl session continues without TLS. The
.B tls_reqcert
setting defaults to "demand" and the other TLS settings default to the same
setting defaults to "demand", the
.B tls_reqsan
setting defaults to "allow", and the other TLS settings default to the same
as the main slapd TLS settings.
The
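Review bot: the reworded sentence gives tls_reqsan a default of "allow" next to tls_reqcert's "demand", but none of the hunks in this commit says what the four tls_reqsan values (never|allow|try|demand) do, or what format <names> takes for tls_ecname. Suggest adding a short description of each value here, or a cross-reference to the page that defines them, so a reader can tell how strict the "allow" default actually is for a syncrepl consumer.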
......
......@@ -113,7 +113,9 @@ needs to be created.
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_protocol_min=<major>[.<minor>]]
.B [tls_crlcheck=none|peer|all]
.RS
......@@ -148,7 +150,9 @@ which is \fIintrinsically unsafe and should be used with extreme care\fP.
The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
which defaults to "demand".
which defaults to "demand", and
.B tls_reqsan
which defaults to "allow".
.RE
.TP
......@@ -223,7 +227,9 @@ case allows anonymous rather than denies.
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_protocol_min=<version>]
.B [tls_crlcheck=none|peer|all]
.RS
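Review bot: the synopsis in this hunk still reads `tls_protocol_min=<version>` on the line after the new tls_ecname entry, while the other synopses touched by this commit write `tls_protocol_min=<major>[.<minor>]`. Since this block is being edited anyway, consider making the placeholder consistent so the accepted value format is the same on every page.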
......@@ -383,7 +389,9 @@ after the bind for the same purpose.
The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
which defaults to "demand".
which defaults to "demand", and
.B tls_reqsan
which defaults to "allow".
The identity associated to this directive is also used for privileged
operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
......@@ -580,7 +588,9 @@ is used.
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_crlcheck=none|peer|all]
.RS
Specify TLS settings for regular connections.
......@@ -596,7 +606,9 @@ if the StartTLS operation failed; its use is \fBnot\fP recommended.
The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
which defaults to "demand" and
which defaults to "demand",
.B tls_reqsan
which defaults to "allow", and
.B starttls
which is overshadowed by the first keyword and thus ignored.
.RE
......
......@@ -379,7 +379,9 @@ for details on the syntax of this field.
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<ciphers>]
.B [tls_protocol_min=<major>[.<minor>]]
.B [tls_crlcheck=none|peer|all]
.RS
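Review bot: the added line `.B [tls_ecname=<ciphers>]` uses the placeholder <ciphers>, whereas every other synopsis in this commit writes `tls_ecname=<names>`; it looks copied from the tls_cipher_suite line directly above it. Suggest changing it to `<names>` so readers do not take this option for a second cipher list.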
......@@ -538,7 +540,9 @@ is recommended.
The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
which defaults to "demand".
which defaults to "demand", and
.B tls_reqsan
which defaults to "allow"..
The identity associated to this directive is also used for privileged
operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
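Review bot: the new line `which defaults to "allow"..` ends with a doubled period. Suggest a single period, matching the same sentence in the other files of this commit.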
......
......@@ -1750,7 +1750,9 @@ the contextCSN is stored in the context entry.
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_crlcheck=none|peer|all]
.B [tls_protocol_min=<major>[.<minor>]]
.B [suffixmassage=<real DN>]
......@@ -1949,7 +1951,9 @@ to establish a TLS session before Binding to the provider. If the
argument is supplied, the session will be aborted if the StartTLS request
fails. Otherwise the syncrepl session continues without TLS. The
.B tls_reqcert
setting defaults to "demand" and the other TLS settings
setting defaults to "demand", the
.B tls_reqsan
seting defaults to "allow", and the other TLS settings
default to the same as the main slapd TLS settings.
The
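Review bot: typo in the added line `seting defaults to "allow", and the other TLS settings`; "seting" should be "setting". The parallel sentence in the earlier syncrepl hunk spells it correctly.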
......