Skip to content
GitLab
Menu
Projects
Groups
Snippets
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in / Register
Toggle navigation
Menu
Open sidebar
openldap
OpenLDAP
Compare Revisions
b48afc2e1bbd42ceb94686d9af01abe7ad843dd9...d0f3539ae5c8deddbda793cf73d9f521981e6d2b
Commits (6)
More for ITS
#8845
, skip cleanup on async op with extended operations
· 8d312196
Quanah Gibson-Mount
authored
Aug 26, 2020
8d312196
Last commit was for ITS
#8725
, not ITS
#8845
· baf5571d
Quanah Gibson-Mount
authored
Aug 26, 2020
baf5571d
ITS
#9054
fix typo
· 53676779
Howard Chu
authored
Aug 27, 2020
53676779
ITS
#9282
- Fix hard coded backend
· 49b1e8b1
Quanah Gibson-Mount
authored
Aug 27, 2020
49b1e8b1
ITS
#9054
,
#9318
document new TLS options in slapd
· d5ed7c50
Howard Chu
authored
Aug 28, 2020
d5ed7c50
Merge remote-tracking branch 'origin/master' into OPENLDAP_REL_ENG_2_5
· d0f3539a
Quanah Gibson-Mount
authored
Aug 28, 2020
d0f3539a
Hide whitespace changes
Inline
Side-by-side
doc/man/man5/slapd-asyncmeta.5
View file @
d0f3539a
...
...
@@ -319,7 +319,9 @@ for details on the syntax of this field.
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_protocol_min=<major>[.<minor>]]
.B [tls_crlcheck=none|peer|all]
Allows one to define the parameters of the authentication method that is
...
...
doc/man/man5/slapd-config.5
View file @
d0f3539a
...
...
@@ -1771,7 +1771,9 @@ FALSE, meaning the contextCSN is stored in the context entry.
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_crlcheck=none|peer|all]
.B [tls_protocol_min=<major>[.<minor>]]
.B [suffixmassage=<real DN>]
...
...
@@ -1938,7 +1940,9 @@ to establish a TLS session before Binding to the provider. If the
argument is supplied, the session will be aborted if the StartTLS request
fails. Otherwise the syncrepl session continues without TLS. The
.B tls_reqcert
setting defaults to "demand" and the other TLS settings default to the same
setting defaults to "demand", the
.B tls_reqsan
setting defaults to "allow", and the other TLS settings default to the same
as the main slapd TLS settings.
The
...
...
doc/man/man5/slapd-ldap.5
View file @
d0f3539a
...
...
@@ -113,7 +113,9 @@ needs to be created.
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_protocol_min=<major>[.<minor>]]
.B [tls_crlcheck=none|peer|all]
.RS
...
...
@@ -148,7 +150,9 @@ which is \fIintrinsically unsafe and should be used with extreme care\fP.
The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
which defaults to "demand".
which defaults to "demand", and
.B tls_reqsan
which defaults to "allow".
.RE
.TP
...
...
@@ -223,7 +227,9 @@ case allows anonymous rather than denies.
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_protocol_min=<version>]
.B [tls_crlcheck=none|peer|all]
.RS
...
...
@@ -383,7 +389,9 @@ after the bind for the same purpose.
The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
which defaults to "demand".
which defaults to "demand", and
.B tls_reqsan
which defaults to "allow".
The identity associated to this directive is also used for privileged
operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
...
...
@@ -580,7 +588,9 @@ is used.
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_crlcheck=none|peer|all]
.RS
Specify TLS settings for regular connections.
...
...
@@ -596,7 +606,9 @@ if the StartTLS operation failed; its use is \fBnot\fP recommended.
The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
which defaults to "demand" and
which defaults to "demand",
.B tls_reqsan
which defaults to "allow", and
.B starttls
which is overshadowed by the first keyword and thus ignored.
.RE
...
...
doc/man/man5/slapd-meta.5
View file @
d0f3539a
...
...
@@ -379,7 +379,9 @@ for details on the syntax of this field.
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<ciphers>]
.B [tls_protocol_min=<major>[.<minor>]]
.B [tls_crlcheck=none|peer|all]
.RS
...
...
@@ -538,7 +540,9 @@ is recommended.
The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
which defaults to "demand".
which defaults to "demand", and
.B tls_reqsan
which defaults to "allow"..
The identity associated to this directive is also used for privileged
operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
...
...
doc/man/man5/slapd.conf.5
View file @
d0f3539a
...
...
@@ -1750,7 +1750,9 @@ the contextCSN is stored in the context entry.
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_crlcheck=none|peer|all]
.B [tls_protocol_min=<major>[.<minor>]]
.B [suffixmassage=<real DN>]
...
...
@@ -1949,7 +1951,9 @@ to establish a TLS session before Binding to the provider. If the
argument is supplied, the session will be aborted if the StartTLS request
fails. Otherwise the syncrepl session continues without TLS. The
.B tls_reqcert
setting defaults to "demand" and the other TLS settings
setting defaults to "demand", the
.B tls_reqsan
seting defaults to "allow", and the other TLS settings
default to the same as the main slapd TLS settings.
The
...
...
libraries/libldap/tls_o.c
View file @
d0f3539a
...
...
@@ -453,7 +453,7 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
"TLS: Elliptic Curves not supported.
\n
"
);
return
-
1
;
#else
if
(
SSL_CTX_set1_curves_list
(
ctx
,
lt
->
lt_ecname
))
{
if
(
!
SSL_CTX_set1_curves_list
(
ctx
,
lt
->
lt_ecname
))
{
Debug1
(
LDAP_DEBUG_ANY
,
"TLS: could not set EC name `%s'.
\n
"
,
lo
->
ldo_tls_ecname
);
...
...
servers/slapd/extended.c
View file @
d0f3539a
...
...
@@ -174,6 +174,11 @@ do_extended(
op
->
o_bd
=
frontendDB
;
rs
->
sr_err
=
frontendDB
->
be_extended
(
op
,
rs
);
if
(
rs
->
sr_err
==
SLAPD_ASYNCOP
){
/* skip cleanup */
return
rs
->
sr_err
;
}
/* clean up in case some overlay set them? */
if
(
!
BER_BVISNULL
(
&
op
->
o_req_ndn
)
)
{
if
(
!
BER_BVISNULL
(
&
op
->
o_req_dn
)
...
...
tests/data/regressions/its9282/config.ldif
View file @
d0f3539a
...
...
@@ -62,7 +62,7 @@ olcSyncrepl: {0}rid=001 provider=@URI@ type=refreshAndPersist retry="10 +"
dn="cn=manager,dc=example,dc=com" credentials=secret timeout=1
olcMultiProvider: TRUE
dn: olcOverlay={0}syncprov,olcDatabase={1}
mdb
,cn=config
dn: olcOverlay={0}syncprov,olcDatabase={1}
@BACKEND@
,cn=config
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
