ITS#9054, #9318 document new TLS options in slapd

doc/man/man5/slapd-asyncmeta.5

@@ -319,7 +319,9 @@ for details on the syntax of this field.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_protocol_min=<major>[.<minor>]]
 .B [tls_crlcheck=none|peer|all]
 Allows one to define the parameters of the authentication method that is

doc/man/man5/slapd-config.5

@@ -1771,7 +1771,9 @@ FALSE, meaning the contextCSN is stored in the context entry.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_crlcheck=none|peer|all]
 .B [tls_protocol_min=<major>[.<minor>]]
 .B [suffixmassage=<real DN>]
@@ -1938,7 +1940,9 @@ to establish a TLS session before Binding to the provider. If the
 argument is supplied, the session will be aborted if the StartTLS request
 fails. Otherwise the syncrepl session continues without TLS. The
 .B tls_reqcert
-setting defaults to "demand" and the other TLS settings default to the same
+setting defaults to "demand", the
+.B tls_reqsan
+setting defaults to "allow", and the other TLS settings default to the same
 as the main slapd TLS settings.
 
 The

doc/man/man5/slapd-ldap.5

@@ -113,7 +113,9 @@ needs to be created.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_protocol_min=<major>[.<minor>]]
 .B [tls_crlcheck=none|peer|all]
 .RS
@@ -148,7 +150,9 @@ which is \fIintrinsically unsafe and should be used with extreme care\fP.
 The TLS settings default to the same as the main slapd TLS settings,
 except for
 .B tls_reqcert
-which defaults to "demand".
+which defaults to "demand", and
+.B tls_reqsan
+which defaults to "allow".
 .RE
 
 .TP
@@ -223,7 +227,9 @@ case allows anonymous rather than denies.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_protocol_min=<version>]
 .B [tls_crlcheck=none|peer|all]
 .RS
@@ -383,7 +389,9 @@ after the bind for the same purpose.
 The TLS settings default to the same as the main slapd TLS settings,
 except for
 .B tls_reqcert
-which defaults to "demand".
+which defaults to "demand", and
+.B tls_reqsan
+which defaults to "allow".
 
 The identity associated to this directive is also used for privileged
 operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
@@ -580,7 +588,9 @@ is used.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_crlcheck=none|peer|all]
 .RS
 Specify TLS settings for regular connections.
@@ -596,7 +606,9 @@ if the StartTLS operation failed; its use is \fBnot\fP recommended.
 The TLS settings default to the same as the main slapd TLS settings,
 except for
 .B tls_reqcert
-which defaults to "demand" and
+which defaults to "demand",
+.B tls_reqsan
+which defaults to "allow", and
 .B starttls
 which is overshadowed by the first keyword and thus ignored.
 .RE

doc/man/man5/slapd-meta.5

@@ -379,7 +379,9 @@ for details on the syntax of this field.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<ciphers>]
 .B [tls_protocol_min=<major>[.<minor>]]
 .B [tls_crlcheck=none|peer|all]
 .RS
@@ -538,7 +540,9 @@ is recommended.
 The TLS settings default to the same as the main slapd TLS settings,
 except for
 .B tls_reqcert
-which defaults to "demand".
+which defaults to "demand", and
+.B tls_reqsan
+which defaults to "allow"..
 
 The identity associated to this directive is also used for privileged
 operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP

doc/man/man5/slapd.conf.5

@@ -1750,7 +1750,9 @@ the contextCSN is stored in the context entry.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_crlcheck=none|peer|all]
 .B [tls_protocol_min=<major>[.<minor>]]
 .B [suffixmassage=<real DN>]
@@ -1949,7 +1951,9 @@ to establish a TLS session before Binding to the provider. If the
 argument is supplied, the session will be aborted if the StartTLS request
 fails. Otherwise the syncrepl session continues without TLS. The
 .B tls_reqcert
-setting defaults to "demand" and the other TLS settings
+setting defaults to "demand", the
+.B tls_reqsan
+seting defaults to "allow", and the other TLS settings
 default to the same as the main slapd TLS settings.
 
 The