ITS#9054, #9318 document new TLS options in slapd

diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index 3a621b35cbadc942e9925a1346bd54f8b7fc67b3..184fa17d0a741c3d7149e9cc95b7567a83768ee1 100644 (file)
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -1785,7 +1785,9 @@ FALSE, meaning the contextCSN is stored in the context entry.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_crlcheck=none|peer|all]
 .B [tls_protocol_min=<major>[.<minor>]]
 .B [suffixmassage=<real DN>]
@@ -1951,7 +1953,9 @@ to establish a TLS session before Binding to the provider. If the
 argument is supplied, the session will be aborted if the StartTLS request
 fails. Otherwise the syncrepl session continues without TLS. The
 .B tls_reqcert
-setting defaults to "demand" and the other TLS settings default to the same
+setting defaults to "demand", the
+.B tls_reqsan
+setting defaults to "allow", and the other TLS settings default to the same
 as the main slapd TLS settings.
 
 The

diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5
index 410db8c6042f195800617d6b0773d567948eca62..9d75029f96fa3149e5154ee7fb93c00c5e04b220 100644 (file)
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -113,7 +113,9 @@ needs to be created.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_protocol_min=<major>[.<minor>]]
 .B [tls_crlcheck=none|peer|all]
 .RS
@@ -152,7 +154,9 @@ and
 The TLS settings default to the same as the main slapd TLS settings,
 except for
 .B tls_reqcert
-which defaults to "demand".
+which defaults to "demand", and
+.B tls_reqsan
+which defaults to "allow".
 .RE
 
 .TP
@@ -227,7 +231,9 @@ case allows anonymous rather than denies.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_protocol_min=<version>]
 .B [tls_crlcheck=none|peer|all]
 .RS
@@ -378,7 +384,9 @@ is recommended.
 The TLS settings default to the same as the main slapd TLS settings,
 except for
 .B tls_reqcert
-which defaults to "demand".
+which defaults to "demand", and
+.B tls_reqsan
+which defaults to "allow".
 
 The identity associated to this directive is also used for privileged
 operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
@@ -584,7 +592,9 @@ is used.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_crlcheck=none|peer|all]
 .RS
 Specify TLS settings for regular connections.
@@ -600,7 +610,9 @@ if the StartTLS operation failed; its use is \fBnot\fP recommended.
 The TLS settings default to the same as the main slapd TLS settings,
 except for
 .B tls_reqcert
-which defaults to "demand" and
+which defaults to "demand",
+.B tls_reqsan
+which defaults to "allow", and
 .B starttls
 which is overshadowed by the first keyword and thus ignored.
 .RE

diff --git a/doc/man/man5/slapd-meta.5 b/doc/man/man5/slapd-meta.5
index ae670c8950ff2f9fe2d9c5ff7cde49a6737e65c1..d9de69dfe7eafee51747c4f5f77d649b6b331fb9 100644 (file)
--- a/doc/man/man5/slapd-meta.5
+++ b/doc/man/man5/slapd-meta.5
@@ -361,7 +361,9 @@ for details on the syntax of this field.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<ciphers>]
 .B [tls_protocol_min=<major>[.<minor>]]
 .B [tls_crlcheck=none|peer|all]
 .RS
@@ -511,7 +513,9 @@ is recommended.
 The TLS settings default to the same as the main slapd TLS settings,
 except for
 .B tls_reqcert
-which defaults to "demand".
+which defaults to "demand", and
+.B tls_reqsan
+which defaults to "allow"..
 
 The identity associated to this directive is also used for privileged
 operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP

diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index 585cd2cb7661b5b41747eee65bf27c0a016fe3ea..38e6b2c24156997fa43ab7d6259616de167e808b 100644 (file)
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1765,7 +1765,9 @@ the contextCSN is stored in the context entry.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_crlcheck=none|peer|all]
 .B [tls_protocol_min=<major>[.<minor>]]
 .B [suffixmassage=<real DN>]
@@ -1963,7 +1965,9 @@ to establish a TLS session before Binding to the provider. If the
 argument is supplied, the session will be aborted if the StartTLS request
 fails. Otherwise the syncrepl session continues without TLS. The
 .B tls_reqcert
-setting defaults to "demand" and the other TLS settings
+setting defaults to "demand", the
+.B tls_reqsan
+seting defaults to "allow", and the other TLS settings
 default to the same as the main slapd TLS settings.
 
 The