ITS#9054, #9318 document new TLS options in slapd

diff --git a/doc/man/man5/slapd-asyncmeta.5 b/doc/man/man5/slapd-asyncmeta.5
index bcc8f55fbc6e0334504232e7565d90669c37caa1..736a3124b897a4f3db0dda8785ecd8807df4df51 100644 (file)
--- a/doc/man/man5/slapd-asyncmeta.5
+++ b/doc/man/man5/slapd-asyncmeta.5
@@ -319,7 +319,9 @@ for details on the syntax of this field.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_protocol_min=<major>[.<minor>]]
 .B [tls_crlcheck=none|peer|all]
 Allows one to define the parameters of the authentication method that is

diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index 6eca909ebb002f330c332061f41cb03406505fbc..b55c8ef4847448aa168c1c565c63f538384b8ffb 100644 (file)
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -1771,7 +1771,9 @@ FALSE, meaning the contextCSN is stored in the context entry.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_crlcheck=none|peer|all]
 .B [tls_protocol_min=<major>[.<minor>]]
 .B [suffixmassage=<real DN>]
@@ -1938,7 +1940,9 @@ to establish a TLS session before Binding to the provider. If the
 argument is supplied, the session will be aborted if the StartTLS request
 fails. Otherwise the syncrepl session continues without TLS. The
 .B tls_reqcert
-setting defaults to "demand" and the other TLS settings default to the same
+setting defaults to "demand", the
+.B tls_reqsan
+setting defaults to "allow", and the other TLS settings default to the same
 as the main slapd TLS settings.
 
 The

diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5
index 77683aaf219e02a639c80b661573b3a557750fbb..67ab87bb4e3ac1ff8c02ea71e9e938e2fdc5ae69 100644 (file)
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -113,7 +113,9 @@ needs to be created.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_protocol_min=<major>[.<minor>]]
 .B [tls_crlcheck=none|peer|all]
 .RS
@@ -148,7 +150,9 @@ which is \fIintrinsically unsafe and should be used with extreme care\fP.
 The TLS settings default to the same as the main slapd TLS settings,
 except for
 .B tls_reqcert
-which defaults to "demand".
+which defaults to "demand", and
+.B tls_reqsan
+which defaults to "allow".
 .RE
 
 .TP
@@ -223,7 +227,9 @@ case allows anonymous rather than denies.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_protocol_min=<version>]
 .B [tls_crlcheck=none|peer|all]
 .RS
@@ -383,7 +389,9 @@ after the bind for the same purpose.
 The TLS settings default to the same as the main slapd TLS settings,
 except for
 .B tls_reqcert
-which defaults to "demand".
+which defaults to "demand", and
+.B tls_reqsan
+which defaults to "allow".
 
 The identity associated to this directive is also used for privileged
 operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
@@ -580,7 +588,9 @@ is used.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_crlcheck=none|peer|all]
 .RS
 Specify TLS settings for regular connections.
@@ -596,7 +606,9 @@ if the StartTLS operation failed; its use is \fBnot\fP recommended.
 The TLS settings default to the same as the main slapd TLS settings,
 except for
 .B tls_reqcert
-which defaults to "demand" and
+which defaults to "demand",
+.B tls_reqsan
+which defaults to "allow", and
 .B starttls
 which is overshadowed by the first keyword and thus ignored.
 .RE

diff --git a/doc/man/man5/slapd-meta.5 b/doc/man/man5/slapd-meta.5
index 7ab664a7b1879939625c224eda45f3728a1b6060..4bdb977f05e687b958ff04acfa5d43f8cc7f8cfa 100644 (file)
--- a/doc/man/man5/slapd-meta.5
+++ b/doc/man/man5/slapd-meta.5
@@ -379,7 +379,9 @@ for details on the syntax of this field.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<ciphers>]
 .B [tls_protocol_min=<major>[.<minor>]]
 .B [tls_crlcheck=none|peer|all]
 .RS
@@ -538,7 +540,9 @@ is recommended.
 The TLS settings default to the same as the main slapd TLS settings,
 except for
 .B tls_reqcert
-which defaults to "demand".
+which defaults to "demand", and
+.B tls_reqsan
+which defaults to "allow"..
 
 The identity associated to this directive is also used for privileged
 operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP

diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index c0957dd45468e83200330cac7abb40f0b654a95a..2dd630c28ee93d962f3c704c615d14750251ac1e 100644 (file)
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1750,7 +1750,9 @@ the contextCSN is stored in the context entry.
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_crlcheck=none|peer|all]
 .B [tls_protocol_min=<major>[.<minor>]]
 .B [suffixmassage=<real DN>]
@@ -1949,7 +1951,9 @@ to establish a TLS session before Binding to the provider. If the
 argument is supplied, the session will be aborted if the StartTLS request
 fails. Otherwise the syncrepl session continues without TLS. The
 .B tls_reqcert
-setting defaults to "demand" and the other TLS settings
+setting defaults to "demand", the
+.B tls_reqsan
+seting defaults to "allow", and the other TLS settings
 default to the same as the main slapd TLS settings.
 
 The