From: Howard Chu Date: Thu, 18 Feb 2021 14:33:16 +0000 (+0000) Subject: ITS#8861 clarify tls keyword X-Git-Tag: OPENLDAP_REL_ENG_2_5_2BETA~4^2~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dfd8515e8e59f7c646097151a7e7d07b24ea6c06;p=thirdparty%2Fopenldap.git ITS#8861 clarify tls keyword --- diff --git a/doc/man/man5/slapd-asyncmeta.5 b/doc/man/man5/slapd-asyncmeta.5 index 0e2d393f18..60ca2ccf96 100644 --- a/doc/man/man5/slapd-asyncmeta.5 +++ b/doc/man/man5/slapd-asyncmeta.5 
@@ -443,15 +443,43 @@ See for details. .TP -.B tls {[try\-]start|[try\-]propagate} -execute the StartTLS extended operation when the connection is initialized; -only works if the URI directive protocol scheme is not \fBldaps://\fP. +.B tls {none|[try\-]start|[try\-]propagate|ldaps} +B [starttls=no] +.B [tls_cert=] +.B [tls_key=] +.B [tls_cacert=] +.B [tls_cacertdir=] +.B [tls_reqcert=never|allow|try|demand] +.B [tls_reqsan=never|allow|try|demand] +.B [tls_cipher_suite=] +.B [tls_ecname=] +.B [tls_crlcheck=none|peer|all] +.RS +Specify TLS settings regular connections. + +If the first parameter is not "none" then this configures the TLS +settings to be used for regular connections. +The StartTLS extended operation will be used when establishing the +connection unless the URI directive protocol scheme is \fBldaps://\fP. +In that case this keyword may only be set to "ldaps" and the StartTLS +operation will not be used. + \fBpropagate\fP issues the StartTLS operation only if the original connection did. The \fBtry\-\fP prefix instructs the proxy to continue operations if the StartTLS operation failed; its use is highly deprecated. +The TLS settings default to the same as the main slapd TLS settings, +except for +.B tls_reqcert +which defaults to "demand", +.B tls_reqsan +which defaults to "allow", and +.B starttls +which is overshadowed by the first keyword and thus ignored. + If set before any target specification, it affects all targets, unless overridden by any per-target directive. +.RE .SH SCENARIOS See diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5 index dcb119c8eb..d4c6435140 100644 --- a/doc/man/man5/slapd-ldap.5 +++ b/doc/man/man5/slapd-ldap.5 
@@ -595,8 +595,12 @@ is used. .RS Specify TLS settings for regular connections. -The first parameter only applies to \fBldap://\fP connections and so -at the moment, \fBnone\fP and \fBldaps\fP are equivalent. +If the first parameter is not "none" then this configures the TLS +settings to be used for regular connections. +The StartTLS extended operation will be used when establishing the +connection unless the URI directive protocol scheme is \fBldaps://\fP. +In that case this keyword may only be set to "ldaps" and the StartTLS +operation will not be used. With \fBpropagate\fP, the proxy issues StartTLS operation only if the original connection has a TLS layer set up. diff --git a/doc/man/man5/slapd-meta.5 b/doc/man/man5/slapd-meta.5 index 9ed70fbc4b..2e16ae9468 100644 --- a/doc/man/man5/slapd-meta.5 +++ b/doc/man/man5/slapd-meta.5 
@@ -722,15 +722,43 @@ In case the timeout is exceeded during a bind operation, the connection is destroyed, according to RFC4511. .TP -.B tls {[try\-]start|[try\-]propagate} -execute the StartTLS extended operation when the connection is initialized; -only works if the URI directive protocol scheme is not \fBldaps://\fP. +.B tls {none|[try\-]start|[try\-]propagate|ldaps} +.B [starttls=no] +.B [tls_cert=] +.B [tls_key=] +.B [tls_cacert=] +.B [tls_cacertdir=] +.B [tls_reqcert=never|allow|try|demand] +.B [tls_reqsan=never|allow|try|demand] +.B [tls_cipher_suite=] +.B [tls_ecname=] +.B [tls_crlcheck=none|peer|all] +.RS +Specify TLS settings regular connections. + +If the first parameter is not "none" then this configures the TLS +settings to be used for regular connections. +The StartTLS extended operation will be used when establishing the +connection unless the URI directive protocol scheme is \fBldaps://\fP. +In that case this keyword may only be set to "ldaps" and the StartTLS +operation will not be used. + \fBpropagate\fP issues the StartTLS operation only if the original connection did. The \fBtry\-\fP prefix instructs the proxy to continue operations if the StartTLS operation failed; its use is highly deprecated. +The TLS settings default to the same as the main slapd TLS settings, +except for +.B tls_reqcert +which defaults to "demand", +.B tls_reqsan +which defaults to "allow", and +.B starttls +which is overshadowed by the first keyword and thus ignored. + If set before any target specification, it affects all targets, unless overridden by any per-target directive. +.RE .SH SCENARIOS A powerful (and in some sense dangerous) rewrite engine has been added
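Review bot: In the slapd-asyncmeta.5 hunk, the line `+B [starttls=no]` is missing the leading dot of the `.B` macro, so troff will emit the literal text `B [starttls=no]` in the rendered page instead of a bold synopsis argument; the same synopsis in the slapd-meta.5 hunk correctly reads `.B [starttls=no]`, so the two files should match. In the same hunk, `+Specify TLS settings regular connections.` drops the word "for" (the slapd-ldap.5 hunk's context line already reads "Specify TLS settings for regular connections."); suggest `Specify TLS settings for regular connections.`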
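Review bot: The slapd-ldap.5 hunk says that with an `ldaps://` URI the keyword "may only be set to "ldaps"", but does not say what slapd does if an administrator sets `start` or `propagate` on such a URI (configuration rejected at startup, or the value silently ignored); since the removed text explicitly stated that `none` and `ldaps` were equivalent, readers migrating from the old wording will want that behaviour spelled out in one sentence. A smaller style point in the same hunk: the values `"none"` and `"ldaps"` are set in plain double quotes while the neighbouring text bolds keywords with `\fBldaps://\fP` and `\fBpropagate\fP`; suggest `\fBnone\fP` and `\fBldaps\fP` for consistency with the rest of the page.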
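Review bot: In the slapd-meta.5 hunk, the defaults paragraph states that `starttls` "is overshadowed by the first keyword and thus ignored", yet the new synopsis still advertises `.B [starttls=no]`; listing an option that the same text says has no effect invites misconfiguration, so either drop it from the synopsis or state that it is accepted only for compatibility with the slapd-ldap(5) syntax. The same hunk also has `+Specify TLS settings regular connections.` missing "for"; suggest `Specify TLS settings for regular connections.` to match slapd-ldap.5. Finally, the `.RS` ... `.RE` indentation block is opened right after the synopsis and closed before `.SH SCENARIOS`, which looks correct, but the `.TP` entries that follow in the existing page should be checked after rendering to confirm the indent is restored.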