From d5ed7c5027d02e7ec299eaa07aa4e7c4d882fc85 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Fri, 28 Aug 2020 11:08:17 +0100 Subject: [PATCH] ITS#9054, #9318 document new TLS options in slapd --- doc/man/man5/slapd-asyncmeta.5 | 2 ++ doc/man/man5/slapd-config.5 | 6 +++++- doc/man/man5/slapd-ldap.5 | 18 +++++++++++++++--- doc/man/man5/slapd-meta.5 | 6 +++++- doc/man/man5/slapd.conf.5 | 6 +++++- 5 files changed, 32 insertions(+), 6 deletions(-) diff --git a/doc/man/man5/slapd-asyncmeta.5 b/doc/man/man5/slapd-asyncmeta.5 index bcc8f55fbc..736a3124b8 100644 --- a/doc/man/man5/slapd-asyncmeta.5 +++ b/doc/man/man5/slapd-asyncmeta.5 @@ -319,7 +319,9 @@ for details on the syntax of this field. .B [tls_cacert=] .B [tls_cacertdir=] .B [tls_reqcert=never|allow|try|demand] +.B [tls_reqsan=never|allow|try|demand] .B [tls_cipher_suite=] +.B [tls_ecname=] .B [tls_protocol_min=[.]] .B [tls_crlcheck=none|peer|all] Allows one to define the parameters of the authentication method that is diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 index 6eca909ebb..b55c8ef484 100644 --- a/doc/man/man5/slapd-config.5 +++ b/doc/man/man5/slapd-config.5 @@ -1771,7 +1771,9 @@ FALSE, meaning the contextCSN is stored in the context entry. .B [tls_cacert=] .B [tls_cacertdir=] .B [tls_reqcert=never|allow|try|demand] +.B [tls_reqsan=never|allow|try|demand] .B [tls_cipher_suite=] +.B [tls_ecname=] .B [tls_crlcheck=none|peer|all] .B [tls_protocol_min=[.]] .B [suffixmassage=] @@ -1938,7 +1940,9 @@ to establish a TLS session before Binding to the provider. If the argument is supplied, the session will be aborted if the StartTLS request fails. Otherwise the syncrepl session continues without TLS. The .B tls_reqcert -setting defaults to "demand" and the other TLS settings default to the same +setting defaults to "demand", the +.B tls_reqsan +setting defaults to "allow", and the other TLS settings default to the same as the main slapd TLS settings. The 
diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5 index 77683aaf21..67ab87bb4e 100644 --- a/doc/man/man5/slapd-ldap.5 +++ b/doc/man/man5/slapd-ldap.5 @@ -113,7 +113,9 @@ needs to be created. .B [tls_cacert=] .B [tls_cacertdir=] .B [tls_reqcert=never|allow|try|demand] +.B [tls_reqsan=never|allow|try|demand] .B [tls_cipher_suite=] +.B [tls_ecname=] .B [tls_protocol_min=[.]] .B [tls_crlcheck=none|peer|all] .RS @@ -148,7 +150,9 @@ which is \fIintrinsically unsafe and should be used with extreme care\fP. The TLS settings default to the same as the main slapd TLS settings, except for .B tls_reqcert -which defaults to "demand". +which defaults to "demand", and +.B tls_reqsan +which defaults to "allow". .RE .TP @@ -223,7 +227,9 @@ case allows anonymous rather than denies. .B [tls_cacert=] .B [tls_cacertdir=] .B [tls_reqcert=never|allow|try|demand] +.B [tls_reqsan=never|allow|try|demand] .B [tls_cipher_suite=] +.B [tls_ecname=] .B [tls_protocol_min=] .B [tls_crlcheck=none|peer|all] .RS @@ -383,7 +389,9 @@ after the bind for the same purpose. The TLS settings default to the same as the main slapd TLS settings, except for .B tls_reqcert -which defaults to "demand". +which defaults to "demand", and +.B tls_reqsan +which defaults to "allow". The identity associated to this directive is also used for privileged operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP @@ -580,7 +588,9 @@ is used. .B [tls_cacert=] .B [tls_cacertdir=] .B [tls_reqcert=never|allow|try|demand] +.B [tls_reqsan=never|allow|try|demand] .B [tls_cipher_suite=] +.B [tls_ecname=] .B [tls_crlcheck=none|peer|all] .RS Specify TLS settings for regular connections. 
@@ -596,7 +606,9 @@ if the StartTLS operation failed; its use is \fBnot\fP recommended. The TLS settings default to the same as the main slapd TLS settings, except for .B tls_reqcert -which defaults to "demand" and +which defaults to "demand", +.B tls_reqsan +which defaults to "allow", and .B starttls which is overshadowed by the first keyword and thus ignored. .RE diff --git a/doc/man/man5/slapd-meta.5 b/doc/man/man5/slapd-meta.5 index 7ab664a7b1..4bdb977f05 100644 --- a/doc/man/man5/slapd-meta.5 +++ b/doc/man/man5/slapd-meta.5 @@ -379,7 +379,9 @@ for details on the syntax of this field. .B [tls_cacert=] .B [tls_cacertdir=] .B [tls_reqcert=never|allow|try|demand] +.B [tls_reqsan=never|allow|try|demand] .B [tls_cipher_suite=] +.B [tls_ecname=] .B [tls_protocol_min=[.]] .B [tls_crlcheck=none|peer|all] .RS @@ -538,7 +540,9 @@ is recommended. The TLS settings default to the same as the main slapd TLS settings, except for .B tls_reqcert -which defaults to "demand". +which defaults to "demand", and +.B tls_reqsan +which defaults to "allow".. The identity associated to this directive is also used for privileged operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index c0957dd454..2dd630c28e 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -1750,7 +1750,9 @@ the contextCSN is stored in the context entry. .B [tls_cacert=] .B [tls_cacertdir=] .B [tls_reqcert=never|allow|try|demand] +.B [tls_reqsan=never|allow|try|demand] .B [tls_cipher_suite=] +.B [tls_ecname=] .B [tls_crlcheck=none|peer|all] .B [tls_protocol_min=[.]] .B [suffixmassage=] 
@@ -1949,7 +1951,9 @@ to establish a TLS session before Binding to the provider. If the argument is supplied, the session will be aborted if the StartTLS request fails. Otherwise the syncrepl session continues without TLS. The .B tls_reqcert -setting defaults to "demand" and the other TLS settings +setting defaults to "demand", the +.B tls_reqsan +seting defaults to "allow", and the other TLS settings default to the same as the main slapd TLS settings. The -- 2.47.3
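Review bot: In the slapd-asyncmeta.5 hunk (@@ -319,7) only the option list gains tls_reqsan and tls_ecname, while slapd-meta.5 also gets its "which defaults to "demand"" sentence extended with tls_reqsan; check whether slapd-asyncmeta.5 has the equivalent defaults sentence and update it the same way so the two meta backends do not diverge on the documented tls_reqsan default.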
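Review bot: In the slapd-config.5 hunk (@@ -1771,7), and equally in every other option list this patch touches, the new keywords `.B [tls_reqsan=never|allow|try|demand]` and `.B [tls_ecname=]` are added without any sentence saying what they control (which name is checked against the SAN, what the EC name selects); add a short description or a cross-reference to wherever the corresponding client TLS options are documented so an operator reading only this page can choose a value.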
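Review bot: In the slapd-ldap.5 hunk (@@ -148,7) the new default "allow" for tls_reqsan sits next to tls_reqcert's "demand" without comment; since the value set `never|allow|try|demand` mirrors tls_reqcert, "allow" presumably means a missing or non-matching SAN does not abort the session, and the text should say that explicitly so readers do not assume SAN checking is enforced by default the way certificate verification is.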
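Review bot: In the slapd-ldap.5 hunk (@@ -223,7) the surrounding context line reads `.B [tls_protocol_min=]` while every other list in this patch shows `.B [tls_protocol_min=[.]]`; the inconsistency predates this change, but since the list is being edited anyway it is worth aligning the argument syntax here.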
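Review bot: In the slapd-meta.5 hunk (@@ -538,7) the added line `+which defaults to "allow"..` ends with a double period; drop one so it reads `which defaults to "allow".`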
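Review bot: In the slapd.conf.5 hunk (@@ -1949,7) the added line `+seting defaults to "allow", and the other TLS settings` misspells "setting"; the parallel hunk in slapd-config.5 has it right, so fix this one to `setting defaults to "allow", and the other TLS settings`.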