upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-20 22:59:34 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

ITS#9054, #9318 document new TLS options in slapd

Browse source
This commit is contained in:
Howard Chu 2020-08-28 11:08:17 +01:00
parent 49b1e8b16f
commit d5ed7c5027
5 changed files with 32 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
doc/man/man5/slapd-asyncmeta.5
View file

@ -319,7 +319,9 @@ for details on the syntax of this field.
.B [tls_cacert=<file>] .B [tls_cacert=<file>]
.B [tls_cacertdir=<path>] .B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand] .B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>] .B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_protocol_min=<major>[.<minor>]] .B [tls_protocol_min=<major>[.<minor>]]
.B [tls_crlcheck=none|peer|all] .B [tls_crlcheck=none|peer|all]
Allows one to define the parameters of the authentication method that is Allows one to define the parameters of the authentication method that is

6
doc/man/man5/slapd-config.5
View file

@ -1771,7 +1771,9 @@ FALSE, meaning the contextCSN is stored in the context entry.
.B [tls_cacert=<file>] .B [tls_cacert=<file>]
.B [tls_cacertdir=<path>] .B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand] .B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>] .B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_crlcheck=none|peer|all] .B [tls_crlcheck=none|peer|all]
.B [tls_protocol_min=<major>[.<minor>]] .B [tls_protocol_min=<major>[.<minor>]]
.B [suffixmassage=<real DN>] .B [suffixmassage=<real DN>]
@ -1938,7 +1940,9 @@ to establish a TLS session before Binding to the provider. If the
argument is supplied, the session will be aborted if the StartTLS request argument is supplied, the session will be aborted if the StartTLS request
fails. Otherwise the syncrepl session continues without TLS. The fails. Otherwise the syncrepl session continues without TLS. The
.B tls_reqcert .B tls_reqcert
setting defaults to "demand" and the other TLS settings default to the same setting defaults to "demand", the
.B tls_reqsan
setting defaults to "allow", and the other TLS settings default to the same
as the main slapd TLS settings. as the main slapd TLS settings.
The The

18
doc/man/man5/slapd-ldap.5
View file

@ -113,7 +113,9 @@ needs to be created.
.B [tls_cacert=<file>] .B [tls_cacert=<file>]
.B [tls_cacertdir=<path>] .B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand] .B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>] .B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_protocol_min=<major>[.<minor>]] .B [tls_protocol_min=<major>[.<minor>]]
.B [tls_crlcheck=none|peer|all] .B [tls_crlcheck=none|peer|all]
.RS .RS
@ -148,7 +150,9 @@ which is \fIintrinsically unsafe and should be used with extreme care\fP.
The TLS settings default to the same as the main slapd TLS settings, The TLS settings default to the same as the main slapd TLS settings,
except for except for
.B tls_reqcert .B tls_reqcert
which defaults to "demand". which defaults to "demand", and
.B tls_reqsan
which defaults to "allow".
.RE .RE
.TP .TP
@ -223,7 +227,9 @@ case allows anonymous rather than denies.
.B [tls_cacert=<file>] .B [tls_cacert=<file>]
.B [tls_cacertdir=<path>] .B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand] .B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>] .B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_protocol_min=<version>] .B [tls_protocol_min=<version>]
.B [tls_crlcheck=none|peer|all] .B [tls_crlcheck=none|peer|all]
.RS .RS
@ -383,7 +389,9 @@ after the bind for the same purpose.
The TLS settings default to the same as the main slapd TLS settings, The TLS settings default to the same as the main slapd TLS settings,
except for except for
.B tls_reqcert .B tls_reqcert
which defaults to "demand". which defaults to "demand", and
.B tls_reqsan
which defaults to "allow".
The identity associated to this directive is also used for privileged The identity associated to this directive is also used for privileged
operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
@ -580,7 +588,9 @@ is used.
.B [tls_cacert=<file>] .B [tls_cacert=<file>]
.B [tls_cacertdir=<path>] .B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand] .B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>] .B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_crlcheck=none|peer|all] .B [tls_crlcheck=none|peer|all]
.RS .RS
Specify TLS settings for regular connections. Specify TLS settings for regular connections.
@ -596,7 +606,9 @@ if the StartTLS operation failed; its use is \fBnot\fP recommended.
The TLS settings default to the same as the main slapd TLS settings, The TLS settings default to the same as the main slapd TLS settings,
except for except for
.B tls_reqcert .B tls_reqcert
which defaults to "demand" and which defaults to "demand",
.B tls_reqsan
which defaults to "allow", and
.B starttls .B starttls
which is overshadowed by the first keyword and thus ignored. which is overshadowed by the first keyword and thus ignored.
.RE .RE

6
doc/man/man5/slapd-meta.5
View file

@ -379,7 +379,9 @@ for details on the syntax of this field.
.B [tls_cacert=<file>] .B [tls_cacert=<file>]
.B [tls_cacertdir=<path>] .B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand] .B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>] .B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<ciphers>]
.B [tls_protocol_min=<major>[.<minor>]] .B [tls_protocol_min=<major>[.<minor>]]
.B [tls_crlcheck=none|peer|all] .B [tls_crlcheck=none|peer|all]
.RS .RS
@ -538,7 +540,9 @@ is recommended.
The TLS settings default to the same as the main slapd TLS settings, The TLS settings default to the same as the main slapd TLS settings,
except for except for
.B tls_reqcert .B tls_reqcert
which defaults to "demand". which defaults to "demand", and
.B tls_reqsan
which defaults to "allow"..
The identity associated to this directive is also used for privileged The identity associated to this directive is also used for privileged
operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP

6
doc/man/man5/slapd.conf.5
View file

@ -1750,7 +1750,9 @@ the contextCSN is stored in the context entry.
.B [tls_cacert=<file>] .B [tls_cacert=<file>]
.B [tls_cacertdir=<path>] .B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand] .B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>] .B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_crlcheck=none|peer|all] .B [tls_crlcheck=none|peer|all]
.B [tls_protocol_min=<major>[.<minor>]] .B [tls_protocol_min=<major>[.<minor>]]
.B [suffixmassage=<real DN>] .B [suffixmassage=<real DN>]
@ -1949,7 +1951,9 @@ to establish a TLS session before Binding to the provider. If the
argument is supplied, the session will be aborted if the StartTLS request argument is supplied, the session will be aborted if the StartTLS request
fails. Otherwise the syncrepl session continues without TLS. The fails. Otherwise the syncrepl session continues without TLS. The
.B tls_reqcert .B tls_reqcert
setting defaults to "demand" and the other TLS settings setting defaults to "demand", the
.B tls_reqsan
seting defaults to "allow", and the other TLS settings
default to the same as the main slapd TLS settings. default to the same as the main slapd TLS settings.
The The