ltb-project / slapd-cli

OpenLDAP init script
http://ltb-project.org/wiki/documentation/openldap-initscript
GNU General Public License v3.0

add LDAPSEARCH_PARAMS option #54

Closed artlog closed 1 year ago

artlog commented 1 year ago

slapd-cli checksync connects over ldap but does not support the startTLS (-Z) option, which would additionally require a valid hostname-matching certificate:

slapd-cli checksync uses the following request to get contextCSN:

/usr/local/openldap/bin/ldapsearch -x -H ldap://localhost:389 -D uid=syncrepl,ou=accounts,ou=infrastructure,dc=example,dc=com -w ... -b dc=example,dc=com -o nettimeout=5 -s base contextCSN
ldap_bind: Confidentiality required (13)
additional info: confidentiality required

It would require using -Z and a correct certificate whose subjectAltNames match the hostname (which could be mapped to 127.0.0.1 in /etc/hosts).

davidcoutadeur commented 1 year ago

Indeed, it could be nice to have a new parameter in slapd-cli.conf:

LDAPSEARCH_PARAMS=""

It could be empty by default, and if StartTLS or other options are required (a custom ldap.conf file, for example), we could add them.

Note that checksync is not the only action to use LDAPSEARCH_BIN. There is also the version action.
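An added example, not code from slapd-cli or its authors, of how an LDAPSEARCH_PARAMS option read from slapd-cli.conf could be spliced into the contextCSN query quoted above. Only LDAPSEARCH_BIN and LDAPSEARCH_PARAMS are names from this issue; LDAP_URI, BIND_DN, BIND_PW and SUFFIX are hypothetical variable names, and their default values are constructed placeholders modelled on the command in the issue. The point it shows is the shell quoting: the option string must be expanded unquoted so that an empty default adds no argument and "-Z -o ldif-wrap=no" becomes three arguments.

```shell
#!/bin/sh
# Added example (not slapd-cli's own code): splicing an LDAPSEARCH_PARAMS option
# into the checksync contextCSN query. Variable names other than LDAPSEARCH_BIN
# and LDAPSEARCH_PARAMS are hypothetical; values are constructed placeholders.

LDAPSEARCH_BIN="${LDAPSEARCH_BIN:-/usr/local/openldap/bin/ldapsearch}"
# With -Z in LDAPSEARCH_PARAMS the host in this URI must match the server
# certificate's subjectAltNames (e.g. a name mapped to 127.0.0.1 in /etc/hosts).
LDAP_URI="${LDAP_URI:-ldap://localhost:389}"
BIND_DN="${BIND_DN:-uid=syncrepl,ou=accounts,ou=infrastructure,dc=example,dc=com}"
BIND_PW="${BIND_PW:-changeme}"          # constructed placeholder
SUFFIX="${SUFFIX:-dc=example,dc=com}"
# Empty by default, as proposed; e.g. LDAPSEARCH_PARAMS="-Z" in slapd-cli.conf.
LDAPSEARCH_PARAMS="${LDAPSEARCH_PARAMS:-}"

# Build the argument list for the contextCSN query, one argument per output
# line so callers can inspect it (or run it with eval-free xargs-style logic).
# $LDAPSEARCH_PARAMS is deliberately unquoted: the shell word-splits it, so an
# empty value contributes no argument, while "$LDAPSEARCH_PARAMS" (quoted) would
# hand ldapsearch a single empty string that it would read as a search filter.
build_checksync_cmd() {
    # shellcheck disable=SC2086
    set -- "$LDAPSEARCH_BIN" -x -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
           -b "$SUFFIX" -o nettimeout=5 -s base $LDAPSEARCH_PARAMS contextCSN
    printf '%s\n' "$@"
}

# Number of arguments the command would receive (binary included), useful for
# checking that the option string splits as intended.
count_checksync_args() {
    build_checksync_cmd | wc -l | tr -d ' '
}

# Show the resulting command line when run directly.
build_checksync_cmd
```

With LDAPSEARCH_PARAMS empty the command has exactly the 15 words of the ldapsearch call shown in the issue; setting it to "-Z" inserts StartTLS right before the attribute list, and the version action can reuse the same variable the same way.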

davidcoutadeur commented 1 year ago

Done in f940c1c