Make syncrepl inherit default TLS settings from main slapd config (except

for reqcert, default demand)

servers/slapd/bconfig.c

@@ -3094,22 +3094,9 @@ config_tls_option(ConfigArgs *c) {
 static int
 config_tls_config(ConfigArgs *c) {
 	int i, flag;
-	slap_verbmasks crlkeys[] = {
-		{ BER_BVC("none"),	LDAP_OPT_X_TLS_CRL_NONE },
-		{ BER_BVC("peer"),	LDAP_OPT_X_TLS_CRL_PEER },
-		{ BER_BVC("all"),	LDAP_OPT_X_TLS_CRL_ALL },
-		{ BER_BVNULL, 0 }
-	};
-	slap_verbmasks vfykeys[] = {
-		{ BER_BVC("never"),	LDAP_OPT_X_TLS_NEVER },
-		{ BER_BVC("demand"),	LDAP_OPT_X_TLS_DEMAND },
-		{ BER_BVC("try"),	LDAP_OPT_X_TLS_TRY },
-		{ BER_BVC("hard"),	LDAP_OPT_X_TLS_HARD },
-		{ BER_BVNULL, 0 }
-	}, *keys;
 	switch(c->type) {
-	case CFG_TLS_CRLCHECK:	flag = LDAP_OPT_X_TLS_CRLCHECK;		keys = crlkeys;	break;
-	case CFG_TLS_VERIFY:	flag = LDAP_OPT_X_TLS_REQUIRE_CERT;	keys = vfykeys;	break;
+	case CFG_TLS_CRLCHECK:	flag = LDAP_OPT_X_TLS_CRLCHECK; break;
+	case CFG_TLS_VERIFY:	flag = LDAP_OPT_X_TLS_REQUIRE_CERT; break;
 	default:
 		Debug(LDAP_DEBUG_ANY, "%s: "
 				"unknown tls_option <0x%x>\n",
@@ -3117,14 +3104,7 @@ config_tls_config(ConfigArgs *c) {
 		return 1;
 	}
 	if (c->op == SLAP_CONFIG_EMIT) {
-		ldap_pvt_tls_get_option( slap_tls_ld, flag, &c->value_int );
-		for (i=0; !BER_BVISNULL(&keys[i].word); i++) {
-			if (keys[i].mask == c->value_int) {
-				c->value_string = ch_strdup( keys[i].word.bv_val );
-				return 0;
-			}
-		}
-		return 1;
+		return slap_tls_get_config( slap_tls_ld, flag, &c->value_string );
 	} else if ( c->op == LDAP_MOD_DELETE ) {
 		int i = 0;
 		return ldap_pvt_tls_set_option( slap_tls_ld, flag, &i );

servers/slapd/config.c

@@ -998,6 +998,21 @@ static slap_verbmasks tlskey[] = {
 	{ BER_BVC("critical"),	SB_TLS_CRITICAL },
 	{ BER_BVNULL, 0 }
 };
+
+static slap_verbmasks crlkeys[] = {
+		{ BER_BVC("none"),	LDAP_OPT_X_TLS_CRL_NONE },
+		{ BER_BVC("peer"),	LDAP_OPT_X_TLS_CRL_PEER },
+		{ BER_BVC("all"),	LDAP_OPT_X_TLS_CRL_ALL },
+		{ BER_BVNULL, 0 }
+	};
+
+static slap_verbmasks vfykeys[] = {
+		{ BER_BVC("never"),	LDAP_OPT_X_TLS_NEVER },
+		{ BER_BVC("demand"),	LDAP_OPT_X_TLS_DEMAND },
+		{ BER_BVC("try"),	LDAP_OPT_X_TLS_TRY },
+		{ BER_BVC("hard"),	LDAP_OPT_X_TLS_HARD },
+		{ BER_BVNULL, 0 }
+	};
 #endif
 
 static slap_verbmasks methkey[] = {
@@ -1232,6 +1247,33 @@ slap_cf_aux_table_unparse( void *src, struct berval *bv, slap_cf_aux_table *tab0
 	return 0;
 }
 
+int
+slap_tls_get_config( LDAP *ld, int opt, char **val )
+{
+	slap_verbmasks *keys;
+	int i, ival;
+
+	*val = NULL;
+	switch( opt ) {
+	case LDAP_OPT_X_TLS_CRLCHECK:
+		keys = crlkeys;
+		break;
+	case LDAP_OPT_X_TLS_REQUIRE_CERT:
+		keys = vfykeys;
+		break;
+	default:
+		return -1;
+	}
+	ldap_pvt_tls_get_option( ld, opt, &ival );
+	for (i=0; !BER_BVISNULL(&keys[i].word); i++) {
+		if (keys[i].mask == ival) {
+			*val = ch_strdup( keys[i].word.bv_val );
+			return 0;
+		}
+	}
+	return -1;
+}
+
 int
 bindconf_parse( const char *word, slap_bindconf *bc )
 {
@@ -1324,6 +1366,37 @@ void bindconf_free( slap_bindconf *bc ) {
 #endif
 }
 
+void
+bindconf_tls_defaults( slap_bindconf *bc )
+{
+#ifdef HAVE_TLS
+	if ( bc->sb_tls_do_init ) {
+		if ( !bc->sb_tls_cacert )
+			ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CACERTFILE,
+				&bc->sb_tls_cacert );
+		if ( !bc->sb_tls_cacertdir )
+			ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CACERTDIR,
+				&bc->sb_tls_cacertdir );
+		if ( !bc->sb_tls_cert )
+			ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CERTFILE,
+				&bc->sb_tls_cert );
+		if ( !bc->sb_tls_key )
+			ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_KEYFILE,
+				&bc->sb_tls_key );
+		if ( !bc->sb_tls_cipher_suite )
+			ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CIPHER_SUITE,
+				&bc->sb_tls_cipher_suite );
+		if ( !bc->sb_tls_reqcert )
+			bc->sb_tls_reqcert = ch_strdup("demand");
+#ifdef HAVE_OPENSSL_CRL
+		if ( !bc->sb_tls_crlcheck )
+			slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_CRLCHECK,
+				&bc->sb_tls_crlcheck );
+#endif
+	}
+#endif
+}
+
 #ifdef HAVE_TLS
 static struct {
 	const char *key;

servers/slapd/proto-slap.h

@@ -632,6 +632,9 @@ LDAP_SLAPD_F (int) slap_verbmasks_init LDAP_P(( slap_verbmasks **vp, slap_verbma
 LDAP_SLAPD_F (int) slap_verbmasks_destroy LDAP_P(( slap_verbmasks *v ));
 LDAP_SLAPD_F (int) slap_verbmasks_append LDAP_P(( slap_verbmasks **vp,
 	slap_mask_t m, struct berval *v, slap_mask_t *ignore ));
+LDAP_SLAPD_F (int) slap_tls_get_config LDAP_P((
+	LDAP *ld, int opt, char **val ));
+LDAP_SLAPD_F (void) bindconf_tls_defaults LDAP_P(( slap_bindconf *bc ));
 LDAP_SLAPD_F (int) bindconf_parse LDAP_P((
 	const char *word,  slap_bindconf *bc ));
 LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((

servers/slapd/syncrepl.c

@@ -3248,6 +3248,11 @@ add_syncrepl(
 		if ( !si->si_re )
 			rc = -1;
 	}
+
+#ifdef HAVE_TLS
+	/* Use main slapd defaults */
+	bindconf_tls_defaults( &si->si_bindconf );
+#endif
 	if ( rc < 0 ) {
 		Debug( LDAP_DEBUG_ANY, "failed to add syncinfo\n", 0, 0, 0 );
 		syncinfo_free( si );