From 846a5832bbd71d080c56930084d10dcbd71d98d6 Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Sat, 4 May 2002 00:07:12 +0000
Subject: [PATCH] Set tls_opt_require_cert to default to NEVER. libldap defaults to DEMAND due to client needs, we change it back here.
---
 servers/slapd/main.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/servers/slapd/main.c b/servers/slapd/main.c
index 62249eeaf2..b48f222450 100644
--- a/servers/slapd/main.c
+++ b/servers/slapd/main.c
@@ -381,6 +381,16 @@ int main( int argc, char **argv )
 goto destroy;
 }
 
+#ifdef HAVE_TLS
+ /* Library defaults to full certificate checking. This is correct when
+ * a client is verifying a server because all servers should have a
+ * valid cert. But few clients have valid certs, so we want our default
+ * to be no checking. The config file can override this as usual.
+ */
+ rc = 0;
+ (void) ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &rc );
+#endif
+
 if ( read_config( configfile ) != 0 ) {
 rc = 1;
 SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 19 );
-- 
2.39.5
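Review bot: Passing `NULL` as the handle in `ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &rc )` changes the process-wide libldap default, so the relaxation to "no checking" is not limited to slapd's role as a TLS server. Any code in the same process that opens outbound TLS connections through libldap would presumably inherit it and skip verification of the peer server's certificate unless it sets its own value. The block comment should state that scope, e.g. `/* NOTE: this is the global default; client-role connections made from slapd must set REQUIRE_CERT explicitly. */`. Separately, `rc = 0;` reuses the exit-status variable with a bare literal, and `rc = LDAP_OPT_X_TLS_NEVER;` would state the intent named in the commit subject. main() begins and ends outside the hunk.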