@@ -742,7 +742,14 @@ Parameters
Minimum *Security Strength Factor* to require from all incoming
connections. This applies for both remote and local connections.
**ldap_tls_ciphers** (string, optional ``NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL``)
**ldap_tls_ciphers** (string, optional ``NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+SHA512:+AEAD:+AES-128-GCM:+AES-256-GCM:+CHACHA20-POLY1305:+CURVE-ALL``)
.. warning::
Under Debian Stretch, the DHE ciphers are not usable due to a bug
present in OpenLDAP 2.4.44. See
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1656979
for details.
TLS ciphers to enable on the LDAP server. This should be a GnuTLS-compatible
cipher specification that should also include what TLS protocol versions
should be used. Value should be compatible with OpenLDAP server option
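Review bot: The added warning says the DHE ciphers are not usable under Debian Stretch with OpenLDAP 2.4.44, yet the new default on the ``ldap_tls_ciphers`` line still enables ``+DHE-RSA``, and the text does not tell the reader what to do about it. State whether the default can be left as is on Stretch (for example, because ``+ECDHE-RSA`` is still negotiated) or whether ``+DHE-RSA`` has to be removed there. Separately, the new default drops both CBC ciphers and keeps only AEAD ones (``AES-128-GCM``, ``AES-256-GCM``, ``CHACHA20-POLY1305``), so the ``+SHA256:+SHA384:+SHA512`` MAC entries no longer appear to pair with any enabled cipher and could be reduced to ``+AEAD``. Removing CBC can also lock out clients without AEAD support, so a sentence on that compatibility change would help.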