[Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

Jan Zeleny jzeleny at redhat.com
Thu Feb 17 17:46:50 UTC 2011


JR Aquino <JR.Aquino at citrix.com> wrote:
> Let's try now. Attached is the corrected patch.
> 
> There were several spots in ipa-client-install where the server could be
> defined and it was getting missed.
> I have omitted any change to ipa-client-install and instead just focused
> on ipadiscovery.py
> 
> ipadiscovery.py now performs its own fetch of the CACert just to be sure.
> 
> Regarding TLS vs LDAPS.
> 
> LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
> standardized in any formal specification. This usage has been deprecated
> along with LDAPv2, which was officially retired in 2003.
> 
> LDAPS is still supported, but considered deprecated in favor of TLS as
> defined in RFC2830.
> 
> On 2/17/11 2:01 AM, "Jan Zelený" <jzeleny at redhat.com> wrote:
> >JR Aquino <JR.Aquino at citrix.com> wrote:
> >> This patch addresses the need to utilize TLS when using the
> >> ipa-client-install tool. It addresses ticket:
> >> https://fedorahosted.org/freeipa/ticket/974
> >
> >Nack, running ipa-client-install returned this error:
> >
> ># ipa-client-install
> >Retrieving CA from None failed.
> >Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt'
> >returned non-zero exit status 4
> >
> >
> >One more question - shouldn't you use ldaps directly to connect to the
> >server?
> >Jan


Sorry, I have to Nack it again, the patch seems incomplete, since it is only
adding some cacert fetching code to IPADiscovery.

Jan