[Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

JR Aquino JR.Aquino at citrix.com
Fri Feb 18 00:14:58 UTC 2011


On 2/17/11 9:46 AM, "Jan Zeleny" <jzeleny at redhat.com> wrote:

>JR Aquino <JR.Aquino at citrix.com> wrote:
>> Let's try now. Attached is the corrected patch.
>> 
>> There were several spots in ipa-client-install where the server could be
>> defined and it was getting missed.
>> I have omitted any change to ipa-client-install and instead just focused
>> on ipadiscovery.py
>> 
>> ipadiscovery.py now performs its own fetch of the CACert just to be
>> sure.
>> 
>> Regarding TLS vs LDAPS.
>> 
>> LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
>> standardized in any formal specification. This usage has been deprecated
>> along with LDAPv2, which was officially retired in 2003.
>> 
>> LDAPS is still supported, but considered deprecated in favor of TLS as
>> defined in RFC2830.
>> 
>> On 2/17/11 2:01 AM, "Jan Zelený" <jzeleny at redhat.com> wrote:
>> >JR Aquino <JR.Aquino at citrix.com> wrote:
>> >> This patch addresses the need to utilize TLS when using the
>> >> ipa-client-install tool. It addresses ticket:
>> >> https://fedorahosted.org/freeipa/ticket/974
>> >
>> >Nack, running ipa-client-install returned this error:
>> >
>> ># ipa-client-install
>> >Retrieving CA from None failed.
>> >Command '/usr/bin/wget -O /etc/ipa/ca.crt
>> >http://None/ipa/config/ca.crt'
>> >returned non-zero exit status 4
>> >
>> >
>> >One more question - shouldn't you use ldaps directly to connect to the
>> >server?
>> >Jan
>
>
>Sorry, I have to Nack it again, the patch seems incomplete, since it is
>only adding some cacert fetching code to IPADiscovery.
>
>Jan

Please ignore previous patches for #18. Attached is the replacement all
inclusive patch for this ticket.


Per Rob:
ipadiscovery should not attempt to create /etc/ipa/ca.crt; rather, it
should populate a tempdir with the temp cert for the initial discovery
bind.

Attached is the full patch to provide both TLS and the safer wget of the
ca.crt to a temporary directory created by tempfile.mkdtemp()

Please verify that ipa-client-install from a separate machine functions as
expected against a FreeIPA server that is set to "nsslapd-minssf: 56".
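The flow described above (fetch the CA cert for the discovery bind into a directory from tempfile.mkdtemp() instead of writing /etc/ipa/ca.crt, refuse to proceed when the server name was never set, and hand a plain ldap:// URI to a StartTLS bind), written out as an added Python example. It is not the attached patch or FreeIPA's own code: the `/ipa/config/ca.crt` path comes from the wget command quoted in the thread, the `bind` callback stands in for the python-ldap StartTLS bind that ipadiscovery performs, and the PEM check is an assumption added to catch an HTML error page being saved as a certificate.

```python
import os
import shutil
import tempfile
import urllib.request
from contextlib import contextmanager

# Path under which the FreeIPA server publishes its CA certificate, taken
# from the wget command in the thread (http://<server>/ipa/config/ca.crt).
CA_CERT_PATH = "/ipa/config/ca.crt"


def ca_cert_url(server):
    """Build the CA download URL, refusing an unset server name.

    The first version of the patch produced 'Retrieving CA from None failed'
    because the server variable was never populated; failing early here makes
    that bug visible before anything is written to disk.
    """
    if not server or server == "None":
        raise ValueError("discovery server is not set; cannot fetch CA certificate")
    return "http://%s%s" % (server, CA_CERT_PATH)


def default_fetch(url, timeout=10):
    """Fetch the URL body over plain HTTP (the CA certificate is public data)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


@contextmanager
def discovery_ca_cert(server, fetch=default_fetch):
    """Yield the path of a CA cert stored in a private temporary directory.

    Instead of writing /etc/ipa/ca.crt, which belongs to the final install,
    the discovery step gets its own directory from tempfile.mkdtemp() (created
    mode 0700, owned by the caller) and the cert file is created mode 0600.
    The directory is removed again when the context exits, also on error.
    """
    pem = fetch(ca_cert_url(server))
    # Assumption: reject anything that is not PEM so an error page served by
    # the HTTP server is never used as a trust anchor.
    if b"-----BEGIN CERTIFICATE-----" not in pem:
        raise ValueError("response from %s does not look like a PEM certificate" % server)
    tmpdir = tempfile.mkdtemp(prefix="ipa-discovery-")
    try:
        path = os.path.join(tmpdir, "ca.crt")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(pem)
        yield path
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


def discover_with_tls(server, bind, fetch=default_fetch):
    """Run bind(ldap_uri, ca_path) while the temporary CA cert exists.

    `bind` is a hypothetical callback standing in for the python-ldap
    StartTLS bind in ipadiscovery: it receives a plain ldap:// URI (StartTLS
    upgrades that connection, so no separate ldaps:// port is used) and the
    path of the CA file to verify the server against.
    """
    with discovery_ca_cert(server, fetch) as ca_path:
        return bind("ldap://%s" % server, ca_path)
```

The temporary directory is gone once `discover_with_tls` returns, so a later step that verifies the CA and installs it under /etc/ipa cannot be confused by a leftover file from discovery, and a failed fetch never leaves a half-written certificate behind.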


-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client-install.patch
Type: application/octet-stream
Size: 2031 bytes
Desc: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client-install.patch
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110218/563b8cec/attachment.obj>
