[Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

Rob Crittenden rcritten at redhat.com
Mon Feb 21 18:35:24 UTC 2011


JR Aquino wrote:
> On 2/17/11 9:46 AM, "Jan Zeleny"<jzeleny at redhat.com>  wrote:
>
>> JR Aquino<JR.Aquino at citrix.com>  wrote:
>>> Let's try now. Attached is the corrected patch.
>>>
>>> There were several spots in ipa-client-install where the server could be
>>> defined and it was getting missed.
>>> I have omitted any change to ipa-client-install and instead just focused
>>> on ipadiscovery.py
>>>
>>> ipadiscovery.py now performs its own fetch of the CACert just to be
>>> sure.
>>>
>>> Regarding TLS vs LDAPS.
>>>
>>> LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
>>> standardized in any formal specification. This usage has been deprecated
>>> along with LDAPv2, which was officially retired in 2003.
>>>
>>> LDAPS is still supported, but considered deprecated in favor of TLS as
>>> defined in RFC2830.
>>>
>>> On 2/17/11 2:01 AM, "Jan Zelený"<jzeleny at redhat.com>  wrote:
>>>> JR Aquino<JR.Aquino at citrix.com>  wrote:
>>>>> This patch addresses the need to utilize TLS when using the
>>>>> ipa-client-install tool. It addresses ticket:
>>>>> https://fedorahosted.org/freeipa/ticket/974
>>>>
>>>> Nack, running ipa-client-install returned this error:
>>>>
>>>> # ipa-client-install
>>>> Retrieving CA from None failed.
>>>> Command '/usr/bin/wget -O /etc/ipa/ca.crt
>>> http://None/ipa/config/ca.crt'
>>>> returned non-zero exit status 4
>>>>
>>>>
>>>> One more question - shouldn't you use ldaps directly to connect to the
>>>> server?
>>>> Jan
>>
>>
>> Sorry, I have to Nack it again, the patch seems incomplete, since it is
>> only
>> adding some cacert fetching code to IPADiscovery.
>>
>> Jan
>
> Please ignore previous patches for #18. Attached is the replacement all
> inclusive patch for this ticket.
>
>
> Per Rob:
> ipadiscovery should not attempt to create the /etc/ipa/ca.crt rather, it
> should populate a tempdir with the temp cert for the initial discovery
> bind.
>
> Attached is the full patch to provide both TLS and the safer wget of the
> ca.crt to a temporary directory created by tempfile.mkdtemp()
>
> Please verify that ipa-client-install from a separate machine functions as
> expected against a FreeIPA server who is set to "nsslapd-minssf: 56"
>
>

It looks ok except for the try/except around the tempfile. If it fails 
all heck is gonna break loose. We should raise a RuntimeError in that case.

rob
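The thread's two concerns, keeping the discovery-time CA certificate in a private tempfile.mkdtemp() directory rather than writing /etc/ipa/ca.crt, and failing loudly with a RuntimeError when that temporary directory (or the fetch into it) cannot be set up, are illustrated below. This is an added example, not the patch under review nor FreeIPA's own ipadiscovery.py; the `fetch` callable stands in for the wget call, `bind` stands in for the start-TLS discovery bind that would use the certificate as its CA file, the `/ipa/config/ca.crt` URL path is taken from the wget error quoted earlier in the thread, and the PEM blob is constructed sample data.

```python
import os
import shutil
import tempfile
from contextlib import contextmanager

# Constructed sample PEM blob standing in for the server's /ipa/config/ca.crt.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              b"MIIBconstructedSampleNotARealCertificate==\n"
              b"-----END CERTIFICATE-----\n")


def constructed_fetch(url):
    """Stand-in for the wget call (hypothetical): returns the sample PEM for any URL."""
    return SAMPLE_PEM


def fetch_ca_to_tempdir(fetch, server):
    """Create a private temp dir and store the server's CA cert in it.

    Returns (tmpdir, ca_path). Any failure raises RuntimeError instead of
    letting the caller continue with a missing or half-written certificate;
    the temp dir is removed again on failure.
    """
    if not server:
        # Guards against the "Retrieving CA from None" failure seen in the thread.
        raise RuntimeError("no IPA server name to fetch the CA certificate from")
    try:
        # mkdtemp creates the directory with mode 0700, so only this user can read it.
        tmpdir = tempfile.mkdtemp(prefix="ipa-discovery-")
    except OSError as e:
        raise RuntimeError("unable to create temporary directory for CA cert: %s" % e)
    ca_path = os.path.join(tmpdir, "ca.crt")
    try:
        data = fetch("http://%s/ipa/config/ca.crt" % server)
        # Refuse anything that is not a PEM certificate (e.g. an HTML error page).
        if not data.startswith(b"-----BEGIN CERTIFICATE-----"):
            raise RuntimeError("retrieved CA from %s is not a PEM certificate" % server)
        with open(ca_path, "wb") as f:
            f.write(data)
        os.chmod(ca_path, 0o600)
    except RuntimeError:
        shutil.rmtree(tmpdir, ignore_errors=True)
        raise
    except Exception as e:
        shutil.rmtree(tmpdir, ignore_errors=True)
        raise RuntimeError("retrieving CA from %s failed: %s" % (server, e))
    return tmpdir, ca_path


@contextmanager
def temporary_ca_cert(fetch, server):
    """Yield the CA cert path for the duration of discovery, then remove the temp dir."""
    tmpdir, ca_path = fetch_ca_to_tempdir(fetch, server)
    try:
        yield ca_path
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


def run_discovery(fetch, server, bind):
    """Run the discovery bind with a temporary CA cert; returns whatever bind returns."""
    with temporary_ca_cert(fetch, server) as ca_path:
        # In the real client, bind would start TLS on the LDAP connection using
        # ca_path as its CA file; here it is a caller-supplied callback (assumption).
        return bind(ca_path)


def ca_cert_present(ca_path):
    """True if the temporary certificate file still exists (used to verify cleanup)."""
    return os.path.isfile(ca_path)


if __name__ == "__main__":
    seen = []

    def demo_bind(ca_path):
        seen.append(ca_path)
        with open(ca_path, "rb") as f:
            return f.read()

    pem = run_discovery(constructed_fetch, "ipa.example.test", demo_bind)
    print("bind saw CA file:", seen[0])
    print("cert returned intact:", pem == SAMPLE_PEM)
    print("temp cert removed after discovery:", not ca_cert_present(seen[0]))
    try:
        fetch_ca_to_tempdir(constructed_fetch, None)
    except RuntimeError as e:
        print("missing server rejected:", e)
```

The context manager guarantees the temporary directory disappears whether the bind succeeds or raises, and every setup failure surfaces as a single RuntimeError that ipa-client-install can report, which is the behaviour Rob asks for instead of swallowing the tempfile error.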
