[Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install
Jan Zeleny
jzeleny at redhat.com
Mon Feb 21 18:46:47 UTC 2011
Rob Crittenden <rcritten at redhat.com> wrote:
> JR Aquino wrote:
> > On 2/17/11 9:46 AM, "Jan Zeleny"<jzeleny at redhat.com> wrote:
> >> JR Aquino<JR.Aquino at citrix.com> wrote:
> >>> Lets try now. Attached is the corrected patch.
> >>>
> >>> There were several spots in ipa-client-install where the server could
> >>> be defined and it was getting missed.
> >>> I have omitted any change to ipa-client-install and instead just
> >>> focused on ipadiscovery.py
> >>>
> >>> ipadiscovery.py now performs its own fetch of the CACert just to be
> >>> sure.
> >>>
> >>> Regarding TLS vs LDAPS.
> >>>
> >>> LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
> >>> standardized in any formal specification. This usage has been
> >>> deprecated along with LDAPv2, which was officially retired in 2003.
> >>>
> >>> LDAPS is still supported, but considered deprecated in favor of TLS as
> >>> defined in RFC2830.
> >>>
> >>> On 2/17/11 2:01 AM, "Jan Zelený"<jzeleny at redhat.com> wrote:
> >>>> JR Aquino<JR.Aquino at citrix.com> wrote:
> >>>>> This patch addresses the need to utilize TLS when using the
> >>>>> ipa-client-install tool. It addresses ticket:
> >>>>> https://fedorahosted.org/freeipa/ticket/974
> >>>>
> >>>> Nack, running ipa-client-install returned this error:
> >>>>
> >>>> # ipa-client-install
> >>>> Retrieving CA from None failed.
> >>>> Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt'
> >>>> returned non-zero exit status 4
> >>>>
> >>>>
> >>>> One more question - shouldn't you use ldaps directly to connect to the
> >>>> server?
> >>>> Jan
> >>
> >> Sorry, I have to Nack it again, the patch seems incomplete, since it is
> >> only adding some cacert fetching code to IPADiscovery.
> >>
> >> Jan
> >
> > Please ignore previous patches for #18. Attached is the replacement all
> > inclusive patch for this ticket.
> >
> >
> > Per Rob:
> > ipadiscovery should not attempt to create the /etc/ipa/ca.crt rather, it
> > should populate a tempdir with the temp cert for the initial discovery
> > bind.
> >
> > Attached is the full patch to provide both TLS and the safer wget of the
> > ca.crt to a temporary directory created by tempfile.mkdtemp()
> >
> > Please verify that ipa-client-install from a separate machine functions
> > as expected against a FreeIPA server who is set to "nsslapd-minssf: 56"
>
> It looks ok except for the try/except around the tempfile. If it fails
> all heck is gonna break loose. We should raise a RuntimeError in that case.
>
> rob
Agreed, I had more or less the same comment prepared.
Jan
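The thread settles two points about the discovery-time CA fetch: the certificate must go into a private directory created with tempfile.mkdtemp() rather than into /etc/ipa/ca.crt, and a failure to create that directory must raise a RuntimeError instead of being swallowed by a try/except. The block below is an added, stand-alone Python illustration of that pattern and is not code from the patch or from FreeIPA itself. The `fetch` callable, the `run_demo` helper, and the sample PEM bytes are constructed for the example (a real installer would run wget or an HTTP client and then use the returned path as the CA for an LDAP StartTLS bind).

```python
import os
import shutil
import tempfile

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"

# Constructed sample: a placeholder PEM body, not a real certificate.
SAMPLE_PEM = PEM_BEGIN + b"\nMIIBsample-constructed-for-the-example\n" + PEM_END + b"\n"


def fetch_ca_to_tempdir(fetch, parent_dir=None):
    """Fetch the server CA into a fresh private temp dir.

    `fetch` is a hypothetical stand-in for the real download step; it must
    return the raw certificate bytes.  Returns (tmpdir, cert_path).  Raises
    RuntimeError if the temp dir cannot be created or the data is not PEM.
    """
    try:
        # mkdtemp creates the directory with mode 0700, so the temporary CA
        # copy is not readable by other local users during discovery.
        tmpdir = tempfile.mkdtemp(prefix="ipa-discovery-", dir=parent_dir)
    except OSError as e:
        # Failing here must be loud: every later step depends on this dir.
        raise RuntimeError("cannot create temporary directory for CA cert: %s" % e)

    cert_path = os.path.join(tmpdir, "ca.crt")
    try:
        data = fetch()
        if not (PEM_BEGIN in data and PEM_END in data):
            raise RuntimeError("fetched CA is not a PEM certificate")
        with open(cert_path, "wb") as f:
            f.write(data)
        os.chmod(cert_path, 0o600)
    except Exception:
        # Never leave a half-written CA lying around for a later bind to trust.
        shutil.rmtree(tmpdir, ignore_errors=True)
        raise
    return tmpdir, cert_path


def is_private_dir(path):
    """True if the directory is accessible only by its owner (no group/other bits)."""
    return (os.stat(path).st_mode & 0o077) == 0


def cleanup(tmpdir):
    """Remove the temp dir after the discovery bind; True if it is gone."""
    shutil.rmtree(tmpdir, ignore_errors=True)
    return not os.path.exists(tmpdir)


def run_demo():
    """Exercise the happy path and both failure modes; returns a result dict."""
    results = {}

    tmpdir, cert_path = fetch_ca_to_tempdir(lambda: SAMPLE_PEM)
    with open(cert_path, "rb") as f:
        results["cert_matches"] = f.read() == SAMPLE_PEM
    results["dir_private"] = is_private_dir(tmpdir)
    results["cleaned_up"] = cleanup(tmpdir)

    # Failure 1: the parent directory does not exist, so mkdtemp fails.
    bad_parent = os.path.join(tempfile.gettempdir(), "no-such-dir-ipa-demo")
    try:
        fetch_ca_to_tempdir(lambda: SAMPLE_PEM, parent_dir=bad_parent)
        results["bad_parent_raises"] = False
    except RuntimeError:
        results["bad_parent_raises"] = True

    # Failure 2: the server answered with something that is not a certificate
    # (for example an HTML error page); the temp dir must be removed again.
    try:
        fetch_ca_to_tempdir(lambda: b"<html>404 Not Found</html>")
        results["non_pem_raises"] = False
    except RuntimeError:
        results["non_pem_raises"] = True

    return results


if __name__ == "__main__":
    for name, ok in sorted(run_demo().items()):
        print("%-18s %s" % (name, "ok" if ok else "FAIL"))
```

The directory is created before anything is downloaded and removed on every error path, so a failed or bogus fetch cannot leave a stale, world-readable CA that a later bind would trust.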