[Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install
JR Aquino
JR.Aquino at citrix.com
Mon Feb 21 19:18:55 UTC 2011
On 2/21/11 10:46 AM, "Jan Zeleny" <jzeleny at redhat.com> wrote:
>Rob Crittenden <rcritten at redhat.com> wrote:
>> JR Aquino wrote:
>> > On 2/17/11 9:46 AM, "Jan Zeleny"<jzeleny at redhat.com> wrote:
>> >> JR Aquino<JR.Aquino at citrix.com> wrote:
>> >>> Let's try now. Attached is the corrected patch.
>> >>>
>> >>> There were several spots in ipa-client-install where the server could
>> >>> be defined and it was getting missed.
>> >>> I have omitted any change to ipa-client-install and instead just
>> >>> focused on ipadiscovery.py
>> >>>
>> >>> ipadiscovery.py now performs its own fetch of the CACert just to be
>> >>> sure.
>> >>>
>> >>> Regarding TLS vs LDAPS.
>> >>>
>> >>> LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
>> >>> standardized in any formal specification. This usage has been
>> >>> deprecated along with LDAPv2, which was officially retired in 2003.
>> >>>
>> >>> LDAPS is still supported, but considered deprecated in favor of TLS as
>> >>> defined in RFC2830.
>> >>>
>> >>> On 2/17/11 2:01 AM, "Jan Zelený"<jzeleny at redhat.com> wrote:
>> >>>> JR Aquino<JR.Aquino at citrix.com> wrote:
>> >>>>> This patch addresses the need to utilize TLS when using the
>> >>>>> ipa-client-install tool. It addresses ticket:
>> >>>>> https://fedorahosted.org/freeipa/ticket/974
>> >>>>
>> >>>> Nack, running ipa-client-install returned this error:
>> >>>>
>> >>>> # ipa-client-install
>> >>>> Retrieving CA from None failed.
>> >>>> Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt'
>> >>>> returned non-zero exit status 4
>> >>>>
>> >>>>
>> >>>> One more question - shouldn't you use ldaps directly to connect to the
>> >>>> server?
>> >>>> Jan
>> >>
>> >> Sorry, I have to Nack it again, the patch seems incomplete, since it is
>> >> only adding some cacert fetching code to IPADiscovery.
>> >>
>> >> Jan
>> >
>> > Please ignore previous patches for #18. Attached is the replacement
>> > all-inclusive patch for this ticket.
>> >
>> >
>> > Per Rob:
>> > ipadiscovery should not attempt to create /etc/ipa/ca.crt; rather, it
>> > should populate a tempdir with the temp cert for the initial discovery
>> > bind.
>> >
>> > Attached is the full patch to provide both TLS and the safer wget of the
>> > ca.crt to a temporary directory created by tempfile.mkdtemp()
>> >
>> > Please verify that ipa-client-install from a separate machine functions
>> > as expected against a FreeIPA server that is set to "nsslapd-minssf: 56"
>>
>> It looks ok except for the try/except around the tempfile. If it fails
>> all heck is gonna break loose. We should raise a RuntimeError in that
>> case.
>>
>> rob
>
>Agreed, I had more or less the same comment prepared.
Correction made, patch attached.

    # Temporary directory for the discovery-time CA cert (tempfile.mkdtemp(),
    # as discussed above); a failure here must abort rather than continue.
    try:
        tmpdir = tempfile.mkdtemp()
    except OSError as e:
        raise RuntimeError("Creating temporary directory failed: %s" %
                           str(e))
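As an added illustration of the approach agreed in this thread (this is not the attached FreeIPA patch), a stdlib-only Python sketch of the discovery-time CA fetch: mkdtemp() for the temporary directory, RuntimeError if that fails, a sanity check that what came back is actually PEM, and removal of the directory on exit. The function names, the injectable fetch/mkdtemp parameters and the server name used in comments are assumptions for illustration.

```python
import os
import shutil
import tempfile
import urllib.request
from contextlib import contextmanager

CA_URL = "http://%s/ipa/config/ca.crt"   # the path wget fetched in the thread


def http_fetch(url, timeout=10):
    """Default fetcher: a plain HTTP GET, like the thread's wget of ca.crt."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


@contextmanager
def discovery_ca_cert(server, fetch=http_fetch, mkdtemp=tempfile.mkdtemp):
    """Yield the path of a temporary copy of the server's CA certificate.

    The cert goes into a fresh mkdtemp() directory (mode 0700) instead of
    /etc/ipa/ca.crt, so a failed or untrusted discovery never leaves a
    system-wide trust anchor behind; the directory is removed on exit.
    `fetch` and `mkdtemp` are injectable (assumed API) so the flow can be
    exercised offline with constructed data.
    """
    if not server:
        # Guards against the "Retrieving CA from None failed" run in the thread.
        raise RuntimeError("no server name available for CA retrieval")
    try:
        tmpdir = mkdtemp(prefix="ipa-discovery-")
    except OSError as e:
        raise RuntimeError("Creating temporary directory failed: %s" % str(e))
    try:
        try:
            pem = fetch(CA_URL % server)
        except (OSError, ValueError) as e:
            raise RuntimeError("Retrieving CA from %s failed: %s" % (server, e))
        if not pem.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
            # An HTML error page or captive portal is not a CA certificate.
            raise RuntimeError("CA retrieved from %s is not a PEM certificate"
                               % server)
        ca_path = os.path.join(tmpdir, "ca.crt")
        with open(ca_path, "wb") as f:
            f.write(pem)
        yield ca_path   # hand this to the StartTLS client as its CA file
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)
```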
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client.patch
Type: application/octet-stream
Size: 2108 bytes
Desc: freeipa-jraquino-0018-Use-TLS-for-ipadiscovery-during-ipa-client.patch
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110221/001db945/attachment.obj>