[Freeipa-devel] [PATCH] 769 enable SSL hostname checking

Rob Crittenden rcritten at redhat.com
Fri May 20 14:10:09 UTC 2011


Martin Kosek wrote:
> On Thu, 2011-05-19 at 22:36 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Mon, 2011-04-11 at 17:05 -0400, Rob Crittenden wrote:
>>>> Enable 389-ds SSL host checking by default
>>>>
>>>> Enforce that the remote hostname matches the remote SSL server
>>>> certificate when 389-ds operates as an SSL client.
>>>>
>>>> Also add an update file to turn this off for existing installations.
>>>>
>>>> ticket 1069
>>>>
>>>> rob
>>>
>>> NACK. 10-config.update fails to upgrade existing installation:
>>>
>>> # ipa-ldap-updater --upgrade
>>> Upgrading IPA:
>>>     [1/8]: stopping directory server
>>>     [2/8]: saving configuration
>>>     [3/8]: disabling listeners
>>>     [4/8]: starting directory server
>>>     [5/8]: upgrading server
>>> ERROR:root:Update failed: Server is unwilling to perform: Deleting attributes is not allowed
>>>     [6/8]: stopping directory server
>>>     [7/8]: restoring configuration
>>>     [8/8]: starting directory server
>>> done configuring dirsrv.
>>>
>>> Martin
>>>
>>
>> Updated patch attached. I had to make the ldap updater do REPLACE
>> operations. I went ahead and made this code similar to the code in
>> ldap2.py for consistency.
>>
>> rob
>
> ACK. Both LDAP upgrade and a fresh installation work fine.
>
> Martin
>

pushed to master and ipa-2-0
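
An added example, not part of the thread and not the FreeIPA patch: it shows why a delete-then-add modlist triggers the "Deleting attributes is not allowed" error quoted above, and how a REPLACE-based modlist avoids it. The function names, the sample entries and the attribute name nsslapd-ssl-check-hostname are assumptions; the thread does not name the attribute that 10-config.update changes.

```python
# LDAP modify op codes (same numeric values as python-ldap's ldap.MOD_*).
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def delete_add_modlist(old, new):
    """Naive diff: delete the attribute, then add the new values.

    On cn=config this produces the MOD_DELETE that the server rejects.
    """
    mods = []
    for attr in sorted(set(old) | set(new)):
        old_vals, new_vals = old.get(attr, []), new.get(attr, [])
        if sorted(old_vals) == sorted(new_vals):
            continue  # unchanged attribute, nothing to send
        if old_vals:
            mods.append((MOD_DELETE, attr, None))
        if new_vals:
            mods.append((MOD_ADD, attr, list(new_vals)))
    return mods


def replace_modlist(old, new):
    """Diff that sends one MOD_REPLACE when an attribute changes value.

    MOD_DELETE is only emitted when the attribute is really being removed.
    """
    mods = []
    for attr in sorted(set(old) | set(new)):
        old_vals, new_vals = old.get(attr, []), new.get(attr, [])
        if sorted(old_vals) == sorted(new_vals):
            continue
        if old_vals and new_vals:
            mods.append((MOD_REPLACE, attr, list(new_vals)))
        elif new_vals:
            mods.append((MOD_ADD, attr, list(new_vals)))
        else:
            mods.append((MOD_DELETE, attr, None))
    return mods


# Constructed sample: cn=config of an existing installation before and
# after the update file turns hostname checking off (assumed attribute name).
OLD_CONFIG = {"nsslapd-ssl-check-hostname": [b"on"], "nsslapd-port": [b"389"]}
NEW_CONFIG = {"nsslapd-ssl-check-hostname": [b"off"], "nsslapd-port": [b"389"]}

if __name__ == "__main__":
    print("delete+add:", delete_add_modlist(OLD_CONFIG, NEW_CONFIG))
    print("replace:   ", replace_modlist(OLD_CONFIG, NEW_CONFIG))
```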



