[Freeipa-devel] [PATCHES] Re: Changes to use a single database for dogtag and IPA

Petr Viktorin pviktori at redhat.com
Thu Nov 22 17:12:18 UTC 2012


On 11/21/2012 02:43 PM, Simo Sorce wrote:
> On Wed, 2012-11-21 at 10:46 +0100, Martin Kosek wrote:
>> On 11/20/2012 02:59 PM, Petr Viktorin wrote:
[...]
>>
>> I just see that in patch 101 you touch setup_replication and force TLS as a
>> default. But in this case, r_sslport parameter is never used and we can remove it.
>>
>> In 101, you also set LDAP+TLS as default connection protocol with
>> +        super(CSReplicationManager, self).__init__(
>> +            realm, hostname, dirman_passwd, port, starttls=True)
>>                                                     ^^^^^^^^^^^^^
>>
>> Wouldn't we want to make LDAP+TLS the default also in a bunch of
>> ReplicationManager initializations in ipa-replica-manage? Otherwise, we use
>> ldaps/SSL by default. AFAIU, LDAP+TLS is preferred over ldaps/SSL so this would
>> be a good step to do. Adding Rob and Simo to CC to correct me if I miss
>> anything and we want to keep using ldaps/SSL by default.
>
> In order of preference:
> LDAP/GSSAPI
> LDAP/TLS
> LDAPS
>
> but using ldaps is not the end of the world, so don't tie yourself up
> due to this.
>
> Simo.
>

https://fedorahosted.org/freeipa/ticket/3272

-- 
Petr³