[Freeipa-devel] [PATCH] 924 use starttls in CSReplicationManager connection again

Simo Sorce simo at redhat.com
Fri Oct 23 14:57:49 UTC 2015


On 23/10/15 08:39, Petr Vobornik wrote:
> not sure if the change in 2606f5aecd6ac0db31abb515b691529bb7eaf14e was a
> mistake or done on purpose.
>
> Anyway:
> commit 2606f5aecd6ac0db31abb515b691529bb7eaf14e
>
> has:
> -            realm, hostname, dirman_passwd, port, starttls=True)
> +            realm, hostname, dirman_passwd, port)
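Review bot: the `+` line drops `starttls=True` but leaves `port` untouched, and the commit carries no explanation of why the transport changed; the symptom quoted below ("cannot connect to 'ldaps://ipa.example.com:389': TLS error ... Encountered end of file") is exactly what a TLS handshake against the plain LDAP port looks like, so the scheme and port decision has to be made together, not by removing one keyword. Either keep `starttls=True` on this call, or, if the intent is to stop relying on TLS here, switch the bind to something that still protects `dirman_passwd` on the wire (LDAP+GSSAPI, as discussed in the reply) and say so in the commit message.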
>
> In CSReplicationManager
>
> which causes, e.g.:
>
> ipa-csreplica-manage -p Secret123 list ipa.example.com
> cannot connect to 'ldaps://ipa.example.com:389': TLS error
> -5938:Encountered end of file
>
> Attached patch reverts it.

I am not sure it was a mistake, we have changed replication from using 
TLS to always use LDAP+GSSAPI, so why is ipa-csreplica-manage depending 
on ldaps anyway?

It may need to when dealing with very old domains where we have split 
instances for CS and IPA, but not in anything modern. I would rather 
change the command to cope with using LDAP+GSSAPI.

A simple revert may break something in replica promotion, would need to 
be tested with a full master+replica install.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
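The failure in this thread is a transport mismatch: once `starttls=True` is gone, the connection ends up trying TLS (`ldaps://`) on the plaintext port 389, and the client sees an EOF during the handshake. The following is an added example, not FreeIPA's own code: a small validator that classifies an LDAP connection choice (scheme, port, STARTTLS, SASL/GSSAPI) and reports both the scheme/port mismatches that cannot work at all and the combinations that would send a simple-bind password in clear. The parameter names `hostname`, `port` and `starttls` echo the quoted patch; `ldaps` and `sasl_gssapi` are names assumed for this example, and the port numbers are the standard LDAP/LDAPS defaults.

```python
from dataclasses import dataclass
from typing import Optional

# Standard well-known ports (not taken from the FreeIPA code under discussion).
LDAP_PORT = 389
LDAPS_PORT = 636


@dataclass(frozen=True)
class TransportCheck:
    uri: str              # the URI the client would dial
    protected: bool       # True when the bind credentials are not sent in clear
    problem: Optional[str]  # None when the combination is coherent and protected


def check_ldap_transport(hostname: str, port: int, *,
                         ldaps: bool = False,
                         starttls: bool = False,
                         sasl_gssapi: bool = False) -> TransportCheck:
    """Classify a planned LDAP connection before dialing it.

    Hypothetical helper: it mirrors the choices a replication-management
    tool makes (scheme, port, STARTTLS, SASL mechanism) and flags the
    combinations that either cannot complete a handshake or leave a
    simple bind unprotected.
    """
    scheme = "ldaps" if ldaps else "ldap"
    uri = f"{scheme}://{hostname}:{port}"

    # STARTTLS upgrades a plain LDAP session; it has no meaning on ldaps.
    if ldaps and starttls:
        return TransportCheck(uri, True,
                              "STARTTLS cannot be layered on an ldaps connection")

    # TLS-first handshake against a port that speaks plain LDAP: the server
    # answers (or closes) with non-TLS bytes and the client reports an EOF
    # or similar TLS error. This is the mismatch seen in the thread.
    if ldaps and port == LDAP_PORT:
        return TransportCheck(uri, False,
                              "ldaps:// against the plaintext LDAP port; "
                              "TLS handshake will fail (EOF-style TLS error)")

    # The reverse mismatch: plain LDAP bytes sent to a port expecting TLS.
    if not ldaps and port == LDAPS_PORT:
        return TransportCheck(uri, False,
                              "ldap:// against the LDAPS port; server expects "
                              "a TLS handshake first")

    # Coherent scheme/port pair: decide whether credentials are protected.
    # ldaps and STARTTLS protect the whole session; SASL/GSSAPI protects the
    # bind itself (and can negotiate a confidentiality layer).
    protected = ldaps or starttls or sasl_gssapi
    problem = None if protected else (
        "simple bind over plain LDAP sends the password in clear; use "
        "STARTTLS, ldaps, or a SASL/GSSAPI bind")
    return TransportCheck(uri, protected, problem)


if __name__ == "__main__":
    # The combination produced by dropping starttls=True on port 389 while
    # the manager still dials ldaps://, versus the two workable alternatives.
    for kwargs in ({"ldaps": True}, {"starttls": True}, {"sasl_gssapi": True}):
        result = check_ldap_transport("ipa.example.com", LDAP_PORT, **kwargs)
        print(result.uri, "protected=%s" % result.protected, result.problem)
```

Run as a script it prints one line per candidate configuration; the first (ldaps on 389) is the unworkable one, the STARTTLS and GSSAPI variants are the two ways the command could connect without exposing the Directory Manager password.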
