[Freeipa-users] Re: freeipa server + how to joining opensuse clients

Daniel Qarras dqarras at yahoo.com
Mon Mar 16 18:28:08 UTC 2009


Hi!
 
> > Few quick questions about the actual content:
> > 
> > - I've been setting up KerberosV5 lately and
> > practically all guides have set these to false:
> > 
> >   dns_lookup_realm = true
> >   dns_lookup_kdc = true
> > 
> > Aren't those unneeded when the servers have been
> > already defined in krb5.conf?
> 
> Yes, as I understand it if you go to a realm/domain
> specified in the file these will not be used. Doesn't
> hurt to have them defined I suppose, I'm not sure what
> the defaults are. Do you think having these will cause
> confusion?

Ok, thanks for the clarification, I got the same impression from the man page. I think it's ok to leave them there; I'd suppose most people just copy and paste, and those few interested in details (like me) will read the man page if in doubt :-)

From the nit-picking department: one thing that perhaps could be spelled out is that in the "Installing IPA Client" section there is:

add the server's IP address to the client's /etc/resolv.conf file.

Could be:

add the server's IP address to the client's /etc/resolv.conf file, e.g.: nameserver 192.168.122.1 .

> > - TLS section lists
> > 
> >   TLS_REQCERT allow
> > 
> > Doesn't this mean that if TLS procedures fail a
> > non-TLS connection will be used instead? Perhaps it could be
> > mentioned that using "demand" would force TLS
> > usage (and in lack of it the termination)?
> 
> Not really. As I understand it if TLS is not available then
> it will fall back to non-TLS. If the TLS is available but
> fails because of a bad cert, no trust of the CA, etc. then
> the connection will fail.

Hmm, after inspecting this a bit more I'm confused. The TLS client configuration section should IMHO mention that this is for PAM (and not for OpenLDAP tools and libraries which use /etc/openldap/ldap.conf). But the guide says:

1. Modify the following in the /etc/ldap.conf file:

URI     ldap://ipaserver.example.com
BASE dc=example,dc=com
HOST ipaserver.example.com
TLS_CACERTDIR /etc/cacerts/
TLS_REQCERT allow

but these upper case options are described in ldap.conf(5), which is for the OpenLDAP configuration file /etc/openldap/ldap.conf! The /etc/ldap.conf configuration file syntax is described in nss_ldap(5), which uses lower case syntax and does not mention tls_reqcert (or TLS_REQCERT) at all, but tls_checkpeer. Also, the above example does not say anything about actually using TLS; one would need "ssl start_tls" to use it. To me it now seems that the connections would be unencrypted (if the server accepts such connections, which is something I haven't checked).

One minor additional detail is that HOST/URI provide duplicate information and URI/uri probably should be preferred and HOST/host could be dropped.

Cheers!
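As an added check (my own example, not part of this thread or of the FreeIPA guide): a small Python audit of the guide's /etc/ldap.conf fragment that flags the points raised in the post. The hardened counterpart, and the rule that nss_ldap only encrypts with "ssl start_tls"/"ssl on" or an ldaps:// uri, are assumptions based on nss_ldap(5) as described above.

```python
import re

# Constructed sample: the /etc/ldap.conf fragment quoted from the guide in the post.
GUIDE_FRAGMENT = """\
URI     ldap://ipaserver.example.com
BASE dc=example,dc=com
HOST ipaserver.example.com
TLS_CACERTDIR /etc/cacerts/
TLS_REQCERT allow
"""
# Constructed counterpart in nss_ldap(5) syntax along the lines the post suggests (assumed).
HARDENED_FRAGMENT = """\
uri ldap://ipaserver.example.com
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/cacerts/
"""

def parse_ldap_conf(text):
    """Split 'keyword value' lines; keyword case is kept to tell the two syntaxes apart."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        pairs.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return pairs

def audit_nss_ldap_conf(text):
    """Findings for a file that nss_ldap/pam_ldap will read as /etc/ldap.conf."""
    pairs = parse_ldap_conf(text)
    lower = {k.lower(): v for k, v in pairs}
    findings = []
    # Assumed: nss_ldap only encrypts when asked, via "ssl start_tls"/"ssl on" or an ldaps:// uri.
    uri = lower.get("uri", "").lower()
    if lower.get("ssl", "").lower() not in ("start_tls", "on", "yes") and not uri.startswith("ldaps://"):
        findings.append("no 'ssl start_tls' and no ldaps:// uri: connections would be unencrypted")
    # nss_ldap(5) spells server-certificate checking as tls_checkpeer, not TLS_REQCERT.
    if lower.get("tls_checkpeer", "").lower() != "yes":
        findings.append("tls_checkpeer yes not set: certificate checking is not configured in nss_ldap syntax")
    # Upper-case keywords are ldap.conf(5) syntax, i.e. for /etc/openldap/ldap.conf.
    misplaced = sorted(k for k, _ in pairs if k != k.lower())
    if misplaced:
        findings.append("ldap.conf(5)-style keywords in /etc/ldap.conf: " + ", ".join(misplaced))
    # host and uri carry the same information; the post suggests keeping only uri.
    if "host" in lower and "uri" in lower:
        findings.append("both host and uri set: duplicate information, prefer uri")
    return findings
```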