[Freeipa-users] Re: freeipa server + how to joining opensuse clients

Simo Sorce ssorce at redhat.com
Wed Mar 25 01:17:54 UTC 2009


On Tue, 2009-03-24 at 14:26 -0400, Rob Crittenden wrote:
> > Hmm, after inspecting this a bit more I'm confused. The TLS client
> > configuration section should IMHO mention that this is for PAM (and
> > not for OpenLDAP tools and libraries which
> > use /etc/openldap/ldap.conf). But the guide says:
> > 
> > 1. Modify the following in the /etc/ldap.conf file:
> > 
> > URI     ldap://ipaserver.example.com
> > BASE dc=example,dc=com
> > HOST ipaserver.example.com
> > TLS_CACERTDIR /etc/cacerts/
> > TLS_REQCERT allow
> > 
> > but these upper case options are described in ldap.conf(5) which is
> > for OpenLDAP configuration
> > file /etc/openldap/ldap.conf! /etc/ldap.conf configuration file syntax
> > is described in nss_ldap(5) which uses lower case syntax and does not
> > mention tls_reqcert (or TLS_REQCERT) at all but tls_checkpeer. Also,
> > the above example does not say anything about actually using TLS, one
> > would need "ssl start_tls" to use it, now to me it seems that the
> > connections would be unencrypted (if the server accepts such
> > connections - that is something I haven't checked).
> > 
> > One minor additional detail is that HOST/URI provide duplicate
> > information and URI/uri probably should be preferred and HOST/host
> > could be dropped.
> 
> Yes, there is a bit of a disconnect here. Simo, this is your area of 
> expertise, do you have any comments?

I am not sure FDS at the moment supports start_tls, I think you have to
use the ssl port.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
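As an added illustration of the points raised in this thread (not code from the thread or from FreeIPA), the small lint below reads an nss_ldap-style /etc/ldap.conf and reports the problems discussed above: OpenLDAP ldap.conf(5) keywords such as TLS_REQCERT that nss_ldap(5) does not know, no "ssl" setting or ldaps:// URI (so the connection stays unencrypted), no explicit tls_checkpeer, and HOST duplicating URI. The guide snippet is the one quoted above; the corrected snippet and the set of recognised keywords are my assumptions, and the corrected version uses the ldaps port rather than start_tls given Simo's doubt about FDS support.

```python
# Added example, not from the thread: lint an nss_ldap(5) /etc/ldap.conf.
import re

# The guide's snippet exactly as quoted in the thread (constructed copy).
GUIDE_SNIPPET = """\
URI     ldap://ipaserver.example.com
BASE dc=example,dc=com
HOST ipaserver.example.com
TLS_CACERTDIR /etc/cacerts/
TLS_REQCERT allow
"""

# Assumed corrected form: nss_ldap keywords, TLS on the ldaps port, peer verified.
FIXED_SNIPPET = """\
uri ldaps://ipaserver.example.com
base dc=example,dc=com
ssl on
tls_checkpeer yes
tls_cacertdir /etc/cacerts/
"""

# Subset of nss_ldap(5) keywords this lint knows about (assumption: not exhaustive).
NSS_LDAP_KEYS = {"uri", "host", "port", "base", "ssl", "tls_checkpeer",
                 "tls_cacertdir", "tls_cacertfile", "binddn", "bindpw"}

def parse(text):
    """Return {keyword: value} for 'keyword value' lines; keywords are lowercased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf

def lint(text):
    """List the configuration problems discussed in the thread, empty if none."""
    conf = parse(text)
    findings = [f"{k}: not an nss_ldap(5) option (OpenLDAP ldap.conf(5) syntax?)"
                for k in conf if k not in NSS_LDAP_KEYS]
    tls_on = conf.get("ssl", "off") in ("on", "start_tls") \
        or conf.get("uri", "").startswith("ldaps://")
    if not tls_on:
        findings.append("no TLS: neither 'ssl on'/'ssl start_tls' nor an ldaps:// uri")
    if conf.get("tls_checkpeer") != "yes":
        findings.append("tls_checkpeer not 'yes': server certificate verification "
                        "falls back to the libldap default")
    if "host" in conf and "uri" in conf:
        findings.append("host duplicates uri; uri should be preferred")
    return findings
```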