On Fri, Sep 25, 2009 at 06:33:57AM -0400, Stephen Gallagher wrote:
On 09/25/2009 06:16 AM, Sumit Bose wrote:
> Hi,
>
> this patch adds the config option ldap_tls_cacert and
> ldap_tls_cacertdir to specify the location of CA certificates. If they
> are not used in sssd.conf the system defaults as defined in
> /etc/openldap/ldap.conf will be used. I also extended the sssd-ldap
> man page.
>
> This patch should fix #201 and #202.
>
> bye,
> Sumit
>
>
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/sssd-devel
You may want to specify in the manpage that unencrypted channels are
supported if they're using LDAP only as an id_provider. I don't want to
give anyone the impression that they MUST use LDAP encryption even if
they're using kerberos for auth.
The default for ldap_tls_cacert and ldap_tls_cacertdir should specify
that they use the OpenLDAP client defaults on the system if they are
available. "System defaults" is ambiguous (especially on a system that
uses only mozldap). Hopefully in a few more Fedora revisions we will
have a common certificate store, but until that happens we probably need
to be more explicit here.
The only issue I have with the code is with the trailing comma in struct
sdap_gen_opts default_basic_opts[].
--
Stephen Gallagher
RHCE 804006346421761
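As an added illustration of the two situations discussed above (this is example configuration written for this page, not part of Sumit's patch or of SSSD's own documentation): an sssd.conf fragment that names the CA certificate explicitly with ldap_tls_cacert for a domain that authenticates against LDAP, next to a second domain where LDAP is only the id_provider and authentication goes through Kerberos, so no TLS settings are required. Only ldap_tls_cacert and ldap_tls_cacertdir come from the patch; the other option names (id_provider, auth_provider, ldap_uri, ldap_search_base, ldap_tls_reqcert, krb5_server, krb5_realm), the host names, the realm and the certificate paths are assumptions.

```ini
[sssd]
services = nss, pam
domains = ldap_auth, krb5_auth

# Domain 1: LDAP handles authentication, so the bind carrying the user's
# password must run over TLS and the server certificate must be checked
# against a CA named here rather than against whatever the OpenLDAP client
# defaults in /etc/openldap/ldap.conf happen to point at (which may be
# nothing on a mozldap-only system). Host name, base and path are assumed.
[domain/ldap_auth]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/example-ca.crt
# Alternative to a single file: a directory of hashed CA certificates.
# ldap_tls_cacertdir = /etc/pki/tls/certs
# Assumed option: refuse to proceed when the server certificate cannot be
# verified, instead of silently continuing with an unverified peer.
ldap_tls_reqcert = demand

# Domain 2: LDAP only supplies identity information; passwords are sent to
# the Kerberos KDC, not to the LDAP server. An unencrypted LDAP channel for
# the identity lookups is therefore acceptable, and no CA settings are set.
[domain/krb5_auth]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
krb5_server = kdc.example.com
krb5_realm = EXAMPLE.COM
```

Naming the CA explicitly in the first domain is what removes the dependence on the system-wide OpenLDAP client configuration that the review above objects to; the second domain shows the case where leaving both options unset is a legitimate choice rather than an oversight.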
Hi,
here is a new version with all three points addressed.
bye,
Sumit