Rob Crittenden <rcrit...@redhat.com> wrote:
> JR Aquino wrote:
> > On 2/17/11 9:46 AM, "Jan Zeleny" <jzel...@redhat.com> wrote:
> >> JR Aquino <jr.aqu...@citrix.com> wrote:
> >>> Let's try now. Attached is the corrected patch.
> >>>
> >>> There were several spots in ipa-client-install where the server could
> >>> be defined and it was getting missed.
> >>> I have omitted any change to ipa-client-install and instead just
> >>> focused on ipadiscovery.py
> >>>
> >>> ipadiscovery.py now performs its own fetch of the CACert just to be
> >>> sure.
> >>>
> >>> Regarding TLS vs LDAPS.
> >>>
> >>> LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
> >>> standardized in any formal specification. This usage has been
> >>> deprecated along with LDAPv2, which was officially retired in 2003.
> >>>
> >>> LDAPS is still supported, but considered deprecated in favor of TLS as
> >>> defined in RFC2830.
> >>>
> >>> On 2/17/11 2:01 AM, "Jan Zelený" <jzel...@redhat.com> wrote:
> >>>> JR Aquino <jr.aqu...@citrix.com> wrote:
> >>>>> This patch addresses the need to utilize TLS when using the
> >>>>> ipa-client-install tool. It addresses ticket:
> >>>>> https://fedorahosted.org/freeipa/ticket/974
> >>>>
> >>>> Nack, running ipa-client-install returned this error:
> >>>>
> >>>> # ipa-client-install
> >>>> Retrieving CA from None failed.
> >>>> Command '/usr/bin/wget -O /etc/ipa/ca.crt
> >>>> http://None/ipa/config/ca.crt'
> >>>> returned non-zero exit status 4
> >>>>
> >>>>
> >>>> One more question - shouldn't you use ldaps directly to connect to the
> >>>> server?
> >>>> Jan
> >>
> >> Sorry, I have to Nack it again, the patch seems incomplete, since it is
> >> only adding some cacert fetching code to IPADiscovery.
> >>
> >> Jan
> >
> > Please ignore previous patches for #18. Attached is the replacement all
> > inclusive patch for this ticket.
> >
> > Per Rob:
> > ipadiscovery should not attempt to create the /etc/ipa/ca.crt; rather, it
> > should populate a tempdir with the temp cert for the initial discovery
> > bind.
> >
> > Attached is the full patch to provide both TLS and the safer wget of the
> > ca.crt to a temporary directory created by tempfile.mkdtemp()
> >
> > Please verify that ipa-client-install from a separate machine functions
> > as expected against a FreeIPA server that is set to "nsslapd-minssf: 56"
>
> It looks ok except for the try/except around the tempfile. If it fails
> all heck is gonna break loose. We should raise a RuntimeError in that case.
>
> rob

Agreed, I had more or less the same comment prepared.

Jan

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
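One way to do what the thread asks for, as an added example that is not the FreeIPA patch itself: the CA certificate is fetched into a tempfile.mkdtemp() directory instead of /etc/ipa/ca.crt, every failure (including the "server is None" case) becomes a RuntimeError, and the discovery bind upgrades a plain LDAP connection with StartTLS. The `fetch` hook, the function names and the python-ldap calls in `discovery_bind` are assumptions.

```python
import os
import shutil
import tempfile
import urllib.request

# URL path the thread's wget error shows: http://<server>/ipa/config/ca.crt
CA_CERT_URL = "http://{server}/ipa/config/ca.crt"


def fetch_ca_for_discovery(server, fetch=None):
    """Download the server CA into a fresh mkdtemp() dir for the discovery bind.

    Returns (tmpdir, cacert_path). /etc/ipa/ca.crt is never written here; the
    caller removes tmpdir once discovery is done. Any failure raises RuntimeError
    so the client cannot carry on without a CA ("Retrieving CA from None failed").
    `fetch` is a hypothetical hook: callable(url) -> bytes, standing in for wget.
    """
    if not server:
        raise RuntimeError("no IPA server known; cannot fetch the CA certificate")
    url = CA_CERT_URL.format(server=server)
    try:
        tmpdir = tempfile.mkdtemp(prefix="ipa-discovery-")
    except OSError as e:
        raise RuntimeError("unable to create temp dir for the CA cert: %s" % e)
    cacert = os.path.join(tmpdir, "ca.crt")
    try:
        data = fetch(url) if fetch else urllib.request.urlopen(url).read()
        if b"BEGIN CERTIFICATE" not in data:
            raise ValueError("response is not a PEM certificate")
        with open(cacert, "wb") as f:
            f.write(data)
    except Exception as e:
        shutil.rmtree(tmpdir, ignore_errors=True)  # leave nothing behind on failure
        raise RuntimeError("retrieving CA from %s failed: %s" % (url, e))
    return tmpdir, cacert


def discovery_bind(server, cacert):
    """Open ldap://server and upgrade it with StartTLS (RFC 2830) before binding,
    verifying the server against the temporary CA. Assumes python-ldap."""
    import ldap  # lazy import: only this function needs python-ldap
    conn = ldap.initialize("ldap://%s" % server)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # apply the TLS options to this handle
    conn.start_tls_s()    # plain port 389, then TLS; satisfies nsslapd-minssf
    conn.simple_bind_s()  # anonymous bind used for discovery
    return conn
```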