JR Aquino wrote:
On 2/21/11 11:18 AM, "JR Aquino"<jr.aqu...@citrix.com>  wrote:

On 2/21/11 10:46 AM, "Jan Zeleny"<jzel...@redhat.com>  wrote:

Rob Crittenden<rcrit...@redhat.com>  wrote:
JR Aquino wrote:
On 2/17/11 9:46 AM, "Jan Zeleny"<jzel...@redhat.com>   wrote:
JR Aquino<jr.aqu...@citrix.com>   wrote:
Let's try now. Attached is the corrected patch.

There were several spots in ipa-client-install where the server could be defined and it was getting missed.
I have omitted any change to ipa-client-install and instead just focused on ipadiscovery.py

ipadiscovery.py now performs its own fetch of the CACert just to be sure.

Regarding TLS vs LDAPS.

LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never standardized in any formal specification. This usage has been deprecated along with LDAPv2, which was officially retired in 2003.

LDAPS is still supported, but considered deprecated in favor of TLS as defined in RFC2830.

On 2/17/11 2:01 AM, "Jan Zelený"<jzel...@redhat.com>   wrote:
JR Aquino<jr.aqu...@citrix.com>   wrote:
This patch addresses the need to utilize TLS when using the ipa-client-install tool. It addresses ticket:
https://fedorahosted.org/freeipa/ticket/974

Nack, running ipa-client-install returned this error:

# ipa-client-install
Retrieving CA from None failed.
Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt' returned non-zero exit status 4


One more question - shouldn't you use ldaps directly to connect to the server?
Jan

Sorry, I have to Nack it again, the patch seems incomplete, since it is only adding some cacert fetching code to IPADiscovery.

Jan

Please ignore previous patches for #18. Attached is the replacement all inclusive patch for this ticket.


Per Rob:
ipadiscovery should not attempt to create the /etc/ipa/ca.crt rather, it should populate a tempdir with the temp cert for the initial discovery bind.

Attached is the full patch to provide both TLS and the safer wget of the ca.crt to a temporary directory created by tempfile.mkdtemp()

Please verify that ipa-client-install from a separate machine functions as expected against a FreeIPA server which is set to "nsslapd-minssf: 56"

It looks ok except for the try/except around the tempfile. If it fails
all heck is gonna break loose. We should raise a RuntimeError in that
case.

rob

Agreed, I had more or less the same comment prepared.

Correction made, patch attached.

        except OSError, e:
            raise RuntimeError("Creating temporary directory failed: %s" % str(e))

In the spirit of consistency, I have corrected a section further down where sys.exit is called instead of raising the exception.

I have also broken out the removal of the temp files in a finally clause.

Please review, and confirm that it meets with your approval.



ack, pushed to master

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
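The pattern the thread converges on (fetch the CA cert into a directory from tempfile.mkdtemp(), raise RuntimeError instead of calling sys.exit when that fails, and remove the temporary files in a finally clause) is illustrated below as an added example. It is not the FreeIPA patch itself: the fetch and the LDAP bind are injected callables (the real ipa-client-install uses wget and python-ldap), and the PEM bytes, the failing mkdtemp and the function names are all constructed for this example.

```python
import os
import shutil
import tempfile

# Constructed placeholder PEM; not a real certificate.
CONSTRUCTED_CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIC(constructed)\n-----END CERTIFICATE-----\n"


def fetch_ca_to_tempdir(fetch_cert, filename="ca.crt", mkdtemp=tempfile.mkdtemp):
    """Write the CA certificate returned by fetch_cert() into a fresh temp dir.

    Returns (tempdir, ca_path). The caller owns tempdir and must remove it.
    Any failure is surfaced as RuntimeError so the caller decides how to exit,
    rather than sys.exit() being called from deep inside discovery code.
    """
    try:
        tempdir = mkdtemp(prefix="ipa-discovery-")
    except OSError as e:
        raise RuntimeError("Creating temporary directory failed: %s" % str(e))
    ca_path = os.path.join(tempdir, filename)
    try:
        data = fetch_cert()
        with open(ca_path, "wb") as f:
            f.write(data)
    except Exception as e:
        # Do not leak the directory if the fetch or the write failed.
        shutil.rmtree(tempdir, ignore_errors=True)
        raise RuntimeError("Retrieving CA certificate failed: %s" % e)
    return tempdir, ca_path


def run_discovery(fetch_cert, bind, mkdtemp=tempfile.mkdtemp):
    """Perform the initial discovery bind with a temporary CA file.

    bind(ca_path) stands in for the TLS-protected LDAP bind; in real code
    ca_path would be handed to the LDAP library as the trusted CA file.
    The finally clause guarantees the temp files are removed on every path.
    """
    tempdir = None
    try:
        tempdir, ca_path = fetch_ca_to_tempdir(fetch_cert, mkdtemp=mkdtemp)
        return bind(ca_path)
    finally:
        if tempdir is not None:
            shutil.rmtree(tempdir, ignore_errors=True)


# --- constructed stand-ins used by demo() ---------------------------------

def _constructed_fetch():
    return CONSTRUCTED_CA_PEM


def _failing_fetch():
    raise IOError("connection refused")


def _failing_mkdtemp(prefix=""):
    raise OSError("No space left on device")


def demo():
    """Exercise the success path and both failure paths; returns a dict."""
    results = {}
    created = []

    def recording_mkdtemp(prefix=""):
        d = tempfile.mkdtemp(prefix=prefix)
        created.append(d)
        return d

    def bind(ca_path):
        # A real bind would use the file for TLS verification; here we only
        # check that the fetched bytes are PEM-shaped.
        with open(ca_path, "rb") as f:
            return f.read().startswith(b"-----BEGIN CERTIFICATE-----")

    results["bind_ok"] = run_discovery(_constructed_fetch, bind, mkdtemp=recording_mkdtemp)
    results["tempdir_removed_after_success"] = not os.path.exists(created[-1])

    try:
        run_discovery(_failing_fetch, bind, mkdtemp=recording_mkdtemp)
        results["fetch_error"] = None
    except RuntimeError as e:
        results["fetch_error"] = str(e)
    results["tempdir_removed_after_fetch_failure"] = not os.path.exists(created[-1])

    try:
        run_discovery(_constructed_fetch, bind, mkdtemp=_failing_mkdtemp)
        results["mkdtemp_error"] = None
    except RuntimeError as e:
        results["mkdtemp_error"] = str(e)
    return results


if __name__ == "__main__":
    for k, v in sorted(demo().items()):
        print("%s: %s" % (k, v))
```

Keeping the bind inside the try/finally rather than deleting the directory at the end of the happy path is the point Rob raised: whichever way the discovery bind fails, the temporary CA file never survives it.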
