On 09/25/2009 06:16 AM, Sumit Bose wrote:
> Hi,
>
> this patch adds the config option ldap_tls_cacert and
> ldap_tls_cacertdir to specify the location of CA certificates. If they
> are not used in sssd.conf the system defaults as defined in
> /etc/openldap/ldap.conf will be used. I also extended the sssd-ldap
> man page.
>
> This patch should fix #201 and #202.
>
> bye,
> Sumit
You may want to specify in the manpage that unencrypted channels are supported if they're using LDAP only as an id_provider. I don't want to give anyone the impression that they MUST use LDAP encryption even if they're using kerberos for auth.

The default for ldap_tls_cacert and ldap_tls_cacertdir should specify that they use the OpenLDAP client defaults on the system if they are available. "System defaults" is ambiguous (especially on a system that uses only mozldap). Hopefully in a few more Fedora revisions we will have a common certificate store, but until that happens we probably need to be more explicit here.

The only issue I have with the code is with the trailing comma in struct sdap_gen_opts default_basic_opts[].

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
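A check an administrator can run once this patch is in place, written here as an added example and not taken from the patch or from the SSSD project: it resolves which CA source an LDAP domain actually ends up trusting, in the lookup order the patch describes (ldap_tls_cacert or ldap_tls_cacertdir in the domain's sssd.conf section, otherwise the OpenLDAP client defaults in ldap.conf). The domain names, paths and file contents are constructed samples, and the small ini reader assumes `key = value` lines under a `[domain/NAME]` header.

```shell
# Added example (not from the patch or SSSD): print which CA setting wins for
# an sssd LDAP domain, following the order the patch describes: the domain's
# ldap_tls_cacert / ldap_tls_cacertdir, otherwise the OpenLDAP client defaults.
# File paths are parameters so the check can run against constructed samples.

# Print KEY's value from section [SECTION] of an ini-style file ("" if unset).
ini_get() {  # $1 = file, $2 = section (e.g. domain/example.com), $3 = key
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { hdr = $0; gsub(/[[:space:]]/, "", hdr); insec = (hdr == sec); next }
        insec && $0 ~ "^[[:space:]]*" key "[[:space:]]*=" { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# Print KEYWORD's value from an OpenLDAP ldap.conf ("KEYWORD value", case-insensitive).
ldapconf_get() {  # $1 = file, $2 = keyword
    awk -v key="$2" '$0 !~ /^[[:space:]]*#/ && toupper($1) == toupper(key) { print $2; exit }' "$1"
}

# Print "<layer>:<path>" for the first CA setting found, or "none" (exit 1):
# with no CA anywhere there is nothing to validate the server certificate against.
effective_ca_source() {  # $1 = sssd.conf, $2 = domain name, $3 = ldap.conf
    for key in ldap_tls_cacert ldap_tls_cacertdir; do
        val=$(ini_get "$1" "domain/$2" "$key")
        [ -n "$val" ] && { printf 'sssd.conf:%s\n' "$val"; return 0; }
    done
    for key in TLS_CACERT TLS_CACERTDIR; do
        val=$(ldapconf_get "$3" "$key")
        [ -n "$val" ] && { printf 'ldap.conf:%s\n' "$val"; return 0; }
    done
    printf 'none\n'
    return 1
}

# Constructed sample configs for the demo; writes them to a temp dir and prints its path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/sssd.conf" <<'EOF'
[domain/pinned.example]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ldap.pinned.example
ldap_tls_cacert = /etc/pki/tls/certs/pinned-ca.crt
ldap_tls_cacertdir = /etc/pki/tls/certs
[domain/sysdefault.example]
id_provider = ldap
ldap_uri = ldaps://ldap.sysdefault.example
EOF
    printf '# constructed OpenLDAP client defaults\nTLS_CACERT /etc/pki/tls/certs/ca-bundle.crt\n' > "$d/ldap.conf"
    printf '%s\n' "$d"
}
```

Run `effective_ca_source "$dir/sssd.conf" sysdefault.example "$dir/ldap.conf"` against the samples to see the fallback to ldap.conf take effect, and the pinned.example domain to see the sssd.conf option override it.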