On 1/26/11 3:54 AM, "Stephen Gallagher" <sgall...@redhat.com> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On 01/26/2011 05:51 AM, Sumit Bose wrote:
>> On Tue, Jan 25, 2011 at 02:55:05PM -0500, Stephen Gallagher wrote:
>> On 01/25/2011 11:17 AM, Sumit Bose wrote:
>>>>> On Tue, Jan 25, 2011 at 11:09:09AM -0500, Stephen Gallagher wrote:
>>>>> On 01/25/2011 10:59 AM, Jeff Schroeder wrote:
>>>>>>>> Why don't you make sssd also complain on startup about this option?
>>>>>>>>
>>>>>
>>>>> I'm trying not to be TOO obnoxious about it. I figured that not having
>>>>> it mentioned in the documentation and not visible to the SSSDConfig API
>>>>> would be sufficient.
>>>>>
>>>>> But if you feel strongly about it, it's not too hard to add.
>>>>>
>>>>>
>>>>>> I would also support the idea of some kind of warning message to prevent
>>>>>> that someone accidentally use the "debugging" configuration in
>>>>>> production. But instead of a message at startup I would prefer a syslog
>>>>>> message every time a password is sent unencrypted.
>>
>>
>> New patch with annoying syslog message attached.
>>
>>
>>> I have to admit this patch is working as expected, I can clearly see my
>>> password on the wire.
>>
>>> ACK
>>
>
>
>Ok, so now that we know we have a patch to accomplish this... we have to
>ask ourselves this question: are we willing to push this upstream, or
>should we stick to the principles we've maintained up to this point?

I feel strongly that we should NACK this patch.

If an administrator wishes to troubleshoot ldaps traffic, there are ways
to do so without compromising the FreeIPA Code:

Wireshark can be made to sniff SSL traffic if the user has the SSL Cert
http://wiki.wireshark.org/SSL