JR Aquino wrote:
On 2/17/11 9:46 AM, "Jan Zeleny"<jzel...@redhat.com>  wrote:

JR Aquino<jr.aqu...@citrix.com>  wrote:
Let's try now. Attached is the corrected patch.

There were several spots in ipa-client-install where the server could be
defined and it was getting missed.
I have omitted any change to ipa-client-install and instead just focused
on ipadiscovery.py

ipadiscovery.py now performs its own fetch of the CACert just to be
sure.

Regarding TLS vs LDAPS.

LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
standardized in any formal specification. This usage has been deprecated
along with LDAPv2, which was officially retired in 2003.

LDAPS is still supported, but considered deprecated in favor of TLS as
defined in RFC2830.

On 2/17/11 2:01 AM, "Jan Zelený"<jzel...@redhat.com>  wrote:
JR Aquino<jr.aqu...@citrix.com>  wrote:
This patch addresses the need to utilize TLS when using the
ipa-client-install tool. It addresses ticket:
https://fedorahosted.org/freeipa/ticket/974

Nack, running ipa-client-install returned this error:

# ipa-client-install
Retrieving CA from None failed.
Command '/usr/bin/wget -O /etc/ipa/ca.crt
http://None/ipa/config/ca.crt'
returned non-zero exit status 4


One more question - shouldn't you use ldaps directly to connect to the
server?
Jan


Sorry, I have to Nack it again, the patch seems incomplete, since it is
only adding some cacert fetching code to IPADiscovery.

Jan

Please ignore previous patches for #18. Attached is the replacement all
inclusive patch for this ticket.


Per Rob:
ipadiscovery should not attempt to create the /etc/ipa/ca.crt rather, it
should populate a tempdir with the temp cert for the initial discovery
bind.

Attached is the full patch to provide both TLS and the safer wget of the
ca.crt to a temporary directory created by tempfile.mkdtemp()

Please verify that ipa-client-install from a separate machine functions as
expected against a FreeIPA server that is set to "nsslapd-minssf: 56"



It looks ok except for the try/except around the tempfile. If it fails all heck is gonna break loose. We should raise a RuntimeError in that case.

rob
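The pattern discussed above (ca.crt fetched into a tempfile.mkdtemp() directory for the discovery bind, a RuntimeError when that directory cannot be created, and StartTLS on port 389 instead of ldaps), as an added example that is not FreeIPA's ipadiscovery.py code. The function names, the "ipa-discovery-" prefix and the python-ldap option calls are assumptions; the certificate body used in the test is constructed.

```python
import os
import shutil
import tempfile
import urllib.request

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def _http_fetch(url):
    """Plain-HTTP fetch of ca.crt, as the thread's wget does (trust on first use)."""
    with urllib.request.urlopen(url, timeout=15) as resp:
        return resp.read()


def fetch_discovery_cacert(server, fetch=_http_fetch):
    """Write <server>'s ca.crt into a fresh mkdtemp() dir and return its path.
    Raises RuntimeError on a missing server, mkdtemp failure, or a non-PEM body."""
    if not server:
        # Guards the "Retrieving CA from None failed" case seen in the review.
        raise RuntimeError("no IPA server defined; cannot fetch CA certificate")
    try:
        tmpdir = tempfile.mkdtemp(prefix="ipa-discovery-")  # created mode 0700
    except OSError as err:
        # Rob's review point: fail loudly instead of continuing without a cert.
        raise RuntimeError("unable to create temporary directory: %s" % err)
    url = "http://%s/ipa/config/ca.crt" % server
    try:
        body = fetch(url).decode("ascii", "replace")  # fetch() returns bytes
        if PEM_BEGIN not in body or PEM_END not in body:
            raise RuntimeError("%s did not return a PEM certificate" % url)
        path = os.path.join(tmpdir, "ca.crt")
        with open(path, "w") as f:
            f.write(body)
        return path
    except Exception:
        shutil.rmtree(tmpdir, ignore_errors=True)  # never leave a half-written dir
        raise


def discovery_bind_with_starttls(server, cacert_path):
    """Open ldap://<server>:389 and upgrade with StartTLS (RFC 2830), verifying
    the server against the fetched CA; needs python-ldap at call time."""
    import ldap  # imported lazily so the fetch helper runs without python-ldap
    conn = ldap.initialize("ldap://%s" % server)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert_path)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # apply the TLS options above
    conn.start_tls_s()
    conn.simple_bind_s()  # anonymous bind is enough for discovery
    return conn
```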

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel