On 11/21/2012 02:43 PM, Simo Sorce wrote:
On Wed, 2012-11-21 at 10:46 +0100, Martin Kosek wrote:
On 11/20/2012 02:59 PM, Petr Viktorin wrote:
[...]


I just see that in patch 101 you touch setup_replication and force TLS as a
default. But in this case, r_sslport parameter is never used and we can remove 
it.

In 101, you also set LDAP+TLS as the default connection protocol with
+        super(CSReplicationManager, self).__init__(
+            realm, hostname, dirman_passwd, port, starttls=True)
                                                    ^^^^^^^^^^^^^
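
Review bot: `starttls=True` is hard-coded in this `__init__` call next to `port`, so the call only works when `port` is a plain LDAP port that is then upgraded, not an LDAPS port. A short comment at the call site stating that assumption would help, and any SSL-port argument the caller still carries for this path should be dropped along with it.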

Wouldn't we want to make LDAP+TLS the default also in a bunch of
ReplicationManager initializations in ipa-replica-manage? Otherwise, we use
ldaps/SSL by default. AFAIU, LDAP+TLS is preferred over ldaps/SSL so this would
be a good step to do. Adding Rob and Simo to CC to correct me if I miss
anything and we want to keep using ldaps/SSL by default.

In order of preference:
LDAP/GSSAPI
LDAP/TLS
LDAPS

but using ldaps is not the end of the world, so don't tie yourself up
due to this.

Simo.


https://fedorahosted.org/freeipa/ticket/3272

--
Petr³
