Re: [Freeipa-devel] [PATCH] 769 enable SSL hostname checking
On Thu, 2011-05-19 at 22:36 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-04-11 at 17:05 -0400, Rob Crittenden wrote:
> > > Enable 389-ds SSL host checking by default
> > >
> > > Enforce that the remote hostname matches the remote SSL server
> > > certificate when 389-ds operates as an SSL client.
> > >
> > > Also add an update file to turn this off for existing installations.
> > >
> > > ticket 1069
> > >
> > > rob
> >
> > NACK. 10-config.update fails to upgrade existing installation:
> >
> > # ipa-ldap-updater --upgrade
> > Upgrading IPA:
> >   [1/8]: stopping directory server
> >   [2/8]: saving configuration
> >   [3/8]: disabling listeners
> >   [4/8]: starting directory server
> >   [5/8]: upgrading server
> > ERROR:root:Update failed: Server is unwilling to perform: Deleting attributes is not allowed
> >   [6/8]: stopping directory server
> >   [7/8]: restoring configuration
> >   [8/8]: starting directory server
> > done configuring dirsrv.
> >
> > Martin
>
> Updated patch attached. I had to make the ldap updater do REPLACE
> operations. I went ahead and made this code similar to the code in
> ldap2.py for consistency.
>
> rob

ACK. Both LDAP upgrade and a fresh installation work fine.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
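
An added illustration of the REPLACE change mentioned in the message above; it is not code from the patch, from ldap2.py, or from FreeIPA. It assumes the setting is the 389-ds `nsslapd-ssl-check-hostname` attribute (the thread does not name it) and uses a toy `apply_to_config` that rejects deletes the way the quoted error does; all function names are hypothetical.

```python
# LDAP modify op codes (RFC 4511); python-ldap exposes the same values
# as ldap.MOD_ADD, ldap.MOD_DELETE and ldap.MOD_REPLACE.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

# Constructed sample data. The attribute name is an assumption: the thread
# never names the setting that 10-config.update changes.
ATTR = "nsslapd-ssl-check-hostname"
CURRENT = {ATTR: ["on"]}
DESIRED = {ATTR: ["off"]}


def delete_add_modlist(current, desired):
    """Diff that removes a changed attribute and then adds it back."""
    mods = []
    for attr, new in desired.items():
        old = current.get(attr)
        if old is not None and sorted(old) == sorted(new):
            continue
        if old is not None:
            mods.append((MOD_DELETE, attr, None))
        mods.append((MOD_ADD, attr, list(new)))
    return mods


def replace_modlist(current, desired):
    """Diff that swaps the values of a changed attribute in one operation."""
    mods = []
    for attr, new in desired.items():
        old = current.get(attr)
        if old is None:
            mods.append((MOD_ADD, attr, list(new)))
        elif sorted(old) != sorted(new):
            mods.append((MOD_REPLACE, attr, list(new)))
    return mods


def apply_to_config(entry, mods):
    """Toy model of cn=config: rejects deletes, as in the quoted error."""
    result = {k: list(v) for k, v in entry.items()}
    for op, attr, values in mods:
        if op == MOD_DELETE:
            raise PermissionError("Deleting attributes is not allowed")
        result[attr] = list(values)
    return result


if __name__ == "__main__":
    print(apply_to_config(CURRENT, replace_modlist(CURRENT, DESIRED)))
```
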
Re: [Freeipa-devel] [PATCH] 769 enable SSL hostname checking
On Mon, 2011-04-11 at 17:05 -0400, Rob Crittenden wrote:
> Enable 389-ds SSL host checking by default
>
> Enforce that the remote hostname matches the remote SSL server
> certificate when 389-ds operates as an SSL client.
>
> Also add an update file to turn this off for existing installations.
>
> ticket 1069
>
> rob

NACK. 10-config.update fails to upgrade existing installation:

# ipa-ldap-updater --upgrade
Upgrading IPA:
  [1/8]: stopping directory server
  [2/8]: saving configuration
  [3/8]: disabling listeners
  [4/8]: starting directory server
  [5/8]: upgrading server
ERROR:root:Update failed: Server is unwilling to perform: Deleting attributes is not allowed
  [6/8]: stopping directory server
  [7/8]: restoring configuration
  [8/8]: starting directory server
done configuring dirsrv.

Martin

[Freeipa-devel] [PATCH] 769 enable SSL hostname checking
Enable 389-ds SSL host checking by default

Enforce that the remote hostname matches the remote SSL server
certificate when 389-ds operates as an SSL client.

Also add an update file to turn this off for existing installations.

ticket 1069

rob

freeipa-rcrit-769-ssl.patch
Description: application/mbox