Re: [Freeipa-devel] [PATCH] 769 enable SSL hostname checking
Martin Kosek wrote:
> On Thu, 2011-05-19 at 22:36 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Mon, 2011-04-11 at 17:05 -0400, Rob Crittenden wrote:
> > > > Enable 389-ds SSL host checking by default
> > > >
> > > > Enforce that the remote hostname matches the remote SSL server
> > > > certificate when 389-ds operates as an SSL client.
> > > >
> > > > Also add an update file to turn this off for existing installations.
> > > >
> > > > ticket 1069
> > > >
> > > > rob
> > >
> > > NACK. 10-config.update fails to upgrade existing installation:
> > >
> > > # ipa-ldap-updater --upgrade
> > > Upgrading IPA:
> > >   [1/8]: stopping directory server
> > >   [2/8]: saving configuration
> > >   [3/8]: disabling listeners
> > >   [4/8]: starting directory server
> > >   [5/8]: upgrading server
> > > ERROR:root:Update failed: Server is unwilling to perform: Deleting
> > > attributes is not allowed
> > >   [6/8]: stopping directory server
> > >   [7/8]: restoring configuration
> > >   [8/8]: starting directory server
> > > done configuring dirsrv.
> > >
> > > Martin
> >
> > Updated patch attached. I had to make the ldap updater do REPLACE
> > operations. I went ahead and made this code similar to the code in
> > ldap2.py for consistency.
> >
> > rob
>
> ACK. Both LDAP upgrade and a fresh installation work fine.
>
> Martin

pushed to master and ipa-2-0

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
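The NACK above turns on a detail of how 389-ds treats its own cn=config entry: an update that deletes an attribute and re-adds it is refused ("Deleting attributes is not allowed"), while a single REPLACE of the same attribute is accepted. The toy model below is an added example, not code from the FreeIPA patch or from 389-ds; it assumes the attribute being toggled by 10-config.update is nsslapd-ssl-check-hostname (the thread names only the update file) and mimics the server's refusal in memory so the two update shapes can be compared offline.

```python
# Added example (not FreeIPA or 389-ds code): why a delete+add update fails
# against cn=config and why the REPLACE-based update from the second patch works.
from dataclasses import dataclass, field

MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2   # mirror python-ldap's constants

class UnwillingToPerform(Exception):
    """Stands in for LDAP result code 53 (unwillingToPerform)."""

@dataclass
class ConfigEntry:
    """Toy cn=config: values may be replaced but never deleted."""
    attrs: dict = field(default_factory=dict)

    def modify(self, modlist):
        # Every change is checked before anything is applied, as the
        # server rejects the whole modify when one op is refused.
        for op, _name, _values in modlist:
            if op == MOD_DELETE:
                raise UnwillingToPerform("Deleting attributes is not allowed")
        for op, name, values in modlist:
            key = name.lower()
            if op == MOD_ADD:
                self.attrs.setdefault(key, []).extend(values)
            elif op == MOD_REPLACE:
                self.attrs[key] = list(values)

def delete_then_add_modlist(name, new_values):
    """Shape of the NACKed update: drop the attribute, then add the new value."""
    return [(MOD_DELETE, name, []), (MOD_ADD, name, new_values)]

def replace_modlist(name, new_values):
    """Shape of the updated patch: one REPLACE operation."""
    return [(MOD_REPLACE, name, new_values)]

# Attribute name is an assumption; the thread does not name it.
HOSTNAME_CHECK_ATTR = "nsslapd-ssl-check-hostname"

def apply_hostname_check_update(entry, build_modlist):
    """Turn host checking off for an existing install; return the stored value."""
    entry.modify(build_modlist(HOSTNAME_CHECK_ATTR, ["off"]))
    return entry.attrs[HOSTNAME_CHECK_ATTR]

def demo():
    """Run both update shapes against the same entry; report each outcome."""
    entry = ConfigEntry({HOSTNAME_CHECK_ATTR: ["on"]})
    try:
        apply_hostname_check_update(entry, delete_then_add_modlist)
        first = "unexpectedly succeeded"
    except UnwillingToPerform as exc:
        first = f"failed: {exc}"
    return first, apply_hostname_check_update(entry, replace_modlist)
```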
Re: [Freeipa-devel] [PATCH] 769 enable SSL hostname checking
On Thu, 2011-05-19 at 22:36 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-04-11 at 17:05 -0400, Rob Crittenden wrote:
> >> Enable 389-ds SSL host checking by default
> >>
> >> Enforce that the remote hostname matches the remote SSL server
> >> certificate when 389-ds operates as an SSL client.
> >>
> >> Also add an update file to turn this off for existing installations.
> >>
> >> ticket 1069
> >>
> >> rob
> >
> > NACK. 10-config.update fails to upgrade existing installation:
> >
> > # ipa-ldap-updater --upgrade
> > Upgrading IPA:
> >   [1/8]: stopping directory server
> >   [2/8]: saving configuration
> >   [3/8]: disabling listeners
> >   [4/8]: starting directory server
> >   [5/8]: upgrading server
> > ERROR:root:Update failed: Server is unwilling to perform: Deleting
> > attributes is not allowed
> >   [6/8]: stopping directory server
> >   [7/8]: restoring configuration
> >   [8/8]: starting directory server
> > done configuring dirsrv.
> >
> > Martin
>
> Updated patch attached. I had to make the ldap updater do REPLACE
> operations. I went ahead and made this code similar to the code in
> ldap2.py for consistency.
>
> rob

ACK. Both LDAP upgrade and a fresh installation work fine.

Martin
Re: [Freeipa-devel] [PATCH] 769 enable SSL hostname checking
Martin Kosek wrote:
> On Mon, 2011-04-11 at 17:05 -0400, Rob Crittenden wrote:
> > Enable 389-ds SSL host checking by default
> >
> > Enforce that the remote hostname matches the remote SSL server
> > certificate when 389-ds operates as an SSL client.
> >
> > Also add an update file to turn this off for existing installations.
> >
> > ticket 1069
> >
> > rob
>
> NACK. 10-config.update fails to upgrade existing installation:
>
> # ipa-ldap-updater --upgrade
> Upgrading IPA:
>   [1/8]: stopping directory server
>   [2/8]: saving configuration
>   [3/8]: disabling listeners
>   [4/8]: starting directory server
>   [5/8]: upgrading server
> ERROR:root:Update failed: Server is unwilling to perform: Deleting
> attributes is not allowed
>   [6/8]: stopping directory server
>   [7/8]: restoring configuration
>   [8/8]: starting directory server
> done configuring dirsrv.
>
> Martin

Updated patch attached. I had to make the ldap updater do REPLACE
operations. I went ahead and made this code similar to the code in
ldap2.py for consistency.

rob

Attachment: freeipa-rcrit-769-2-ssl.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] 769 enable SSL hostname checking
On Mon, 2011-04-11 at 17:05 -0400, Rob Crittenden wrote:
> Enable 389-ds SSL host checking by default
>
> Enforce that the remote hostname matches the remote SSL server
> certificate when 389-ds operates as an SSL client.
>
> Also add an update file to turn this off for existing installations.
>
> ticket 1069
>
> rob

NACK. 10-config.update fails to upgrade existing installation:

# ipa-ldap-updater --upgrade
Upgrading IPA:
  [1/8]: stopping directory server
  [2/8]: saving configuration
  [3/8]: disabling listeners
  [4/8]: starting directory server
  [5/8]: upgrading server
ERROR:root:Update failed: Server is unwilling to perform: Deleting
attributes is not allowed
  [6/8]: stopping directory server
  [7/8]: restoring configuration
  [8/8]: starting directory server
done configuring dirsrv.

Martin