On 02/26/2016 03:29 PM, Petr Spacek wrote:
On 25.2.2016 18:01, Petr Vobornik wrote:
I did not add --enableldapstarttls to config_redhat_nss_ldap because I'm not
sure if it is present on el5 (IMO it is not).
authconfig in:
* config_redhat_nss_ldap got
  * --enableldaptls
* config_redhat_nss_pam_ldapd got
  * --enableldaptls
  * --enableldapstarttls
options
Shouldn't it get only one of them?
It seems weird to enable both at the same time.
Petr^2 Spacek
https://fedorahosted.org/freeipa/ticket/5654
Updated patch attached. It uses only --enableldaptls in both commands.
--enableldapstarttls is an alias for enableldaptls.
After testing and checking /etc/openldap/ldap.conf, I don't think that
these options have any effect on el6. There is no 'ssl no' or 'ssl
start_tls' in any combination or lack of the options. Maybe they have
effect somewhere else. Anyway it shouldn't do any harm.
--
Petr Vobornik
From 8fdc69cb741ef67e8a1901ba5b8f1899ba8f3668 Mon Sep 17 00:00:00 2001
From: Petr Vobornik
Date: Thu, 25 Feb 2016 15:25:12 +0100
Subject: [PATCH] advise: configure TLS in redhat_nss_pam_ldapd and
redhat_nss_ldap plugins
authconfig in config_redhat_nss_ldap and config_redhat_nss_pam_ldapd got
new option --enableldaptls
It should have effect primarily on el5 systems.
https://fedorahosted.org/freeipa/ticket/5654
---
ipaserver/advise/plugins/legacy_clients.py | 4 ++--
ipatests/test_integration/test_advise.py | 7 ---
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py
index b6e1fc5a1549787fbe2805b0297d79211ae21d77..9e381f12a4f60e970a08de34b79a6ad5028de449 100644
--- a/ipaserver/advise/plugins/legacy_clients.py
+++ b/ipaserver/advise/plugins/legacy_clients.py
@@ -195,7 +195,7 @@ class config_redhat_nss_pam_ldapd(config_base_legacy_client):
self.log.comment('Use the authconfig to configure nsswitch.conf '
'and the PAM stack')
-self.log.command('authconfig --updateall --enableldap '
+self.log.command('authconfig --updateall --enableldap --enableldaptls '
'--enableldapauth --ldapserver=%s --ldapbasedn=%s\n'
% (uri, base))
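Review bot: the log comment directly above the changed command still says only "Use the authconfig to configure nsswitch.conf and the PAM stack", while the command now also turns on TLS for the LDAP connection with --enableldaptls; extend the comment (or the commit message) so the generated advice script records why the option is there, and note the observation from the thread that on el6 the option produced no visible change in /etc/openldap/ldap.conf and is expected to matter primarily on el5, so that the behaviour is documented where the next reader will look.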
@@ -363,7 +363,7 @@ class config_redhat_nss_ldap(config_base_legacy_client):
self.log.comment('Use the authconfig to configure nsswitch.conf '
'and the PAM stack')
-self.log.command('authconfig --updateall --enableldap '
+self.log.command('authconfig --updateall --enableldap --enableldaptls '
'--enableldapauth --ldapserver=%s --ldapbasedn=%s\n'
% (uri, base))
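Review bot: this hunk is byte-for-byte the same change as the one in config_redhat_nss_pam_ldapd above, and the surrounding comment and command lines are duplicated too; consider moving the authconfig command template (`'authconfig --updateall --enableldap --enableldaptls ' '--enableldapauth --ldapserver=%s --ldapbasedn=%s\n'`) into config_base_legacy_client or a shared constant, so a future option change cannot be applied to one plugin and forgotten in the other.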
diff --git a/ipatests/test_integration/test_advise.py b/ipatests/test_integration/test_advise.py
index 613096f1caed3efb7db33076da5e57bea58cfa13..82d6d84cfd6e987dcbe5b8a9214a1c5eeeadf052 100644
--- a/ipatests/test_integration/test_advise.py
+++ b/ipatests/test_integration/test_advise.py
@@ -104,7 +104,8 @@ class TestAdvice(IntegrationTest):
advice_regex = "\#\!\/bin\/sh.*" \
"yum[\s]+install[\s]+\-y[\s]+curl[\s]+openssl[\s]+nss_ldap" \
"[\s]+authconfig.*authconfig[\s]+\-\-updateall" \
- "[\s]+\-\-enableldap[\s]+\-\-enableldapauth[\s]+" \
+ "[\s]+\-\-enableldap[\s]+\-\-enableldaptls"\
+ "[\s]+\-\-enableldapauth[\s]+" \
"\-\-ldapserver=.*[\s]+\-\-ldapbasedn=.*"
raiseerr = True
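Review bot: the added line `"[\s]+\-\-enableldap[\s]+\-\-enableldaptls"\` has no space before the line-continuation backslash, unlike every other line of the string, and the implicit string concatenation relies on backslash continuations that are easy to break; wrapping the whole advice_regex in parentheses would make the concatenation explicit. The regex pieces also use `\#`, `\!`, `\/` and `\-`, which are not Python escape sequences and do not need escaping in a regex, so raw string literals (`r"..."`) would be the safer form for these patterns.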
@@ -116,8 +117,8 @@ class TestAdvice(IntegrationTest):
advice_regex = "\#\!\/bin\/sh.*" \
"yum[\s]+install[\s]+\-y[\s]+curl[\s]+openssl[\s]+" \
"nss\-pam\-ldapd[\s]+pam_ldap[\s]+authconfig.*" \
- "authconfig[\s]+\-\-updateall[\s]+" \
- "\-\-enableldap[\s]+\-\-enableldapauth[\s]+" \
+ "authconfig[\s]+\-\-updateall[\s]+\-\-enableldap"\
+ "[\s]+\-\-enableldaptls[\s]+\-\-enableldapauth[\s]+" \
"\-\-ldapserver=.*[\s]+\-\-ldapbasedn=.*"
raiseerr = True
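Review bot: same missing space before the continuation backslash at `"authconfig[\s]+\-\-updateall[\s]+\-\-enableldap"\`, and the pattern is split at a different point than in the nss_ldap test above (`--enableldap` at the end of one line here, `--enableldaptls` at the start of the next), which makes the two tests harder to compare; splitting both regexes at the same option boundary, or sharing the common `--updateall ... --ldapbasedn=.*` tail between the two tests, would keep them in sync with the shared command in legacy_clients.py.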
--
2.5.0
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code