URL: https://github.com/SSSD/sssd/pull/570
Title: #570: p11_child: add OpenSSL support
jhrozek commented:
"""
> On 30 May 2018, at 12:39, sumit-bose <notificati...@github.com> wrote:
>
> About /etc/sssd/pki, I'm sorry, I didn't understand you correctly in the
> first place. You suggested to use a directory based CA store (e.g.
> TLS_CACERTDIR of OpenLDAP) instead of a file based one (e.g. TLS_CACERT of
> OpenLDAP). I prefer the file based one because you do not have to run some
> rehash command to create the needed link in the directory store and you can
> easily link it to other file based stores like e.g. the IPA one.
>
> Nevertheless we can use /etc/sssd/pki so that the file name will be
> /etc/sssd/pki/sssd_auth_ca_db.pem. The upcoming file with the CRL will then
> be /etc/sssd/pki/sssd_auth_crl.pem. And if there is really a need for a
> directory store we can add e.g. /etc/sssd/pki/ca_certs/.

I tried to suggest TLS_CACERT from the start, I just don’t like putting files in the /etc/sssd directory because if we ever want to have e.g. some different access control to a subset of the files, it’s easier to do if the files are in a directory. And if there are multiple related files (like the CRL you mentioned) it’s cleaner to have them in the same directory.

>
> Do you agree?

Yes, I do.
"""

See the full comment at https://github.com/SSSD/sssd/pull/570#issuecomment-393193240