Bug 220973

Summary: --enableldaptls and --enableldapssl should do differnt things
Product: [Fedora] Fedora Reporter: Eric Warnke <ericew>
Component: authconfigAssignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideKeywords: FutureFeature
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: authconfig-5.4.3-1.fc10 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-06-06 14:17:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
make --enableldapssl enable SSL, not TLS none

Description Eric Warnke 2006-12-29 20:28:18 UTC
Description of problem:

Stumbled on this when attempting to bring a FC^ box into an existing LDAP setup.
 When using system-config-authentication both the --enableldaptls and the
--enableldapssh add the same identical line to ldap.conf despite the fact that
nss_ldap recognizes a difference between ssl and tls operation

Version-Release number of selected component (if applicable):

authconfig-gtk-5.3.12-1.fc6

How reproducible:

every time

Steps to Reproduce:
1. use s-c-a --enableldapssl --update
2. check /etc/ldap.conf for the line ssl ...

  
Actual results:

Ssl option set to "ssl start_tls"


Expected results:

Ssl option set to "ssl yes"

Additional info:

This is important for interfacing with older LDAP servers that just start
talking SSL on ldaps (636) since nss_ldap will get confused if set to start_tls
waiting for the start signal.

Comment 1 Matthew Boyle 2008-02-21 14:43:38 UTC
Created attachment 295512 [details]
make --enableldapssl enable SSL, not TLS

works fine on this FC8 box, but has only been tested using the CLI, not the
GUI.

(requires python-2.5 for startswith() that takes a tuple.)

Comment 2 Tomas Mraz 2008-06-06 12:13:12 UTC
I do not think --enableldapssl should do this. Actually I think that
--enableldapssl option should just be removed completely, --enableldaptls should
stay as is that means put ssl start_tls into the config.

There is support for using ldaps:// or ldap:// uri in the --ldapserver option
already.

So for ldaps you would use options '--ldapserver ldaps://<server>/ --disableldaptls'

I'll drop the --enableldapssl alias and add some text to the --help and to
tooltips in the GUI.