Red Hat Bugzilla – Bug 220973
--enableldaptls and --enableldapssl should do differnt things
Last modified: 2008-06-06 10:17:51 EDT
Description of problem:
Stumbled on this when attempting to bring a FC^ box into an existing LDAP setup.
When using system-config-authentication both the --enableldaptls and the
--enableldapssh add the same identical line to ldap.conf despite the fact that
nss_ldap recognizes a difference between ssl and tls operation
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. use s-c-a --enableldapssl --update
2. check /etc/ldap.conf for the line ssl ...
Ssl option set to "ssl start_tls"
Ssl option set to "ssl yes"
This is important for interfacing with older LDAP servers that just start
talking SSL on ldaps (636) since nss_ldap will get confused if set to start_tls
waiting for the start signal.
Created attachment 295512 [details]
make --enableldapssl enable SSL, not TLS
works fine on this FC8 box, but has only been tested using the CLI, not the
(requires python-2.5 for startswith() that takes a tuple.)
I do not think --enableldapssl should do this. Actually I think that
--enableldapssl option should just be removed completely, --enableldaptls should
stay as is that means put ssl start_tls into the config.
There is support for using ldaps:// or ldap:// uri in the --ldapserver option
So for ldaps you would use options '--ldapserver ldaps://<server>/ --disableldaptls'
I'll drop the --enableldapssl alias and add some text to the --help and to
tooltips in the GUI.