Bug 220973 - --enableldaptls and --enableldapssl should do differnt things
Summary: --enableldaptls and --enableldapssl should do differnt things
Alias: None
Product: Fedora
Classification: Fedora
Component: authconfig   
(Show other bugs)
Version: rawhide
Hardware: i386 Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
Keywords: FutureFeature
Depends On:
TreeView+ depends on / blocked
Reported: 2006-12-29 20:28 UTC by Eric Warnke
Modified: 2008-06-06 14:17 UTC (History)
0 users

Fixed In Version: authconfig-5.4.3-1.fc10
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-06-06 14:17:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
make --enableldapssl enable SSL, not TLS (5.09 KB, patch)
2008-02-21 14:43 UTC, Matthew Boyle
no flags Details | Diff

Description Eric Warnke 2006-12-29 20:28:18 UTC
Description of problem:

Stumbled on this when attempting to bring a FC^ box into an existing LDAP setup.
 When using system-config-authentication both the --enableldaptls and the
--enableldapssh add the same identical line to ldap.conf despite the fact that
nss_ldap recognizes a difference between ssl and tls operation

Version-Release number of selected component (if applicable):


How reproducible:

every time

Steps to Reproduce:
1. use s-c-a --enableldapssl --update
2. check /etc/ldap.conf for the line ssl ...

Actual results:

Ssl option set to "ssl start_tls"

Expected results:

Ssl option set to "ssl yes"

Additional info:

This is important for interfacing with older LDAP servers that just start
talking SSL on ldaps (636) since nss_ldap will get confused if set to start_tls
waiting for the start signal.

Comment 1 Matthew Boyle 2008-02-21 14:43:38 UTC
Created attachment 295512 [details]
make --enableldapssl enable SSL, not TLS

works fine on this FC8 box, but has only been tested using the CLI, not the

(requires python-2.5 for startswith() that takes a tuple.)

Comment 2 Tomas Mraz 2008-06-06 12:13:12 UTC
I do not think --enableldapssl should do this. Actually I think that
--enableldapssl option should just be removed completely, --enableldaptls should
stay as is that means put ssl start_tls into the config.

There is support for using ldaps:// or ldap:// uri in the --ldapserver option

So for ldaps you would use options '--ldapserver ldaps://<server>/ --disableldaptls'

I'll drop the --enableldapssl alias and add some text to the --help and to
tooltips in the GUI.

Note You need to log in before you can comment on or make changes to this bug.