Bug 220973 - --enableldaptls and --enableldapssl should do differnt things
--enableldaptls and --enableldapssl should do differnt things
Product: Fedora
Classification: Fedora
Component: authconfig (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Brian Brock
: FutureFeature
Depends On:
  Show dependency treegraph
Reported: 2006-12-29 15:28 EST by Eric Warnke
Modified: 2008-06-06 10:17 EDT (History)
0 users

See Also:
Fixed In Version: authconfig-5.4.3-1.fc10
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-06-06 10:17:51 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
make --enableldapssl enable SSL, not TLS (5.09 KB, patch)
2008-02-21 09:43 EST, Matthew Boyle
no flags Details | Diff

  None (edit)
Description Eric Warnke 2006-12-29 15:28:18 EST
Description of problem:

Stumbled on this when attempting to bring a FC^ box into an existing LDAP setup.
 When using system-config-authentication both the --enableldaptls and the
--enableldapssh add the same identical line to ldap.conf despite the fact that
nss_ldap recognizes a difference between ssl and tls operation

Version-Release number of selected component (if applicable):


How reproducible:

every time

Steps to Reproduce:
1. use s-c-a --enableldapssl --update
2. check /etc/ldap.conf for the line ssl ...

Actual results:

Ssl option set to "ssl start_tls"

Expected results:

Ssl option set to "ssl yes"

Additional info:

This is important for interfacing with older LDAP servers that just start
talking SSL on ldaps (636) since nss_ldap will get confused if set to start_tls
waiting for the start signal.
Comment 1 Matthew Boyle 2008-02-21 09:43:38 EST
Created attachment 295512 [details]
make --enableldapssl enable SSL, not TLS

works fine on this FC8 box, but has only been tested using the CLI, not the

(requires python-2.5 for startswith() that takes a tuple.)
Comment 2 Tomas Mraz 2008-06-06 08:13:12 EDT
I do not think --enableldapssl should do this. Actually I think that
--enableldapssl option should just be removed completely, --enableldaptls should
stay as is that means put ssl start_tls into the config.

There is support for using ldaps:// or ldap:// uri in the --ldapserver option

So for ldaps you would use options '--ldapserver ldaps://<server>/ --disableldaptls'

I'll drop the --enableldapssl alias and add some text to the --help and to
tooltips in the GUI.

Note You need to log in before you can comment on or make changes to this bug.