Commit Graph

2 Commits

Author SHA1 Message Date
Alexander Bokovoy
22022ae2ff ipaclient: do not set TLS CA options in ldap.conf anymore
OpenLDAP has made it explicit to use default CA store as provided by
OpenSSL in 2016:

	branches 2.5 and later:
	commit 4962dd6083ae0fe722eb23a618ad39e47611429b
	Author: Howard Guo <hguo@suse.com>
	Date:   Thu Nov 10 15:39:03 2016 +0100

	branch 2.4:
	commit e3affc71e05b33bfac43833c7b95fd7b7c3188f8
	Author: Howard Guo <hguo@suse.com>
	Date:   Thu Nov 10 15:39:03 2016 +0100

This means starting with OpenLDAP 2.4.45 we can drop the explicit CA
configuration in ldap.conf.

There are several use cases where an explicit IPA CA should be specified
in the configuration. These mostly concern situations where a higher
security level must be maintained. For these configurations an
administrator would need to add an explicit CA configuration to
ldap.conf if we wouldn't add it during the ipa-client-install setup.

RN: FreeIPA client installer does not add explicit TLS CA configuration
RN: to OpenLDAP's ldap.conf anymore. Since OpenLDAP 2.4.45, explicit CA
RN: configuration is not required as OpenLDAP uses the default CA store
RN: provided by OpenSSL and IPA CA is installed in the default store
RN: by the installer already.

Fixes: https://pagure.io/freeipa/issue/9258

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-10-10 09:50:39 +02:00
Christian Heimes
a376b6136c Add test case for configure_openldap_conf
IPAChangeConf doesn't handle lines with mixed assignment values
correctly.

See: https://pagure.io/freeipa/issue/7838
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-29 11:35:26 +01:00