We wish to enable the current connection acceptance code to use nunc-stans by default in Directory Server. This starts to pave the way to nunc-stans by default for other aspects of the server.
attachment 0001-Ticket-49006-Enable-nunc-stans-by-default.patch
355d707 Writing objects: 100% (11/11), 1.36 KiB | 0 bytes/s, done. Total 11 (delta 8), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git
355d707..83a7705 master -> master
Could you please also add an option to template-dse.ldif?
I thought about this a lot actually, and the short answer is "no".
In dse.ldif, we have made a mess for ourselves, especially in cn=config. We rely on extensibleObject a lot, and our schema doesn't 100% match our config. In the future I would love to review this and fix it all up (to be able to remove extensibleObject in new installs). We've also made a mess for our users. It's hard to find what options changed in an install, it's impossible to reset a server to defaults, and on upgrade, most admins are not getting our new settings enabled unless they carefully read the changelogs.
So the problem is that adding the option nsslapd-nunc-stans-enable would need to go to the schema, and then would have to live there as a member of the nsslapdConfig objectclass. That's not so bad, but there are some issues with the addition:
First, this makes us changing the default impossible. If we set an install with a value in template-dse.ldif, then we decide to revert out, anyone that installed at that time will retain the option even though we don't want them to. By not putting this into dse.ldif, we can provide defaults that we can upgrade and improve over time without admins noticing! They can reset the value by deleting the attr from their cn=config too.
Second, this option will go away in the future. nunc-stans will be the default, and only choice for connections and threading one day, and I don't want to maintain support for options that don't exist anymore.
So I will not add this option, nor any other new future option to template-dse.ldif "by default". I will put the options in the server so we can upgrade them in the background, and only if a user really wants, they can add it to the cn=config for manual setting. If anything I am aiming to trim and minimise dse.ldif out of the box, so hopefully there will be some more options that will be purged in the future from cn=config "by default".
attachment 0002-Ticket-49006-Nunc-stans-use-DS-stack-size.patch
Attachment 0002-Ticket-49006-Nunc-stans-use-DS-stack-size.patch added
ack.
commit 73b91d8 Writing objects: 100% (6/6), 723 bytes | 0 bytes/s, done. Total 6 (delta 4), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git bcaf2c2..73b91d8 master -> master
Metadata Update from @firstyear: - Issue assigned to firstyear - Issue set to the milestone: 1.3.6.0
Metadata Update from @mreynolds: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1425906 - Issue close_status updated to: None (was: Fixed)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/2065
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix
Login to comment on this ticket.