93b0e6a ipaclient: do not set TLS CA options in ldap.conf anymore

2 files. Authored by abbra a year ago, committed by frenaud a year ago.
    ipaclient: do not set TLS CA options in ldap.conf anymore
    
    OpenLDAP has made it explicit to use default CA store as provided by
    OpenSSL in 2016:
    
    	branches 2.5 and later:
    	commit 4962dd6083ae0fe722eb23a618ad39e47611429b
    	Author: Howard Guo <hguo@suse.com>
    	Date:   Thu Nov 10 15:39:03 2016 +0100
    
    	branch 2.4:
    	commit e3affc71e05b33bfac43833c7b95fd7b7c3188f8
    	Author: Howard Guo <hguo@suse.com>
    	Date:   Thu Nov 10 15:39:03 2016 +0100
    
    This means starting with OpenLDAP 2.4.45 we can drop the explicit CA
    configuration in ldap.conf.
    
    There are several use cases where an explicit IPA CA should be specified
    in the configuration. These mostly concern situations where a higher
    security level must be maintained. For these configurations an
    administrator would need to add an explicit CA configuration to
    ldap.conf if we wouldn't add it during the ipa-client-install setup.
    
    RN: FreeIPA client installer does not add explicit TLS CA configuration
    RN: to OpenLDAP's ldap.conf anymore. Since OpenLDAP 2.4.45, explicit CA
    RN: configuration is not required as OpenLDAP uses the default CA store
    RN: provided by OpenSSL and IPA CA is installed in the default store
    RN: by the installer already.
    
    Fixes: https://pagure.io/freeipa/issue/9258
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    
        
file modified
+1 -7
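
For administrators deciding whether a client still pins a CA after this change, the following added example (not code from FreeIPA or from this commit) parses ldap.conf text for the `TLS_CACERT` and `TLS_CACERTDIR` options and classifies the host against the 2.4.45 threshold named in the commit message. The function names, the sample files, the `/path/to/ipa-ca.crt` placeholder and the plain dotted version format are assumptions made for illustration.

```python
"""Audit ldap.conf text for explicit TLS CA settings (added example)."""

# ldap.conf(5) options that point OpenLDAP at a specific CA file or directory.
CA_OPTIONS = ("TLS_CACERT", "TLS_CACERTDIR")
# Version the commit message gives as the first that can rely on the default CA store.
DEFAULT_STORE_SINCE = (2, 4, 45)


def parse_version(text):
    """Turn a plain dotted version such as '2.4.45' into (2, 4, 45)."""
    return tuple(int(part) for part in text.strip().split("."))


def explicit_ca_options(conf_text):
    """Return {OPTION: value} for the CA options set in ldap.conf text.

    Blank lines and lines starting with '#' are skipped, option names are
    matched case-insensitively, and this example keeps the last value seen.
    """
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].upper()
        if name in CA_OPTIONS and len(parts) == 2:
            found[name] = parts[1].strip()
    return found


def audit(conf_text, openldap_version):
    """Classify a client as 'pinned', 'default-store' or 'needs-explicit-ca'."""
    if explicit_ca_options(conf_text):
        return "pinned"
    if parse_version(openldap_version) >= DEFAULT_STORE_SINCE:
        return "default-store"
    return "needs-explicit-ca"


# Constructed sample files; the CA path is a placeholder, not taken from the commit.
SAMPLE_PINNED = "# client config\nURI ldaps://ipa.example.test\ntls_cacert /path/to/ipa-ca.crt\n"
SAMPLE_DEFAULT = "URI ldaps://ipa.example.test\nBASE dc=example,dc=test\n#TLS_CACERT /path/to/ipa-ca.crt\n"

if __name__ == "__main__":
    for conf, ver in ((SAMPLE_PINNED, "2.4.44"), (SAMPLE_DEFAULT, "2.6.2")):
        print(ver, audit(conf, ver), explicit_ca_options(conf))
```

A host reported as `needs-explicit-ca` runs an OpenLDAP older than the threshold with no CA option set, which is the case where the explicit configuration described in the commit message still has to be added by hand.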