#3447 [RFE] Please consider enabling TLS_CACERTDIR after ipa-client-install
Opened 11 years ago by amessina. Modified 7 years ago

After installing an IPA client, the /etc/openldap/ldap.conf file looks something like:

#File modified by ipa-client-install

URI ldaps://ipa.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/ipa/ca.crt

Unfortunately, this alters the default use of command line ldapsearch and other tools in terms of accessing other non-IPA ldap servers with TLS. In my own environment, what I've been doing for every client is adding

TLS_CACERTDIR /etc/mss/certs

with /etc/pki/tls/certs/ca-bundle.crt linked into that directory, then using /usr/sbin/cacertdir_rehash from authconfig to hash the directory.

This seems to work well.

What I'm wondering is whether it would be possible for ipa-client-install to do this by default.

Thanks for the consideration.
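
The following is an added example, not part of the ticket and not FreeIPA's own code: a small Python helper that parses the ldap.conf left behind by ipa-client-install, shows which trust anchors libldap will consult, applies the TLS_CACERTDIR change the ticket proposes in an idempotent way, and checks that the directory has actually been rehashed into the OpenSSL `<subject-hash>.N` naming that cacertdir_rehash (or c_rehash) produces; without those hashed names a TLS_CACERTDIR contributes no trust anchors at all. The sample ldap.conf and the /etc/mss/certs path come from the ticket; `set_cacertdir`, `update_ldap_conf`, `rehashed_entries`, `write_demo_conf` and `make_demo_dir` are hypothetical names, and the hash value used in the demo directory is constructed rather than a real subject hash. The statement that both TLS_CACERT and TLS_CACERTDIR are honoured when both are set assumes OpenLDAP built against OpenSSL.

```python
"""Hypothetical helper (added example, not FreeIPA code): inspect and adjust the
OpenLDAP ldap.conf that ipa-client-install leaves behind so that TLS_CACERTDIR
also points at a hashed directory of additional CA certificates."""
import os
import re
import tempfile
from pathlib import Path

# Constructed sample: the client-side ldap.conf quoted in the ticket.
IPA_LDAP_CONF = """#File modified by ipa-client-install

URI ldaps://ipa.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/ipa/ca.crt
"""

# OpenSSL-style hashed names that c_rehash / cacertdir_rehash create:
# 8 hex digits, a dot, and a collision counter (e.g. 5ed36f99.0).
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def parse_ldap_conf(text):
    """Map each keyword (upper-cased; libldap matches keywords case-insensitively)
    to the value on its last occurrence. '#' comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    return settings


def trust_anchors(settings):
    """List where libldap (OpenSSL backend, assumed) looks for CA certificates:
    TLS_CACERT is a single PEM file, TLS_CACERTDIR a hashed directory. Both are
    used when both are set, so adding the directory keeps the IPA CA trusted."""
    anchors = []
    if "TLS_CACERT" in settings:
        anchors.append(("file", settings["TLS_CACERT"]))
    if "TLS_CACERTDIR" in settings:
        anchors.append(("dir", settings["TLS_CACERTDIR"]))
    return anchors


def set_cacertdir(text, cacertdir):
    """Return ldap.conf text with exactly one TLS_CACERTDIR line set to cacertdir.
    Existing TLS_CACERTDIR lines are replaced; everything else, including the
    ipa-client-install header comment, is preserved. Idempotent, so it is safe
    to run on every client right after ipa-client-install."""
    directive = re.compile(r"^\s*TLS_CACERTDIR(\s|$)", re.IGNORECASE)
    kept = [ln for ln in text.splitlines() if not directive.match(ln)]
    kept.append(f"TLS_CACERTDIR {cacertdir}")
    return "\n".join(kept) + "\n"


def update_ldap_conf(path, cacertdir):
    """Rewrite the file at path in place and return the parsed result."""
    p = Path(path)
    p.write_text(set_cacertdir(p.read_text(), cacertdir))
    return parse_ldap_conf(p.read_text())


def rehashed_entries(cacertdir):
    """Names in cacertdir that OpenSSL will actually consult. A directory holding
    only ca-bundle.crt and no hashed links yields [] and therefore trusts nothing,
    which is why the ticket runs cacertdir_rehash after linking the bundle in."""
    return sorted(n for n in os.listdir(cacertdir) if HASHED_NAME.match(n))


def write_demo_conf():
    """Write the constructed sample ldap.conf to a temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="ldap-", suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(IPA_LDAP_CONF)
    return path


def make_demo_dir():
    """Build a throwaway directory mimicking the ticket's layout: the bundle plus
    one hashed symlink to it. The hash 'a1b2c3d4' is constructed, not real."""
    d = tempfile.mkdtemp(prefix="cacerts-")
    Path(d, "ca-bundle.crt").write_text("# placeholder for the linked CA bundle\n")
    os.symlink("ca-bundle.crt", os.path.join(d, "a1b2c3d4.0"))
    return d


if __name__ == "__main__":
    before = parse_ldap_conf(IPA_LDAP_CONF)
    print("trust before:", trust_anchors(before))
    after = parse_ldap_conf(set_cacertdir(IPA_LDAP_CONF, "/etc/mss/certs"))
    print("trust after: ", trust_anchors(after))
    print("hashed entries in demo dir:", rehashed_entries(make_demo_dir()))
```

Run it as a script to see the before/after trust anchors; on a real client, `update_ldap_conf("/etc/openldap/ldap.conf", "/etc/mss/certs")` followed by `rehashed_entries("/etc/mss/certs")` is the check that the directory was hashed after linking the bundle, since an empty result means ldapsearch will still fail verification against non-IPA servers.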


Metadata Update from @amessina (7 years ago):
- Issue assigned to someone
- Issue set to the milestone: Future Releases
