#9258 Do not add TLS CA configuration to ldap.conf anymore
Closed: fixed 2 years ago by frenaud. Opened 2 years ago by abbra.

OpenLDAP made it explicit to use default CA store as provided by OpenSSL in 2016:

branches 2.5 and later:
commit 4962dd6083ae0fe722eb23a618ad39e47611429b
Author: Howard Guo <hguo@suse.com>
Date:   Thu Nov 10 15:39:03 2016 +0100

branch 2.4:
commit e3affc71e05b33bfac43833c7b95fd7b7c3188f8
Author: Howard Guo <hguo@suse.com>
Date:   Thu Nov 10 15:39:03 2016 +0100

This means that starting with OpenLDAP 2.4.45 we can drop the explicit CA configuration in ldap.conf.

There are several use cases where an explicit IPA CA should be specified in the configuration. These mostly concern situations where a higher security level must be maintained. For these configurations an administrator would need to add an explicit CA configuration to ldap.conf if we don't add it during the ipa-client-install setup. This is worth a release note.


Metadata Update from @abbra:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6496
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2094673

2 years ago
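For administrators who want the explicit pinning that ipa-client-install no longer writes, here is an added example of the two resulting ldap.conf states; it is not taken from the ticket or from FreeIPA's code, and the path /etc/ipa/ca.crt for the IPA CA certificate is an assumption, not something stated on this page:

```conf
# /etc/openldap/ldap.conf (example only, not written by ipa-client-install)

# State after this change: no TLS_CACERT / TLS_CACERTDIR lines.
# OpenLDAP >= 2.4.45 then trusts whatever the OpenSSL default
# store trusts, i.e. the IPA CA plus every other system CA.
URI ldaps://ipa.example.test
BASE dc=example,dc=test

# Optional hardening an administrator adds by hand when only the
# IPA CA may issue the server certificate. TLS_CACERT replaces the
# default store for this client, and TLS_REQCERT demand makes a
# missing or unverifiable server certificate a hard failure.
TLS_CACERT /etc/ipa/ca.crt   # assumed location of the IPA CA cert
TLS_REQCERT demand
```

The same pinning can be applied per invocation instead of globally by exporting LDAPTLS_CACERT and LDAPTLS_REQCERT in the environment of the ldap client tools, which is convenient for checking that the pinned configuration still connects before committing it to ldap.conf.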

master:

  • 22022ae ipaclient: do not set TLS CA options in ldap.conf anymore

ipa-4-10:

  • 93b0e6a ipaclient: do not set TLS CA options in ldap.conf anymore

ipa-4-9:

  • d9a56b5 ipaclient: do not set TLS CA options in ldap.conf anymore

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago
