[Freeipa-devel] ipa-client-install and TLS

Simo Sorce ssorce at redhat.com
Thu May 1 14:11:11 UTC 2008


On Thu, 2008-05-01 at 18:18 +0430, W. Michael Petullo wrote:
> I just upgraded to FreeIPA 1.0. Last time I configured my test client
> by hand, but this time I used ipa-client-install. I found that
> ipa-client-install did not configure nss_ldap to use TLS in
> /etc/ldap.conf*
> 
> It wrote this:
> 
> uri ldap://ipa.example.com
> 
> where I would expect this:
> 
> uri ldaps://ipa.example.com:636
> 
> Is there a reason ipa-client-install does not configure nss_ldap to use
> TLS by default?

Performance.
The data is all available anonymously anyway, and adding SSL on top is
not a big advantage at this point.
Of course admins can choose to activate SSL by changing the above line.

This will change in v2, where we will do much more aggressive caching
and will use GSSAPI (and per-machine credentials) by default to secure
the connection.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
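
[Added example, not part of the original message or of FreeIPA's code.] A small check for the two `uri` forms discussed in this thread: it reads nss_ldap-style `/etc/ldap.conf` text and reports cleartext LDAP URIs and, where TLS is enabled, missing certificate-verification settings. The sample configs and CA path are constructed, the function names are hypothetical, and `ldap://` is assumed to be cleartext unless `ssl start_tls` is set.

```python
# Added example: audit nss_ldap-style /etc/ldap.conf text for transport security.
# Both sample configs are constructed; the CA path is a placeholder.
PLAINTEXT_CONF = """\
base dc=example,dc=com
uri ldap://ipa.example.com
"""
LDAPS_CONF = """\
base dc=example,dc=com
uri ldaps://ipa.example.com:636
tls_checkpeer yes
tls_cacertfile /path/to/ca.crt
"""


def parse_conf(text):
    """Return {keyword: [values]}; keywords lowercased, comments and blanks skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), []).append(value)
    return opts


def last(opts, key, default=""):
    """Last value given for a keyword (assumption: later lines override earlier ones)."""
    return opts[key][-1].lower() if key in opts else default


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    opts = parse_conf(text)
    uris = [u for value in opts.get("uri", []) for u in value.split()]
    starttls = last(opts, "ssl") == "start_tls"
    findings = []
    # Assumption: ldap:// is cleartext unless 'ssl start_tls' upgrades it.
    for u in uris:
        if u.lower().startswith("ldap://") and not starttls:
            findings.append("cleartext: " + u)
    if starttls or any(u.lower().startswith("ldaps://") for u in uris):
        # Encryption without peer verification does not authenticate the server.
        if last(opts, "tls_checkpeer") != "yes":
            findings.append("tls_checkpeer not explicitly 'yes'")
        if "tls_cacertfile" not in opts and "tls_cacertdir" not in opts:
            findings.append("no tls_cacertfile or tls_cacertdir")
    return findings
```
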



