[rhos-list] Keystone + LDAP + TLS

Adam Young ayoung at redhat.com
Wed Aug 22 15:10:33 UTC 2012


On 08/21/2012 10:13 PM, Jonathan Mills wrote:
> So, you need some way to specify the certificate.  In nss_ldap syntax, this is one of:
>
> tls_cacertfile /etc/ssl/ca.cert
> tls_cacertdir /etc/openldap/cacerts
>
> Additionally, you need a directive to state whether you intend to use SSL or START_TLS.  Having an 'ldaps' URI is not enough, because that wouldn't leave you with a way to specify that you wish to connect to unencrypted port 389 and issue a START_TLS command.  nss_ldap does one of:
>
> ssl on
> ssl start_tls
>
> You need a way to specify whether the cert is required and should be validated:
>
> tls_reqcert never | demand | allow
>
>
> Have a look at the TLS functions of python-ldap:
>
> http://www.python-ldap.org/doc/html/ldap.html#tls-options
I've used your text for the bug report.  Please add any additional 
information here:

https://bugs.launchpad.net/keystone/+bug/1040115
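Added example for this thread (not Keystone's or python-ldap's own code, and not from either message): it reads the nss_ldap directives described above, checks that the combination is coherent (an ldaps:// URI for `ssl on`, a plain ldap:// URI for `ssl start_tls`, a CA file or directory when `tls_reqcert demand`, and no connection at all with `tls_reqcert never`), and applies the result through the python-ldap TLS options linked above. The `uri` directive and the sample ldap.conf text are assumptions of this example.

```python
# nss_ldap tls_reqcert values -> names of python-ldap's constants
REQCERT = {"never": "OPT_X_TLS_NEVER", "allow": "OPT_X_TLS_ALLOW",
           "demand": "OPT_X_TLS_DEMAND"}
SAMPLE = ("uri ldap://ldap.example.com\nssl start_tls\n"          # constructed
          "tls_cacertfile /etc/ssl/ca.cert\ntls_reqcert demand\n")  # sample input

def parse_nss_ldap(text):
    """Collect the TLS-relevant nss_ldap directives (uri, ssl, tls_*)."""
    cfg = {"uri": "", "ssl": "off", "tls_cacertfile": None,
           "tls_cacertdir": None, "tls_reqcert": "demand"}  # OpenLDAP default
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in cfg:
            cfg[parts[0]] = parts[1].strip()
    return cfg

def check(cfg):
    """List the problems in cfg; an empty list means it is coherent."""
    uri, ssl, req, problems = cfg["uri"], cfg["ssl"], cfg["tls_reqcert"], []
    if ssl not in ("on", "start_tls", "off"):
        problems.append("ssl must be on, start_tls or off")
    if req not in REQCERT:
        problems.append("tls_reqcert must be never, allow or demand")
    if ssl == "on" and not uri.startswith("ldaps://"):
        problems.append("ssl on needs an ldaps:// URI")
    if ssl == "start_tls" and not uri.startswith("ldap://"):
        problems.append("ssl start_tls needs a plain ldap:// URI (port 389)")
    if ssl != "off" and req == "demand" and not (
            cfg["tls_cacertfile"] or cfg["tls_cacertdir"]):
        problems.append("tls_reqcert demand needs tls_cacertfile or tls_cacertdir")
    if ssl != "off" and req == "never":
        problems.append("tls_reqcert never skips server certificate validation")
    return problems

def connect(cfg):
    """Open the connection cfg describes (python-ldap imported lazily).
    Global TLS options are set before initialize() creates the handle."""
    import ldap
    if check(cfg):
        raise ValueError("; ".join(check(cfg)))
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,
                    getattr(ldap, REQCERT[cfg["tls_reqcert"]]))
    if cfg["tls_cacertfile"]:
        ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cfg["tls_cacertfile"])
    if cfg["tls_cacertdir"]:
        ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, cfg["tls_cacertdir"])
    conn = ldap.initialize(cfg["uri"])
    if cfg["ssl"] == "start_tls":
        conn.start_tls_s()  # upgrade the port-389 session before binding
    return conn
```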