Mailinglist Archive: opensuse-autoinstall (68 mails)
Re: [opensuse-autoinstall] ldap questions
- From: Darin Perusich <Darin.Perusich@xxxxxxxxxxxxxxxx>
- Date: Tue, 17 Mar 2009 16:02:35 -0400
- Message-id: <49C001DB.9000604@xxxxxxxxxxxxxxxx>
Henrik Schmidt wrote:
> Darin Perusich schrieb:
>>> Two questions:
>>> 1. Why is tls_checkpeer set to "no" or set at all? I want to have it
>>> either enabled or not set at all so that the configuration in
>>> /etc/openldap/ldap.conf is used as default.
>>
>> tls_checkpeer is set to 'no' because you haven't defined tls_cacertdir
>> or tls_cacertfile which are required for peer verification. This is
>> described in nss_ldap(5).
>
> Wrong. I just want to use the default which is explained in
> /etc/ldap.conf:
>
> # OpenLDAP SSL options
> # Require and verify server certificate (yes/no)
> # Default is to use libldap's default behavior, which can be configured in
> # /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
> # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
> #tls_checkpeer yes
>
> I just don't want to use 'no' and some script is forcing this upon me.
> No need for tls_cacertdir or other tls settings according to the text
> above.

When specifying either of these options, tls_checkpeer and TLS_REQCERT,
the expectation is that the CA certificate is available on the system to
verify the server certificate. Since this cannot be guaranteed, setting it
to 'no' is the safe bet. If you're not happy with this it's easy enough
to provide your own ldap.conf or script setting the preferred values for
your environment.

If you see the configuration section of nss_ldap(5) it explains that
while /etc/ldap.conf and /etc/openldap/ldap.conf share many of the same
options there is no guarantee they will match in the future. Not relying
on /etc/openldap/ldap.conf for nss_ldap functionality will ensure user
provisioning if and when things change in the future.

>>> 2. Is "objectClass" in pam_filter objectClass=posixAccount spelled
>>> correctly? I think it should be spelled objectclass with a small c.
>>
>> Case doesn't matter for these identifiers but it's common practice when
>> an identifier is a concatenation of multiple words to use upper case for
>> the first letter of the successive words. It lends to the readability but
>> that is it.
>
> objectclass is used multiple times in ldap.conf like
> #pam_filter objectclass=aixAccount, there is just a single case with
> upper C and I asked myself why. Looked like some anomaly.
--
Darin Perusich
Unix Systems Administrator
Cognigen Corporation
395 Youngs Rd.
Williamsville, NY 14221
Phone: 716-633-3463
Email: darinper@xxxxxxxxxxxxxxxx
--
To unsubscribe, e-mail: opensuse-autoinstall+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-autoinstall+help@xxxxxxxxxxxx
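The precedence argued over in this thread (nss_ldap's tls_checkpeer in /etc/ldap.conf, falling back to libldap's TLS_REQCERT in /etc/openldap/ldap.conf) is easy to get wrong when a provisioning script writes one file and an admin edits the other. The following audit script is an added example, not code from the thread, from nss_ldap or from AutoYaST; the file contents, CA path and host names are constructed, and the fallback default of "demand" for TLS_REQCERT is assumed from the OpenLDAP 2.1+ behaviour the quoted comment describes.

```python
# Added example (not code from the list thread or from nss_ldap): audit the
# effective TLS peer-verification posture that the thread describes.
# Precedence assumed here: tls_checkpeer in /etc/ldap.conf wins; if it is
# unset, libldap's TLS_REQCERT from /etc/openldap/ldap.conf applies, and
# its default on OpenLDAP 2.1+ is "demand" (verify). All configs are constructed.

def parse_conf(text):
    """Parse 'key value' lines; blanks and '#' comments are skipped, keys are
    case-insensitive (nss_ldap's tls_checkpeer vs libldap's TLS_REQCERT)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def peer_verified(nss, libldap):
    """Return (verified?, deciding setting) for the server certificate check."""
    checkpeer = nss.get("tls_checkpeer")
    if checkpeer is not None:
        # nss_ldap documents yes/no; demand/hard are accepted as synonyms here.
        return checkpeer.lower() in ("yes", "demand", "hard"), "tls_checkpeer"
    reqcert = libldap.get("tls_reqcert", "demand").lower()  # libldap default
    return reqcert in ("demand", "hard"), "TLS_REQCERT"


def audit(nss_text, libldap_text):
    """List the findings a reviewer would raise for the two files together."""
    nss, lib = parse_conf(nss_text), parse_conf(libldap_text)
    verified, source = peer_verified(nss, lib)
    findings = []
    if not verified:
        findings.append(f"{source}: server certificate not verified; "
                        "an impersonated LDAP server would go undetected")
    has_ca = any(k in nss for k in ("tls_cacertfile", "tls_cacertdir")) \
        or any(k in lib for k in ("tls_cacert", "tls_cacertdir"))
    if verified and not has_ca:
        findings.append("peer verification on but no CA configured "
                        "(tls_cacertfile/tls_cacertdir or TLS_CACERT); binds fail")
    return findings


# Constructed samples: an AutoYaST-style generated file and a hardened one.
GENERATED = "base dc=example,dc=com\nhost ldap.example.com\nssl start_tls\ntls_checkpeer no\n"
HARDENED = GENERATED.replace("tls_checkpeer no",
                             "tls_checkpeer yes\ntls_cacertfile /etc/ssl/certs/ca.pem")

if __name__ == "__main__":
    for name, conf in (("generated", GENERATED), ("hardened", HARDENED)):
        print(name, audit(conf, "") or ["ok"])
```

Running it against a real host means reading /etc/ldap.conf and /etc/openldap/ldap.conf into the two arguments; the second finding is exactly the failure mode Darin's reply warns about when tls_checkpeer is forced to yes without a CA on the box.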