Henrik Schmidt wrote:
Darin Perusich wrote:
Two questions:
1. Why is tls_checkpeer set to "no" or set at all? I want to have it either enabled or not set at all so that the configuration in /etc/openldap/ldap.conf is used as default.
tls_checkpeer is set to 'no' because you haven't defined tls_cacertdir or tls_cacertfile which are required for peer verification. This is described in nss_ldap(5).
Wrong. I just want to use the default which is explained in /etc/ldap.conf:
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes
I just don't want to use 'no' and some script is forcing this upon me. No need for tls_cacertdir or other tls settings according to the text above.
When specifying either of these options, tls_checkpeer and TLS_REQCERT, the expectation is that the CA certificate is available on the system to verify the server certificate. Since this cannot be guaranteed, setting it to 'no' is the safe bet. If you're not happy with this it's easy enough to provide your own ldap.conf or script setting the preferred values for your environment. If you see the configuration section of nss_ldap(5) it explains that while /etc/ldap.conf and /etc/openldap/ldap.conf share many of the same options there is no guarantee they will match in the future. Not relying on /etc/openldap/ldap.conf for nss_ldap functionality will ensure user provisioning if and when things change in the future.
2. Is "objectClass" in pam_filter objectClass=posixAccount spelled correctly? I think it should be spelled objectclass with a small c.
Case doesn't matter for these identifiers, but it's common practice when an identifier is a concatenation of multiple words to use upper case for the first letter of the successive words. It lends to the readability, but that is it.
objectclass is used multiple times in ldap.conf like #pam_filter objectclass=aixAccount; there is just a single case with upper C and I asked myself why. Looked like some anomaly.
--
Darin Perusich
Unix Systems Administrator
Cognigen Corporation
395 Youngs Rd.
Williamsville, NY 14221
Phone: 716-633-3463
Email: darinper@cognigencorp.com
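The disagreement above is about three states of the nss_ldap TLS settings: tls_checkpeer explicitly "no" (the server certificate is never verified), "yes" without any CA material (verification is attempted but cannot succeed), and unset (libldap's TLS_REQCERT default from /etc/openldap/ldap.conf applies). The following audit script is an added example, not part of the thread and not a tool shipped with nss_ldap or openSUSE; it assumes only the keyword names documented in nss_ldap(5) (tls_checkpeer, tls_cacertfile, tls_cacertdir), and the sample config files, hostnames and CA path it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an nss_ldap-style /etc/ldap.conf for TLS peer verification.
# Keywords follow nss_ldap(5); sample files and paths below are constructed.

# Print the effective value of a keyword: comment lines are ignored,
# matching is case-insensitive, and the last occurrence wins.
ldap_conf_get() {
    # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { val = $2 }
        END { print val }
    ' "$1"
}

# Exit status encodes the verification state of the file:
#   0  tls_checkpeer yes and a CA file/dir is configured (certificate is verified)
#   1  tls_checkpeer no (server certificate is never verified)
#   2  tls_checkpeer yes but no tls_cacertfile/tls_cacertdir (binds will fail)
#   3  tls_checkpeer unset (libldap's TLS_REQCERT default applies; not inspected here)
ldap_tls_audit() {
    f="$1"
    checkpeer=$(ldap_conf_get "$f" tls_checkpeer | tr '[:upper:]' '[:lower:]')
    cafile=$(ldap_conf_get "$f" tls_cacertfile)
    cadir=$(ldap_conf_get "$f" tls_cacertdir)
    case "$checkpeer" in
        no)
            echo "$f: tls_checkpeer no -> server certificate is NOT verified"
            return 1 ;;
        yes)
            if [ -n "$cafile" ] || [ -n "$cadir" ]; then
                echo "$f: peer verification on, CA material: ${cafile:-$cadir}"
                return 0
            fi
            echo "$f: tls_checkpeer yes but no tls_cacertfile/tls_cacertdir configured"
            return 2 ;;
        "")
            echo "$f: tls_checkpeer unset -> libldap default (TLS_REQCERT) applies"
            return 3 ;;
        *)
            echo "$f: unrecognised tls_checkpeer value '$checkpeer'"
            return 2 ;;
    esac
}

# Constructed sample configs: a common preamble plus the TLS lines read from stdin.
mkconf() {
    { printf 'uri ldaps://ldap.example.com\nbase dc=example,dc=com\nssl on\n'; cat; } > "$1"
}
TMPD=$(mktemp -d)
WEAK_CONF="$TMPD/ldap.conf.weak"    # what the generated config in the thread does
GOOD_CONF="$TMPD/ldap.conf.good"    # verification on, CA bundle named (hypothetical path)
BARE_CONF="$TMPD/ldap.conf.bare"    # verification on, but no CA material
UNSET_CONF="$TMPD/ldap.conf.unset"  # the default Henrik asks for

mkconf "$WEAK_CONF" <<'EOF'
tls_checkpeer no
EOF
mkconf "$GOOD_CONF" <<'EOF'
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem
EOF
mkconf "$BARE_CONF" <<'EOF'
tls_checkpeer yes
EOF
mkconf "$UNSET_CONF" <<'EOF'
#tls_checkpeer yes
EOF

for c in "$WEAK_CONF" "$GOOD_CONF" "$BARE_CONF" "$UNSET_CONF"; do
    ldap_tls_audit "$c" || echo "  (exit status $?)"
done
```

Run it against a real /etc/ldap.conf by calling ldap_tls_audit with that path; exit status 3 is the case to follow up on, because the actual behaviour then depends on TLS_REQCERT in /etc/openldap/ldap.conf rather than on the file being audited.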