summaryrefslogtreecommitdiffstats
path: root/install/updates
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2011-05-19 22:30:53 -0400
committerRob Crittenden <rcritten@redhat.com>2011-05-20 10:08:11 -0400
commit00abd47de4d3238295cbe5dc30210b913c0f07a1 (patch)
treedb292a22ba7f791f2f28595cc00b800faff34731 /install/updates
parent7a867102c5c01c8c3c76dbf0147647f2f2f648f6 (diff)
downloadfreeipa-00abd47de4d3238295cbe5dc30210b913c0f07a1.zip
freeipa-00abd47de4d3238295cbe5dc30210b913c0f07a1.tar.gz
freeipa-00abd47de4d3238295cbe5dc30210b913c0f07a1.tar.xz
Enable 389-ds SSL host checking by defauilt
Enforce that the remote hostname matches the remote SSL server certificate when 389-ds operates as an SSL client. Also add an update file to turn this off for existing installations. This also changes the way the ldapupdater modlist is generated to be more like the framework. Single-value attributes are done as replacements and there is a list of force-replacement attributes. ticket 1069
Diffstat (limited to 'install/updates')
-rw-r--r--install/updates/10-config.update5
-rw-r--r--install/updates/Makefile.am1
2 files changed, 6 insertions, 0 deletions
diff --git a/install/updates/10-config.update b/install/updates/10-config.update
new file mode 100644
index 0000000..ed70339
--- /dev/null
+++ b/install/updates/10-config.update
@@ -0,0 +1,5 @@
+# Enforce matching SSL certificate host names when 389-ds acts as an SSL
+# client. A restart is necessary for this to take effect, we do one when
+# upgrading.
+dn: cn=config
+only:nsslapd-ssl-check-hostname: on
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 5765bf1..c9d1584 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -5,6 +5,7 @@ app_DATA = \
10-60basev2.update \
10-RFC2307bis.update \
10-RFC4876.update \
+ 10-config.update \
20-aci.update \
20-dna.update \
20-indices.update \