authorRob Crittenden <rcritten@redhat.com>2011-05-19 22:30:53 -0400
committerRob Crittenden <rcritten@redhat.com>2011-05-20 10:08:11 -0400
commit00abd47de4d3238295cbe5dc30210b913c0f07a1 (patch)
treedb292a22ba7f791f2f28595cc00b800faff34731 /ipaserver/install/dsinstance.py
parent7a867102c5c01c8c3c76dbf0147647f2f2f648f6 (diff)
Enable 389-ds SSL host checking by defauilt
Enforce that the remote hostname matches the remote SSL server certificate when 389-ds operates as an SSL client. Also add an update file to turn this off for existing installations. This also changes the way the ldapupdater modlist is generated to be more like the framework. Single-value attributes are done as replacements and there is a list of force-replacement attributes. ticket 1069
Diffstat (limited to 'ipaserver/install/dsinstance.py')
-rw-r--r--ipaserver/install/dsinstance.py3
1 files changed, 1 insertions, 2 deletions
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 74243cfc1..229e14282 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -541,8 +541,7 @@ class DsInstance(service.Service):
+tls_rsa_export1024_with_des_cbc_sha")]
conn.modify_s("cn=encryption,cn=config", mod)
- mod = [(ldap.MOD_ADD, "nsslapd-security", "on"),
- (ldap.MOD_REPLACE, "nsslapd-ssl-check-hostname", "off")]
+ mod = [(ldap.MOD_ADD, "nsslapd-security", "on")]
conn.modify_s("cn=config", mod)
entry = ipaldap.Entry("cn=RSA,cn=encryption,cn=config")
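Review bot: The new `mod` list enables hostname verification only implicitly, by no longer writing `nsslapd-ssl-check-hostname`. The outcome therefore depends on the 389-ds default (documented as `on`) and on whatever value the instance's `cn=config` already holds. If this code runs only against freshly created instances, as it appears to, stating the intent would make the security property explicit and deterministic: `mod = [(ldap.MOD_ADD, "nsslapd-security", "on"), (ldap.MOD_REPLACE, "nsslapd-ssl-check-hostname", "on")]`. If relying on the default is deliberate, a comment above the line would stop a later edit from reintroducing the override, for example `# nsslapd-ssl-check-hostname is intentionally left at the 389-ds default (on); see ticket 1069`. The enclosing method starts and ends outside this hunk, so any later write to the same attribute is not visible here.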