From 00abd47de4d3238295cbe5dc30210b913c0f07a1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 19 May 2011 22:30:53 -0400
Subject: Enable 389-ds SSL host checking by defauilt

Enforce that the remote hostname matches the remote SSL server certificate
when 389-ds operates as an SSL client.

Also add an update file to turn this off for existing installations.

This also changes the way the ldapupdater modlist is generated to be more
like the framework. Single-value attributes are done as replacements
and there is a list of force-replacement attributes.

ticket 1069
---
 ipaserver/install/dsinstance.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'ipaserver/install/dsinstance.py')

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 74243cfc1..229e14282 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -541,8 +541,7 @@ class DsInstance(service.Service):
 +tls_rsa_export1024_with_des_cbc_sha")]
         conn.modify_s("cn=encryption,cn=config", mod)
 
-        mod = [(ldap.MOD_ADD, "nsslapd-security", "on"),
-               (ldap.MOD_REPLACE, "nsslapd-ssl-check-hostname", "off")]
+        mod = [(ldap.MOD_ADD, "nsslapd-security", "on")]
         conn.modify_s("cn=config", mod)
 
         entry = ipaldap.Entry("cn=RSA,cn=encryption,cn=config")
-- 
cgit