author | Rob Crittenden <rcritten@redhat.com> | 2011-05-19 22:30:53 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-05-20 10:08:11 -0400 |
commit | 00abd47de4d3238295cbe5dc30210b913c0f07a1 (patch) | |
tree | db292a22ba7f791f2f28595cc00b800faff34731 /install | |
parent | 7a867102c5c01c8c3c76dbf0147647f2f2f648f6 (diff) | |
download | freeipa-00abd47de4d3238295cbe5dc30210b913c0f07a1.tar.gz freeipa-00abd47de4d3238295cbe5dc30210b913c0f07a1.tar.xz freeipa-00abd47de4d3238295cbe5dc30210b913c0f07a1.zip |
Enable 389-ds SSL host checking by default
Enforce that the remote hostname matches the remote SSL server certificate
when 389-ds operates as an SSL client.
Also add an update file to turn this off for existing installations.
This also changes the way the ldapupdater modlist is generated to be more
like the framework. Single-value attributes are done as replacements
and there is a list of force-replacement attributes.
ticket 1069
Diffstat (limited to 'install')
-rw-r--r-- | install/updates/10-config.update | 5 | ||||
-rw-r--r-- | install/updates/Makefile.am | 1 |
2 files changed, 6 insertions, 0 deletions
diff --git a/install/updates/10-config.update b/install/updates/10-config.update new file mode 100644 index 000000000..ed7033950 --- /dev/null +++ b/install/updates/10-config.update @@ -0,0 +1,5 @@ +# Enforce matching SSL certificate host names when 389-ds acts as an SSL +# client. A restart is necessary for this to take effect, we do one when +# upgrading. +dn: cn=config +only:nsslapd-ssl-check-hostname: on diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 5765bf17d..c9d1584b8 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -5,6 +5,7 @@ app_DATA = \ 10-60basev2.update \ 10-RFC2307bis.update \ 10-RFC4876.update \ + 10-config.update \ 20-aci.update \ 20-dna.update \ 20-indices.update \ |
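Review bot: In install/updates/10-config.update, the directive `only:nsslapd-ssl-check-hostname: on` turns hostname checking on, while the commit message says the update file is added "to turn this off for existing installations"; the two should be reconciled so the upgrade behaviour is unambiguous. If `on` is the intended value for upgrades, the file's comment should also say that, after the upgrade restart, outbound SSL connections to peers whose certificate does not match the hostname will be refused, so administrators know to check peer certificates before upgrading. The Makefile.am hunk adds the file to app_DATA in sorted position and needs no change.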