Change ldap_id_use_start_tls default to True #6963
Conversation
|
Hi, I wonder if we can call the new option value bye, |
Yes no problem, I will change it. |
justin-stephenson
force-pushed
the
start_tls_try_default_master
branch
from
446c142 to
e2bb694
Compare
justin-stephenson
changed the title
justin-stephenson
force-pushed
the
start_tls_try_default_master
branch
7 times, most recently
from
f530139 to
8c41682
Compare
|
associated PR for sssd-2-9 branch to change default to "allow" is here #6968 |
|
Please add 'resolves #6681' |
justin-stephenson
force-pushed
the
start_tls_try_default_master
branch
from
8c41682 to
af083b2
Compare
Done. |
justin-stephenson
force-pushed
the
start_tls_try_default_master
branch
from
af083b2 to
e80ca15
Compare
|
Hi, wouldn't it be easier to add a fourth patch to switch from bye, |
|
Both PRs lacks RNs in commit messages ( For this reason / once added,
-- I don't think this is a good idea as we will have to conflicting (and thus confusing) RNs from And also PRs need a rebase. |
src/tests/intg/test_infopipe.py
Outdated
| @@ -213,6 +213,7 @@ def format_basic_conf(ldap_conn, schema, config): | |||
| ldap_search_base = {ldap_conn.ds_inst.base_dn} | |||
| ldap_user_extra_attrs = extraName:uid | |||
| ldap_user_certificate = userCert | |||
| ldap_id_use_start_tls = allow | |||
There was a problem hiding this comment.
Why is this needed?
LDAP server used in tests doesn't support TLS?
|
Do we need 'allow' variant in 2.10+ at all? Wouldn't it be sufficient for 2.10+ to merely change default to 'true' and to be done with it? I mean, 'allow' only has meaning as a default value. There is no reason anyone would like to configure it explicitly (like, "I don't know if my server supprts TLS so let's try"?). Having 'allow' variant with default set to 'true' doesn't make sense, imo. Of course, it's a bit weird that 2.9.3 will introduce a new variant that will disappear in 2.10+. But it could be explained in RNs that this is a transitional option only to avoid breaking existing setups and it will disappear soon. |
Hi, then we should make sure that bye, |
Makes sense.
Another thing to consider: what is the plan for C9S/RHEL9? |
Imo, it doesn't justify a Change process, RNs would be enough. Moreover, F40 should (hopefully) get sssd-2.10 |
Downstream patch enabling 'allow' is the only viable option if we want to change the default from 'false' in RHEL9 however, yes? It seems too disruptive to switch from 'false' to 'true' within a major release. Otherwise we leave it as 'false' and only makes these changes to improve security for RHEL10+. I don't have a strong opinion either way i'll implement it whichever way we all decide. |
All communication, including the identity provided must be encrypted to prevent attacks. Resolves: SSSD#6681
justin-stephenson
force-pushed
the
start_tls_try_default_master
branch
from
e80ca15 to
adda7b7
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
justin-stephenson
changed the title
|
|
:relnote: Default `ldap_id_use_start_tls` value changed from `false` to `true` for improved security. Resolves: SSSD#6681
justin-stephenson
force-pushed
the
start_tls_try_default_master
branch
from
adda7b7 to
cb39201
Compare
No description provided.