If we store a copy of the IPA CA certificate in LDAP then we provide an authenticated path to retrieve the CA. The user can retrieve it using GSSAPI and therefore know that they are getting the right CA.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=842873
Changing 3.2 priority
Since 18eea90 & a40285c, the CA cert is in cn=CACert,cn=ipa,cn=etc,$SUFFIX.
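The retrieval this ticket describes, as an added example that is not part of the original thread or of FreeIPA's code: bind with GSSAPI, read the entry at the DN above, and convert the result to PEM. It assumes OpenLDAP's `ldapsearch`, a valid Kerberos ticket, and that the certificate is held in the `cACertificate;binary` attribute; the function names and the sample reply are hypothetical.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Assumptions: OpenLDAP ldapsearch, a valid
# Kerberos ticket (kinit), and the cert stored in cACertificate;binary.

# Convert ldapsearch LDIF on stdin to a PEM certificate on stdout.
# Emits the first certificate value; exits non-zero when none is present.
ldif_cert_to_pem() {
    awk '
        /^ / { if (n) line[n] = line[n] substr($0, 2); next }  # unfold continuation
        { line[++n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                if (tolower(line[i]) ~ /^cacertificate;binary:: /) {
                    b64 = line[i]; sub(/^[^:]*:: */, "", b64)
                    print "-----BEGIN CERTIFICATE-----"
                    while (length(b64) > 64) {      # PEM wraps at 64 columns
                        print substr(b64, 1, 64); b64 = substr(b64, 65)
                    }
                    if (length(b64)) print b64
                    print "-----END CERTIFICATE-----"
                    exit 0
                }
            }
            exit 1
        }'
}

# Fetch the CA over a GSSAPI-authenticated bind. $1 = server, $2 = suffix.
# minssf=1 requires at least an integrity-protecting SASL layer, so the
# reply cannot be altered in transit after the bind.
fetch_ipa_ca() {
    ldapsearch -LLL -Q -Y GSSAPI -O minssf=1 -H "ldap://$1" \
        -b "cn=CACert,cn=ipa,cn=etc,$2" -s base \
        '(objectClass=*)' 'cACertificate;binary' | ldif_cert_to_pem
}

# Constructed sample reply (placeholder base64, not a real certificate).
sample_ldif() {
    printf '%s\n' 'dn: cn=CACert,cn=ipa,cn=etc,dc=example,dc=test' \
        'cACertificate;binary:: QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB' \
        ' QkJCQkJCQkJCQkJCQkJCQkJCQkJC' ''
}
```

`fetch_ipa_ca` needs a reachable server and a ticket; `sample_ldif | ldif_cert_to_pem` exercises the conversion offline.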
Do we need to do anything else here? Docs?
It might be nice to have a reference in the documentation to where we store the LDAP cert but I think that would be a separate ticket or BZ targeted towards docs.
I think this can be closed.
This was fixed as a part of a CVE.
Metadata Update from @rcritten: - Issue assigned to someone - Issue set to the milestone: FreeIPA 3.2.x - 2013/06 (bug fixing)