After executing the commands produced by `ipa-advise config-redhat-nss-ldap`, the following lines are present in /etc/ldap.conf:

```
uri ldap://vm-058-103.abc.idm.lab.eng.brq.redhat.com
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
```
This is way too insecure, because BIND requests are sending passwords in plaintext!
`ssl start_tls` works even with nss_ldap-253-52.el5_11.2 on the latest RHEL 5.
Apparently the `authconfig` call is missing the `--enableldaptls` parameter.
This might be the case for other ipa-advise modules too; we should review them.
It seems that the same problem is in the `config-redhat-nss-ldapd` config advisor.
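As an added example (not from this ticket and not ipa-advise output), here is a POSIX shell check that audits an nss_ldap-style ldap.conf for the problem reported above. It flags a configuration whose BIND would travel over plaintext ldap:// (no `ssl start_tls` and no ldaps:// URI), and it also flags STARTTLS without a `tls_cacertdir`/`tls_cacertfile` directive, because without a CA the client cannot verify the server it is sending the password to. The sample configurations are constructed from the directives quoted in the ticket; the hostname ldap.example.com and the authconfig invocation in the comment are assumptions about the corrected setup, not the advisor's actual output.

```shell
#!/bin/sh
# Added example: audit an nss_ldap /etc/ldap.conf for plaintext binds.
# Not part of FreeIPA or ipa-advise.

# check_ldap_conf_text CONFIG_TEXT
#   returns 0  encrypted transport and a CA directive are configured
#   returns 1  BIND would go over plaintext (ssl no/off with ldap:// URI)
#   returns 2  encrypted transport but no tls_cacertdir/tls_cacertfile
check_ldap_conf_text() {
    conf="$1"
    # last "ssl" directive wins, like the client's own parser
    ssl=$(printf '%s\n' "$conf" \
        | sed -n 's/^[[:space:]]*ssl[[:space:]]\{1,\}\([^[:space:]]*\).*$/\1/p' \
        | tail -n 1)
    uri=$(printf '%s\n' "$conf" \
        | sed -n 's/^[[:space:]]*uri[[:space:]]\{1,\}\([^[:space:]]*\).*$/\1/p' \
        | tail -n 1)

    encrypted=0
    case "$ssl" in
        start_tls) encrypted=1 ;;
        *) case "$uri" in ldaps://*) encrypted=1 ;; esac ;;
    esac
    [ "$encrypted" -eq 1 ] || return 1

    # STARTTLS without a trust anchor still lets a MITM collect the password
    printf '%s\n' "$conf" \
        | grep -Eq '^[[:space:]]*tls_cacert(dir|file)[[:space:]]' || return 2
    return 0
}

# Constructed sample: the directives from the ticket, placeholder hostname.
weak_conf() {
    printf 'uri ldap://ldap.example.com\nssl no\n'
    printf 'tls_cacertdir /etc/openldap/cacerts\npam_password md5\n'
}

# Constructed sample: same file after switching to STARTTLS.
# Assumed corrected authconfig call (flags are real authconfig options):
#   authconfig --enableldap --enableldapauth \
#     --ldapserver=ldap://ldap.example.com --ldapbasedn=dc=example,dc=com \
#     --enableldaptls --update
fixed_conf() {
    printf 'uri ldap://ldap.example.com\nssl start_tls\n'
    printf 'tls_cacertdir /etc/openldap/cacerts\npam_password md5\n'
}

# Constructed sample: STARTTLS enabled but no CA to verify the server.
untrusted_conf() {
    printf 'uri ldap://ldap.example.com\nssl start_tls\npam_password md5\n'
}

# describe_rc RC: human-readable verdict for a check_ldap_conf_text result
describe_rc() {
    case "$1" in
        0) echo "ok: encrypted bind with CA configured" ;;
        1) echo "INSECURE: BIND password would be sent in plaintext" ;;
        2) echo "WEAK: STARTTLS without tls_cacertdir/tls_cacertfile" ;;
        *) echo "unknown result $1" ;;
    esac
}

# Run the audit over the three samples when executed directly.
audit_samples() {
    for name in weak fixed untrusted; do
        rc=0
        check_ldap_conf_text "$("${name}_conf")" || rc=$?
        printf '%-10s %s\n' "$name" "$(describe_rc "$rc")"
    done
}

audit_samples
```

To audit a live host, pass the file contents instead of a sample: `check_ldap_conf_text "$(cat /etc/ldap.conf)"`. The same directives apply to nss_ldap's pam_ldap and, with `ssl` versus `uri` semantics unchanged, to nss-pam-ldapd's /etc/nslcd.conf, which is why the ticket asks for the other advisors to be reviewed as well.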
master:
ipa-4-3:
ipa-4-2:
Metadata Update from @pspacek:
- Issue assigned to pvoborni
- Issue set to the milestone: FreeIPA 4.2.4