On 1/26/11 3:54 AM, "Stephen Gallagher" <sgallagh(a)redhat.com> wrote:
On 01/26/2011 05:51 AM, Sumit Bose wrote:
> On Tue, Jan 25, 2011 at 02:55:05PM -0500, Stephen Gallagher wrote:
>> On 01/25/2011 11:17 AM, Sumit Bose wrote:
>>> On Tue, Jan 25, 2011 at 11:09:09AM -0500, Stephen Gallagher wrote:
>>>> On 01/25/2011 10:59 AM, Jeff Schroeder wrote:
>>>>> Why don't you make sssd also complain on startup about this option?
>>>>>
>>>> I'm trying not to be TOO obnoxious about it. I figured that not having
>>>> it mentioned in the documentation and not visible to the SSSDConfig API
>>>> would be sufficient.
>>>>
>>>> But if you feel strongly about it, it's not too hard to add.
>>>>
>>> I would also support the idea of some kind of warning message to prevent
>>> someone from accidentally using the "debugging" configuration in
>>> production. But instead of a message at startup I would prefer a syslog
>>> message every time a password is sent unencrypted.
>>
>> New patch with annoying syslog message attached.
>>
> I have to admit this patch is working as expected, I can clearly see my
> password on the wire.
>
> ACK
Ok, so now that we know we have a patch to accomplish this... we have to
ask ourselves this question: are we willing to push this upstream, or
should we stick to the principles we've maintained up to this point?
I feel strongly that we should NACK this patch.
If an administrator wishes to troubleshoot ldaps traffic, there are ways
to do so without compromising the FreeIPA code:
Wireshark can be made to sniff SSL traffic if the user has the SSL cert
http://wiki.wireshark.org/SSL