On Wed, 2011-01-26 at 05:11 -0800, Jeff Schroeder wrote:
> On Wed, Jan 26, 2011 at 3:54 AM, Stephen Gallagher
> <sgallagh(a)redhat.com> wrote:
...snip...
> > Ok, so now that we know we have a patch to accomplish this... we have to
> > ask ourselves this question: are we willing to push this upstream, or
> > should we stick to the principles we've maintained up to this point?
> >
> > --
> > Stephen Gallagher
> I actually agree with JR here. If a user is too lazy to set up LDAP
> certs for a specific server, they can simply set:
>
> ldap_tls_reqcert = never
>
> If they are too lazy to make their LDAP servers support ldaps, they
> shouldn't be running an LDAP server. It seems most appropriate to
> put the patch on bugzilla and then CLOSED WONTFIX it.
I am sorry, but I have to disagree.

We are not going to help anyone to use this option. In fact, it will not
be documented, and it is obnoxious, as it causes a lot of syslog messages.
But I do not see any problem in allowing someone who really, really
needs it to use it. I am all for providing tools to avoid shooting
oneself in the foot, but defaults and strong recommendations are all we
need to provide, IMO.

After all, if someone really wants to send passwords in the clear, they can
always use a different client that allows them to do so, and we will have
gained nothing by forcing someone out.
Simo.
--
Simo Sorce * Red Hat, Inc * New York