lvps / 389ds-server

Ansible role to configure 389DS
Apache License 2.0

Feature request: option to enable nsSSLClientAuth #27

Open resposit opened 2 years ago

resposit commented 2 years ago

I see nsSSLClientAuth gets turned off in tasks/configure_tls.yml. In my use case I need SSL client auth to set up replication agreements based on host certificates (rather than user/pass). It would be nice to have an option to override this setting (maybe an extra variable: dirsrv_sslclientauth). Thanks

lvps commented 2 years ago

While I don't have time in the short term to work on this, I'd gladly accept a pull request. The extra variable is probably the best approach, just set "off" as the default.

Even better would be figuring out if this is actually needed/recommended. For example, here it's recommended: https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html, while here it just says the default is "allowed": https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/configuration_command_and_file_reference/index#nsSSLClientAuth. If leaving "allowed" has no downsides compared to "off", that task could be removed entirely.
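One way the override discussed in this thread could look as Ansible tasks. This is an added example, not code from the lvps/389ds-server role or from either commenter: the variable name `dirsrv_sslclientauth`, the `dirsrv_password` variable, the `dirsrv restart` handler and the use of `community.general.ldap_attrs` are all assumptions; the attribute `nsSSLClientAuth` on `cn=encryption,cn=config` and its three legal values (`off`, `allowed`, `required`) are from the 389DS configuration reference linked above.

```yaml
# Added example (not the role's own tasks). Assumes community.general is
# installed and that the play can bind as cn=Directory Manager.

- name: Validate dirsrv_sslclientauth before touching cn=encryption
  ansible.builtin.assert:
    that:
      - dirsrv_sslclientauth | default('off') in ['off', 'allowed', 'required']
    fail_msg: "dirsrv_sslclientauth must be one of: off, allowed, required"

- name: Set nsSSLClientAuth from dirsrv_sslclientauth (default keeps the current behaviour, off)
  community.general.ldap_attrs:
    server_uri: "ldap://localhost:389"      # assumed; ldapi:// or ldaps:// preferred in practice
    bind_dn: "cn=Directory Manager"
    bind_pw: "{{ dirsrv_password }}"        # assumed variable; keep it in Ansible Vault
    dn: "cn=encryption,cn=config"
    attributes:
      nsSSLClientAuth: "{{ dirsrv_sslclientauth | default('off') }}"
    state: exact                            # replace whatever value is there, do not append
  notify: dirsrv restart                    # assumed handler; the change applies after a restart
```

With `state: exact` the task is idempotent, so re-running the role with the default leaves `off` in place, while a replication host sets `dirsrv_sslclientauth: allowed` (or `required`) in its inventory. Note that `allowed` only lets the server request a client certificate; it does not by itself map a presented certificate to a replication manager, which is separate certmap configuration outside this role.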