lvps
commented
7 months ago Hi, thanks for the PRs
Contrary what you wrote in one of the comments in the code, on my system LDAPI traffic was not encrypted (I see no reason why it should be). I think that in general, if LDAPI is available, using it is faster and more secure than using the TCP socket.
The problem was that, if you have a minimum SSF > 0, 389DS expects every communication to be encrypted, including LDAPI which cannot be encrypted. If you have a minimum SSF and did not encounter this problem, maybe this has been fixed by 389DS in the last 5 years so for me it's ok to change, unless it's a really recent fix. Which 389DS version or OS version did you test your changes on?
This would only matter if the currently configured socket path is different from the configuration in ansible.
I think it's unlikely that anyone changes that, so it should be fine to assume the default one, but wouldn't it be possible to also let users set the URI with a variable, and use the default one only if it's not set?
mwilck
I recently tried to recover from a problem with an expired TLS certificate. I wasn't able to run the 389ds-server role because it would try to connect via TLS, which was always failing.
Contrary what you wrote in one of the comments in the code, on my system LDAPI traffic was not encrypted (I see no reason why it should be). I think that in general, if LDAPI is available, using it is faster and more secure than using the TCP socket.
This patch set checks if LDAPI is availbale, and if yes, uses it. It could be further improved by extracting the path of the ldapi socket from
dse.ldifand use it for connection attempts. This would only matter if the currently configured socket path is different from the configuration in ansible. It's a corner case which I'd like to postpone to a later patch set.I apologize for the many PRs, I've been using your code for a while and thought it might be time to try to contribute back.