(add releng issue) |
No edit summary |
||
(3 intermediate revisions by the same user not shown) | |||
Line 35: | Line 35: | ||
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. --> | <!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. --> | ||
* Email: mhonek@redhat.com | * Email: mhonek@redhat.com | ||
* Release notes | * Release notes ticket: [https://pagure.io/fedora-docs/release-notes/issue/97 #97] | ||
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo) | <!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo) | ||
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address> | * FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address> | ||
Line 55: | Line 55: | ||
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | ||
--> | --> | ||
* Tracker bug: | * Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1537259 #1537259] | ||
== Detailed Description == | == Detailed Description == | ||
Line 75: | Line 75: | ||
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)? Is a mass rebuild required? include a link to the releng issue. | <!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)? Is a mass rebuild required? include a link to the releng issue. | ||
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication --> | The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication --> | ||
** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]: N/A | ** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]: N/A | ||
<!-- Please check the list of Fedora release deliverables and list all the differences the feature brings --> | <!-- Please check the list of Fedora release deliverables and list all the differences the feature brings --> | ||
Line 139: | Line 139: | ||
<!-- [[Category:ChangePageIncomplete]] --> | <!-- [[Category:ChangePageIncomplete]] --> | ||
[[Category: | [[Category:ChangeAcceptedF28]] | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> |
Latest revision as of 14:55, 2 March 2018
Summary
In order to go forward with adoption of SharedSystemCertificates after this change OpenLDAP clients and server will default to use only the system-wide certificates store.
Owner
- Name: Matus Honek
- Email: mhonek@redhat.com
- Release notes ticket: #97
Current status
Detailed Description
Currently, OpenLDAP defaults to trust CA certificates located in /etc/openldap/certs
. In order to comply with SharedSystemCertificates we will remove the default explicit configuration options that point to /etc/openldap/certs
. Therefore, OpenLDAP will let its crypto library (OpenSSL) load the default CA certificates as described in the SharedSystemCertificates description. For a convenience, where possible, configuration files will contain a commentary with an explanation of the new behaviour.
Benefit to Fedora
Simplification of trust handling which is also the aim of the SharedSystemCertificates effort.
Scope
- Proposal owners: change of default shipped configuration.
- Other developers: check your application trusts whom you want it to trust
- Release engineering: [1]
- List of deliverables: N/A
- Policies and guidelines: None.
- Trademark approval: None. (not needed for this Change).
Upgrade/compatibility impact
There should be no upgrade impact at all as the only updated parts are configuration files which are not overwritten when upgraded, only .rpmnew files should appear accordingly. Therefore, only newly installed packages would ship with the changed default configuration.
How To Test
New installations should by default use what system-wide certificates store use. This means one should be able to make use of CA certificates as before but now they should be by default present in the system certificate store. When CA certificate would be migrated to the system certificate store and no explicit CA certificates location would be configured then TLS connections should behave as before.
User Experience
New installations will use the new default configuration, therefore users should alter their provisioning scripts to make use of system certificate store. Of course, explicitly setting the previous location will work as expected.
Dependencies
None.
Contingency Plan
- Contingency mechanism: Revert configuration changes.
- Contingency deadline: beta freeze.
- Blocks release? No.
- Blocks product? No.
Documentation
Follow the Features/SharedSystemCertificates with OpenSSL specifics. Related bugzilla [bug] discussing the change.
Release Notes
Default configuration does not point to /etc/openldap/certs for CA certificates any more. Instead, OpenLDAP now implicitly uses Shared System Certificates.