Comment 12 for bug 1905790

Marco Trevisan (Treviño) (3v1n0) wrote : Re: [Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

> This does raise a question as to why we don't provide a system nssdb. I
> think we should. I wonder if libnss or libnss3-tools could ship ca-
> certificates hook to provide a system nssdb certificate store.

I don't think it makes much sense at this point as most of the tools
that were depending on NSS are leaving it anyways (curl, sssd...) and
even Fedora is trying to get rid of the usage of libnss completely and only
support one crypto backend.

So, I was thinking of doing that and it could be a possibility, but
it still wouldn't be a future-proof solution as we'd regress in the next LTS, and
so we'd end up providing a solution for this LTS (for something that we
didn't support so far) that is going to be broken in the next version.
And I don't think it's a professional thing to ask our users to set up
something and reconfigure it at the next major update when we can start on
the right foot now.

> If we are changing backends, and certs were provided for the nss
> backend, imho we should automatically convert them and keep them active
> for the openssl backend. However unlikely it is that somebody made nss-
> based p11_child work.

Yeah, as I said it isn't hard to do... The only problem I see is that the
postinst script for NSS should depend on libnss3-tools (if we don't
write ourselves something in C that is shipped with SSSD) in order to read the
certs and export them to the OpenSSL chain.

As you said, it's quite unlikely, but could happen.

> Actually, I don't see sssd at all using TLS connections, does it? It
> seems that to perform ldaps connections, it uses libldap from openldap
> which in turn uses GnuTLS. And any and all TLS LDAPS options are simply
> passed through to the libldap.

I had this feeling too, both looking at the code and at the various logs
I found around, where I noticed that connection was handled differently,
but not being the maximum expert here, I preferred not to talk. So happy
you say so.

> Inspecting all sssd binary packages I can see that p11_child is the
> only one using libssl and that does not do TLS.

Yeah, exactly... It does only certs management basically.

> Thus changing nss => openssl backend should be immaterial to what sssd
> uses from them.

Ok, good to hear.

> I don't know how to configure p11_child but I do have
> smartcard reader and multiple smartcards so happy to test things =)

I wrote a few hints in this document, should help:
 https://hackmd.io/@3v1n0/ubuntu-smartcard-login