SSSD and the peeps who don't control my stupidity

So the other day I did a clean install of Fedora 14. Generally I just do updates, things remain largely in place as they were so I'm happy. Well after this clean install and promptly realizing that NetworkManager still blows chunks and after getting that pile of trash out of my way I proceeded on to my next priority, ldap logins.

I don't really like change, usually it's for the worse with moderate benefits that mean nothing to me personally. Since things always change with Fedora I was slightly annoyed to no longer find an ldap.conf or nss_ldap.conf file in the etc directory. A quick glance at the nsswitch.conf file I discover this oh so cleverly named thing of sss. A bit more digging I get my grubby vi on its config file and tell it NO I DON'T USE SSL OR TLS FOR MY LDAP CONNECTIONS! It seems to listen.... for a moment anyway. getent happily does its little lookups, good to go, I wrongly think. Try to login. Pukeage... apparently it's trying to do TLS, cause it's wrong to send password in the clear. After screaming, "WHO ASKED YOU WHAT'S RIGHT OR WRONG FOR MY METHODS OF DOING THINGS!!!" I hit up the google.

Some more grumbling about idiot developers for 'free' software who have no concept of freedom (freedom to be stupid) I come across a handy dandy mailing list post. It seems one of them did realize that freedom is about letting other people do stupid stuff. I did glance through the chain and there was the typical elitist attitude of 'my idea of what you should do is the only right idea' but in the end cooler heads prevailed and realized that you let stupid people be stupid or they'll find something that will let them be stupid. (yes, I was moments away from uninstalling it and going back to nss_ldap and pam_ldap and living the life of unencrypted password bliss)

So, thank you Stephen Gallagher and your option of ldap_auth_disable_tls_never_use_in_production!