Some LDAP configurations require STARTTLS, like the Gentoo infrastructure one. Add a new configuration file to do it. Signed-off-by: Robin H. Johnson diff -Nuar nsscache-0.8.3.orig/nss_cache/sources/ldapsource.py nsscache-0.8.3/nss_cache/sources/ldapsource.py --- nsscache-0.8.3.orig/nss_cache/sources/ldapsource.py 2008-09-08 18:31:58.000000000 -0700 +++ nsscache-0.8.3/nss_cache/sources/ldapsource.py 2009-05-24 16:50:59.579112740 -0700 @@ -76,6 +76,8 @@ self.conn = rlo(uri=conf['uri'], retry_max=conf['retry_max'], retry_delay=conf['retry_delay']) + if conf['tls_starttls'] == 1: + self.conn.start_tls_s() else: self.conn = conn @@ -107,6 +109,8 @@ configuration['tls_cacertdir'] = self.TLS_CACERTDIR if not 'tls_cacertfile' in configuration: configuration['tls_cacertfile'] = self.TLS_CACERTFILE + if not 'tls_starttls' in configuration: + configuration['tls_starttls'] = 0 # Translate tls_require into appropriate constant, if necessary. if configuration['tls_require_cert'] == 'never': @@ -120,6 +124,13 @@ elif configuration['tls_require_cert'] == 'try': configuration['tls_require_cert'] = ldap.OPT_X_TLS_TRY + # Should we issue STARTTLS? + if configuration['tls_starttls'] in (1, '1', 'on', 'yes', 'true'): + configuration['tls_starttls'] = 1 + #if not configuration['tls_starttls']: + else: + configuration['tls_starttls'] = 0 + # Setting global ldap defaults. ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, configuration['tls_require_cert']) diff -Nuar nsscache-0.8.3.orig/nsscache.conf nsscache-0.8.3/nsscache.conf --- nsscache-0.8.3.orig/nsscache.conf 2008-09-08 18:31:58.000000000 -0700 +++ nsscache-0.8.3/nsscache.conf 2009-05-24 16:51:25.468374563 -0700 @@ -70,6 +70,9 @@ # Default filename for trusted CAs #ldap_tls_cacertfile = '/usr/share/ssl/cert.pem' +# Should we issue STARTTLS? +# ldap_tls_starttls = 1 + ## # nssdb module defaults