author Sumit Bose <sbose@redhat.com> 2020-12-02 10:10:37 +0100
committer Sumit Bose <sbose@redhat.com> 2020-12-03 12:39:05 +0100
commit 3e4c42094c9660c710f544e31c49ff38180c7675
tree 73dad7a36a1caa64419dd90e5abcc1d7fade2d47 /doc
parent d7089129b966df83f083cb56ee90f6b906971cb6
service: make TLS check more relaxed

Since realmd is most often the first application called to discover a domain, we do not require a strict certificate check when using the ldaps port to connect to a domain controller.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
Diffstat (limited to 'doc')
-rw-r--r-- doc/manual/realm.xml 8
1 files changed, 7 insertions, 1 deletions
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index 01af62e..d7d8e5e 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -293,7 +293,13 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
which offers a comparable level of security than ldaps.
This option is only needed if the standard LDAP port
(389/tcp) is blocked by a firewall and only the LDAPS
- port (636/tcp) is available.</para>
+ port (636/tcp) is available. Given that and to lower
+ the initial effort to discover a remote domain
+ <command>realmd</command> does not require a strict
+ certificate check. If the validation of the LDAP server
+ certificate fails <command>realmd</command> will
+ continue to setup the encrypted connection to the LDAP
+ server.</para>
<para>If this option is set to
<parameter>yes</parameter> <command>realmd</command>
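Review bot: The added sentences ending in "continue to setup the encrypted connection to the LDAP server." document that a failed certificate validation is ignored, but they do not tell the reader what that implies: the connection is encrypted while the server's identity is not verified, so the text should say so explicitly rather than leave it next to the existing claim about a "comparable level of security". If there is a way to enforce strict validation, name it at this point in the manual; if there is none, say that. Two wording points in the same lines: "Given that" has no clear antecedent, since the preceding sentence is about the firewall case, and "setup" should be the verb "set up".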