<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Everyone,<br>
    </p>
    <p>I received the following from a community member who is using
      Dogtag and 389:</p>
    <blockquote>
      <div>I have 2 questions and 1 note.<br>
      </div>
      <div><br>
      </div>
      <div><b>Note:</b><br>
      </div>
      <div>Here is an interesting thing that I noticed during CA
        cloning:</div>
      <div>When CA to be cloned has secure connection DS enabled,
        cloning process fails.</div>
      <div>None of the docs:<br>
        <ul>
          <li><a
              href="https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_Clone">https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_Clone</a></li>
          <li><a
href="https://github.com/dogtagpki/pki/blob/DOGTAG_10_6_BRANCH/docs/installation/Installing_CA_Clone.md">https://github.com/dogtagpki/pki/blob/DOGTAG_10_6_BRANCH/docs/installation/Installing_CA_Clone.md</a></li>
          <li><a
href="https://github.com/dogtagpki/pki/blob/master/docs/installation/ca/Installing_CA_Clone.md">https://github.com/dogtagpki/pki/blob/master/docs/installation/ca/Installing_CA_Clone.md</a></li>
        </ul>
      </div>
      <div>covers this issue.</div>
      <div>Solution here is to use <br>
        <div style="margin-left:40px"><span
            style="font-family:monospace">pki_clone_replication_master_port=389<br>
            pki_clone_replication_clone_port=389<br>
            pki_clone_replication_security=None</span></div>
      </div>
      <div><a
href="https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/server/etc/default.cfg#L255">https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/server/etc/default.cfg#L255</a></div>
      <div><br>
      </div>
      <div><br>
      </div>
      <div><b>Question 1 (sorry, a bit long):</b><br>
      </div>
      <div>When the CA is cloned, both DS servers have the <b><span
            style="font-family:monospace">nsslapd-referral </span></b>attribute
        set in their dn: <b><span style="font-family:monospace">cn=o\3Dpki-tomcat-CA,cn=mapping
            tree,cn=config</span></b> entries,</div>
      <div>so DS on <a href="http://vm-awnuk4.hostname.com">vm-users4.hostname.com</a></div>
      <div>would have <br>
      </div>
      <div style="margin-left:40px"><b><span
            style="font-family:monospace">dn:
            cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config<br>
            nsslapd-referral: <a class="moz-txt-link-freetext">ldap://</a><a
              href="http://vm-awnuk3.hostname.com:389/o%3Dpki-tomcat-CA">vm-users3.hostname.com:389/o%3Dpki-tomcat-CA</a></span></b></div>
      <div>and DS on <a href="http://vm-awnuk3.hostname.com">vm-users3.hostname.com</a></div>
      <div style="margin-left:40px"><b><span
            style="font-family:monospace">dn:
            cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config<br>
            nsslapd-referral: <a class="moz-txt-link-freetext">ldap://</a><a
              href="http://vm-awnuk4.hostname.com:389/o%3Dpki-tomcat-CA">vm-users4.hostname.com:389/o%3Dpki-tomcat-CA</a></span></b></div>
      <div><b>I wonder what the meaning of the nsslapd-referral
          attribute is?</b></div>
      <div><br>
      </div>
      <div>The reason I'm asking is that I was thinking that, for
        replication over SSL, maybe nsslapd-referral should be modified</div>
      <div style="margin-left:40px"> from  <b><span
            style="font-family:monospace"><a
              class="moz-txt-link-freetext">ldap://</a><a
              href="http://vm-awnuk4.hostname.com:389/o%3Dpki-tomcat-CA">vm-users4.hostname.com:389/o%3Dpki-tomcat-CA</a></span></b></div>
      <div style="margin-left:40px">to      <b><span
            style="font-family:monospace"><a
              class="moz-txt-link-freetext">ldaps://</a><a
              href="http://vm-awnuk4.hostname.com:636/o%3Dpki-tomcat-CA">vm-users4.hostname.com:636/o%3Dpki-tomcat-CA</a></span></b></div>
      <div>but when I did this, the nsslapd-referral attribute was automatically
        reverted to its original value by DS,</div>
      <div><b>so I'm trying to make sure </b><b>whether the nsslapd-referral
          attribute should be left unchanged when enabling SSL for
          DS replication?</b></div>
      <div><br>
      </div>
      <div>Just in case here is a sample of all changes on both DS
        (hopefully, I didn't miss anything to have properly configured
        replication over SSL):</div>
      <div>
        <div style="margin-left:40px"><span
            style="font-family:monospace"><a
              href="http://vm-awnuk4.hostname.com">vm-users4.hostname.com</a>:</span><br>
          <span style="font-family:monospace"></span>------------------------------------<br>
          <span style="font-family:monospace">dn: cn=config</span><br>
          <span style="font-family:monospace">nsslapd-security: on</span><br>
          <span style="font-family:monospace"></span><br>
          <span style="font-family:monospace">dn:
            cn=RSA,cn=encryption,cn=config</span><br>
          <span style="font-family:monospace">nsSSLPersonalitySSL:
            slapd-vm-users4</span><br>
          <span style="font-family:monospace">nsSSLToken: internal
            (software)</span><br>
          <span style="font-family:monospace">nsSSLActivation: on</span><br>
          <span style="font-family:monospace"></span><br>
          <span style="font-family:monospace">dn:
            cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config</span><br>
          <span style="font-family:monospace">nsslapd-referral: <a
              class="moz-txt-link-freetext">ldap://</a><a
              href="http://vm-awnuk3.hostname.com:389/o%3Dpki-tomcat-CA">vm-users3.hostname.com:389/o%3Dpki-tomcat-CA</a></span><br>
          <span style="font-family:monospace"></span><br>
          <span style="font-family:monospace">dn:
            cn=cloneAgreement1-vm-users4.hostname.com-pki-tomcat,cn=replica,cn=</span><span
            style="font-family:monospace">o\3Dpki-tomcat-CA,cn=mapping
            tree,cn=config</span><br>
          <span style="font-family:monospace">nsDS5ReplicaPort: 636</span><br>
          <span style="font-family:monospace">nsDS5ReplicaTransportInfo:
            SSL</span><br>
        </div>
        <div style="margin-left:40px"><span
            style="font-family:monospace"></span></div>
        <br>
        <br>
        <div style="margin-left:40px"><span
            style="font-family:monospace"><a
              href="http://vm-awnuk3.hostname.com">vm-users3.hostname.com</a>:</span><br>
          <span style="font-family:monospace"></span>------------------------------------<br>
          <span style="font-family:monospace">dn: cn=config</span><br>
          <span style="font-family:monospace">nsslapd-security: on</span><br>
          <span style="font-family:monospace"></span><br>
          <span style="font-family:monospace">dn:
            cn=RSA,cn=encryption,cn=config</span><br>
          <span style="font-family:monospace">nsSSLPersonalitySSL:
            slapd-vm-users3</span><br>
          <span style="font-family:monospace">nsSSLToken: internal
            (software)</span><br>
          <span style="font-family:monospace">nsSSLActivation: on</span><br>
          <span style="font-family:monospace"></span><br>
          <span style="font-family:monospace">dn:
            cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config</span><br>
          <span style="font-family:monospace">nsslapd-referral: <a
              class="moz-txt-link-freetext">ldap://</a><a
              href="http://vm-awnuk4.hostname.com:389/o%3Dpki-tomcat-CA">vm-users4.hostname.com:389/o%3Dpki-tomcat-CA</a></span><br>
          <span style="font-family:monospace"></span><br>
          <span style="font-family:monospace">dn:
            cn=masterAgreement1-vm-users4.hostname.com-pki-tomcat,cn=replica,cn</span><span
            style="font-family:monospace">=o\3Dpki-tomcat-CA,cn=mapping
            tree,cn=config</span><br>
          <span style="font-family:monospace">nsDS5ReplicaPort: 636</span><br>
          <span style="font-family:monospace">nsDS5ReplicaTransportInfo:
            SSL</span><br>
        </div>
      </div>
      <br>
      <div><br>
      </div>
      <div><b>Question 2:</b></div>
      <div> DS has so-called "SSF Restrictions" (<a
href="https://directory.fedoraproject.org/docs/389ds/howto/howto-use-ssf-restrictions.html">https://directory.fedoraproject.org/docs/389ds/howto/howto-use-ssf-restrictions.html</a>)<br>
      </div>
      <div>which may be configured by setting <b><span
            style="font-family:monospace">nsslapd-minssf</span></b>
        attribute in <b><span style="font-family:monospace">cn=config</span></b>
        entry.</div>
      <div>The default value of the <b><span style="font-family:monospace">nsslapd-minssf</span></b>
        attribute is 0. W<br>
      </div>
      <div>
        <div>The minimum SSF configuration setting can be used to define the
          minimum level of encryption that is required.</div>
        <div><br>
        </div>
      </div>
      <div><b>Do you know what this means?</b></div>
      <div><b>Should I be concerned?</b></div>
      <div><br>
      </div>
      <div>By the way, when the <b><span
            style="font-family:monospace">nsslapd-minssf</span></b>
        attribute is set to <b><span style="font-family:monospace">128</span></b>,
        DS becomes inaccessible and the CA stops working.</div>
      <div><br>
      </div>
    </blockquote>
    <div>Thanks in advance for any answers,<br>
      -- Matt</div>
    <div><br>
    </div>
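    <p>The two questions above both come down to whether the settings on a
      389-DS instance agree with each other once replication is moved to TLS:
      the replication agreement says <span style="font-family:monospace">SSL</span>
      on port 636, the mapping-tree referral still advertises
      <span style="font-family:monospace">ldap://host:389</span>, and an
      <span style="font-family:monospace">nsslapd-minssf</span> of 128 refuses
      every client whose connection does not reach that security strength
      factor, which includes a CA still talking to port 389 with
      <span style="font-family:monospace">pki_clone_replication_security=None</span>.
      The script below is an added example, not Dogtag or 389-DS code: it reads
      LDIF like the snippets in the mail and lists the combinations that do not
      line up. The sample LDIF is constructed from the vm-users4 snippet; the
      <span style="font-family:monospace">nsDS5ReplicaHost</span> line and the
      <span style="font-family:monospace">nsslapd-minssf: 128</span> line are
      assumptions added so the checks have something to act on.</p>
    <pre>
```python
"""Consistency checker for 389-DS replication-over-TLS settings.

Added example, not Dogtag/389-DS code.  It parses LDIF such as the snippets
in the mail and reports settings that disagree: an agreement marked SSL on
the cleartext port, a referral still advertising ldap:// while agreements use
SSL, and an nsslapd-minssf that refuses cleartext clients of this server.
"""
from urllib.parse import urlsplit

# Constructed sample modelled on the vm-users4 snippet from the mail.
# nsDS5ReplicaHost and nsslapd-minssf are assumptions added for the checks.
SAMPLE_LDIF = r"""
dn: cn=config
nsslapd-security: on
nsslapd-minssf: 128

dn: cn=RSA,cn=encryption,cn=config
nsSSLPersonalitySSL: slapd-vm-users4
nsSSLToken: internal (software)
nsSSLActivation: on

dn: cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config
nsslapd-referral: ldap://vm-users3.hostname.com:389/o%3Dpki-tomcat-CA

dn: cn=cloneAgreement1-vm-users4.hostname.com-pki-tomcat,cn=replica,cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config
nsDS5ReplicaHost: vm-users3.hostname.com
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
"""


def parse_ldif(text):
    """Minimal LDIF reader: a list of {attr_lower: [values]} dicts.
    Handles folded continuation lines (leading space), comments and
    multi-valued attributes; base64 (::) values are out of scope here."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # folded line: join to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def _first(entry, attr, default=None):
    vals = entry.get(attr.lower())
    return vals[0] if vals else default


def check_tls_consistency(entries):
    """Return a list of findings (strings); an empty list means the snippet
    is self-consistent for replication over TLS."""
    findings = []
    by_dn = {_first(e, "dn", "").lower(): e for e in entries}
    config = by_dn.get("cn=config", {})
    security_on = _first(config, "nsslapd-security", "off").lower() == "on"
    minssf = int(_first(config, "nsslapd-minssf", "0"))

    ssl_agreements = 0
    cleartext_refs = []      # referrals that still advertise plain ldap://
    for e in entries:
        dn = _first(e, "dn", "")
        transport = (_first(e, "nsDS5ReplicaTransportInfo") or "").upper()
        port = _first(e, "nsDS5ReplicaPort")
        if port is not None:                   # this entry is an agreement
            if transport == "SSL":
                ssl_agreements += 1
                if not security_on:
                    findings.append(f"{dn}: transport SSL but nsslapd-security is off")
                if port == "389":
                    findings.append(f"{dn}: transport SSL on port 389 (cleartext LDAP port)")
            elif port == "636":
                findings.append(f"{dn}: port 636 but transport is not SSL")
        for url in e.get("nsslapd-referral", []):
            u = urlsplit(url)
            if u.scheme.lower() == "ldap":
                cleartext_refs.append((dn, f"{u.hostname}:{u.port or 389}"))
    if ssl_agreements and cleartext_refs:
        for dn, hostport in cleartext_refs:
            findings.append(f"{dn}: referral advertises cleartext ldap://{hostport} "
                            f"while {ssl_agreements} agreement(s) replicate over SSL")
    if minssf > 0:
        # 389-DS refuses operations on connections whose SSF is below the
        # minimum, so a CA still using port 389 without TLS loses access.
        findings.append(f"cn=config: nsslapd-minssf={minssf} refuses clients below "
                        f"SSF {minssf}; a CA bound to port 389 with "
                        f"pki_clone_replication_security=None will lose access")
    return findings


if __name__ == "__main__":
    for finding in check_tls_consistency(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```
    </pre>
    <p>Run against the sample it reports the cleartext referral next to the
      SSL agreement and the effect of <span style="font-family:monospace">nsslapd-minssf=128</span>;
      with the referral switched to <span style="font-family:monospace">ldaps://...:636</span>
      and minssf back at 0 it reports nothing. The checker only compares
      settings present in the LDIF, so it describes a mismatch rather than
      deciding which side of it is the one to change.</p>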
  </body>
</html>