[Fedora-directory-users] FDS / PAM Integration Questions

[Jonathan Schreiter]

> 2) I've setup a second FDS to be act as a consumer (single master replication).  I've followed the administator's documentation and set a simple cn=replication manager, cn=config on both servers to act as the bind for replication (via replication agreement).  I've tested this and everything is working great (directory entries, GSSAPI, etc).  I would imagine that when the replication binds, the password is sent in clear text.  Is this true?  If I create a new user in the cn=config and create a new sasl mapping (uid=\1,cn=config) can I simply create a kerberos principal with the same name and use GSSAPI for the bind?  The same question as #1 above is will this session be encrypted via GSSAPI as well?
>   
Server to server GSSAPI does not currently work.  If you don't want to 
send unencrypted clear text passwords over the wire, your best bet is to 
set up SSL between the servers.


Hi Richard,
I've created a CA using openssl and installed the cacert on both FDS servers.  I've then requested certificates from both servers, created certificates using the CA, and installed.  I then enabled SSL on both servers and reset them.  I deleted my old replication and created a new one that's identical except I've checked "Using encrypted SSL connection".  I'm still using a Simple Authentication with uid=RManager,cn=config and password.  The replication works great.

Is this password now sent encrypted (even though I'm not using SSL client authentication)?  I'd like to keep this as simple as possible and didn't want to deal with client certificates at this point because I'm using GSSAPI.  

Thanks again for all your help.

Regards,
Jonathan