Jonathan Schreiter wrote:
Yes. Client auth is if you want, in addition to SSL traffic encryption, to get rid of passwords and use your certificate for authentication.Server to server GSSAPI does not currently work. If you don't want to send unencrypted clear text passwords over the wire, your best bet is to set up SSL between the servers.2) I've setup a second FDS to be act as a consumer (single master replication). I've followed the administator's documentation and set a simple cn=replication manager, cn=config on both servers to act as the bind for replication (via replication agreement). I've tested this and everything is working great (directory entries, GSSAPI, etc). I would imagine that when the replication binds, the password is sent in clear text. Is this true? If I create a new user in the cn=config and create a new sasl mapping (uid=\1,cn=config) can I simply create a kerberos principal with the same name and use GSSAPI for the bind? The same question as #1 above is will this session be encrypted via GSSAPI as well?Hi Richard, I've created a CA using openssl and installed the cacert on both FDS servers. I've then requested certificates from both servers, created certificates using the CA, and installed. I then enabled SSL on both servers and reset them. I deleted my old replication and created a new one that's identical except I've checked "Using encrypted SSL connection". I'm still using a Simple Authentication with uid=RManager,cn=config and password. The replication works great. Is this password now sent encrypted (even though I'm not using SSL client authentication)?
I'd like to keep this as simple as possible and didn't want to deal with client certificates at this point because I'm using GSSAPI.Thanks again for all your help. Regards, Jonathan -- Fedora-directory-users mailing list Fedora-directory-users redhat com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Description: S/MIME Cryptographic Signature