[Fedora-directory-users] FDS / PAM Integration Questions

Richard Megginson rmeggins at redhat.com
Mon Feb 5 16:48:21 UTC 2007 

Jonathan Schreiter wrote:
>> 2) I've setup a second FDS to be act as a consumer (single master replication).  I've followed the administator's documentation and set a simple cn=replication manager, cn=config on both servers to act as the bind for replication (via replication agreement).  I've tested this and everything is working great (directory entries, GSSAPI, etc).  I would imagine that when the replication binds, the password is sent in clear text.  Is this true?  If I create a new user in the cn=config and create a new sasl mapping (uid=\1,cn=config) can I simply create a kerberos principal with the same name and use GSSAPI for the bind?  The same question as #1 above is will this session be encrypted via GSSAPI as well?
>>   
>>     
> Server to server GSSAPI does not currently work.  If you don't want to 
> send unencrypted clear text passwords over the wire, your best bet is to 
> set up SSL between the servers.
>
>
> Hi Richard,
> I've created a CA using openssl and installed the cacert on both FDS servers.  I've then requested certificates from both servers, created certificates using the CA, and installed.  I then enabled SSL on both servers and reset them.  I deleted my old replication and created a new one that's identical except I've checked "Using encrypted SSL connection".  I'm still using a Simple Authentication with uid=RManager,cn=config and password.  The replication works great.
>
> Is this password now sent encrypted (even though I'm not using SSL client authentication)?
Yes.  Client auth is if you want, in addition to SSL traffic encryption, 
to get rid of passwords and use your certificate for authentication.
> I'd like to keep this as simple as possible and didn't want to deal with client certificates at this point because I'm using GSSAPI.  
>
> Thanks again for all your help.
>
> Regards,
> Jonathan
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20070205/cc740f11/attachment.bin>

More information about the Fedora-directory-users mailing list