[Fedora-directory-users] fdstools.pm - perl module for managing replication and encryption setup

Ryan Braun [ADS] ryan.braun at ec.gc.ca
Tue Feb 24 22:11:43 UTC 2009


Hey guys,  I had been working on several scripts for fds to configure and 
monitor replication and encryption across several servers.  Well I decided to 
move the guts of those scripts into a perl module called fdstools.

What started as a Net::LDAP/perl learning experience, evolved into this 
module.  It's not near feature complete,  but does work for setting up 
replication and configuring and enabling TLS/SSL on fds.  And it's my first 
attempt at a perl module,  so take it easy on me :) 

The TLS/SSL setup is just basically a glorified wrapper for certutil and 
pk12util,  perl-ified.  The replication setup is all done using ldap calls to 
the appropriate servers.

There are 3 config files (2 that you need to edit).  Default locations for all 
3 are /etc/fdstools/

fdstools.conf - system wide defaults, file locations etc.
repman.conf   - root DN specific options for replication
serial        - file to keep track of certs handed out, serial numbers on certs
                etc. (generally don't touch this file, you could break the serial
                number sequence when creating certs)


Just put the fdstools.pm module and the 2 helper scripts (repman.pl and 
setup_ssl) in the same directory.

You can do a perldoc fdstools from the same directory as the module to get 
some rudimentary docs.  I like to think I'm comment heavy,  so have a look at 
the code as well for any details.  My perldoc-fu is lacking.

There are a lot of options for setup_ssl,  so try running with -h to get 
help and -e for a list of examples.

Hopefully it doesn't break any systems,  but if it does make sure you have 
backups of your security databases and directory server as well as dse.ldif.

I used it to create a 2 server mmr setup with UserRoot and NetscapeRoot being 
replicated over SSL.  If you want to replicate NetscapeRoot,  you need to 
create the root suffix on the target server first.  I've included an ldif to 
help with that.  So just run 

ldapadd -x -h TARGETSERVER -D "cn=directory manager" -W -f ldif/ns.ldif

Then run the repman.pl script but tell it to use an alternate config like so.

my $blah = fdstools->new( prompt_bindpw => "1", config => "/etc/fdstools/repman-ns.conf" );

Remember,  if you are replicating NetscapeRoot,  you need to install the 
second server using setup-ds.pl FIRST,  then setup the replication agreements 
(and encryption if you want the agreement to be encrypted),  initialize them,  
then run register-ds-admin.pl.

Any questions/comments/complaints please let me know.

md5sum fdstools.tar.bz2
39b18c773578d58ac75be65c3efaca48  fdstools.tar.bz2



Ryan Braun
Informatics Operations
Aviation and Defence Services Division 
Chief Information Officer Branch, Environment Canada 
CIV: (204) 833-2500x2625 CSN: 257-2625  FAX: (204) 833-2524
E-Mail: Ryan.Braun at ec.gc.ca


-------------- next part --------------
A non-text attachment was scrubbed...
Name: fdstools.tar.bz2
Type: application/x-bzip-compressed-tar
Size: 15574 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20090224/141ff4ab/attachment.bin>
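An added example, not part of Ryan's post or of the fdstools module: a stand-alone Net::LDAP script that makes the kind of LDAP calls the post says repman.pl uses, i.e. it enables a supplier replica on one Fedora Directory Server and creates an SSL replication agreement to a second server. The hostnames, CA file path, changelog directory, suffix, replica id and the FDS_BINDPW/FDS_REPLPW/FDS_INIT environment variables are placeholders chosen for this example; the entry DNs and nsDS5* attribute names are the standard FDS/389 replication configuration schema, not anything specific to fdstools.

```perl
#!/usr/bin/perl
# Added example, not part of fdstools: enable a supplier replica on one
# Fedora Directory Server and create an SSL replication agreement to a
# second server using plain Net::LDAP calls. For MMR run it once per
# master (swap supplier/consumer and use a different replica_id).
# All hostnames, paths and the suffix below are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_ALREADY_EXISTS);

my %cfg = (
    supplier   => 'ldap1.example.com',            # server being configured
    consumer   => 'ldap2.example.com',            # peer the agreement points at
    cafile     => '/etc/dirsrv/cacert.asc',       # CA that signed both server certs
    changelog  => '/var/lib/dirsrv/slapd-ldap1/changelogdb',
    suffix     => 'dc=example,dc=com',
    replica_id => 1,                              # must differ on every master
    bind_dn    => 'cn=directory manager',
    bind_pw    => $ENV{FDS_BINDPW} || die("set FDS_BINDPW in the environment\n"),
    repl_dn    => 'cn=replication manager,cn=config',
    repl_pw    => $ENV{FDS_REPLPW} || die("set FDS_REPLPW in the environment\n"),
);

# Die on any LDAP error except "entry already exists", so the script can be
# re-run safely after a partial failure.
sub check {
    my ($what, $res) = @_;
    return if $res->code == LDAP_SUCCESS || $res->code == LDAP_ALREADY_EXISTS;
    die "$what failed: " . $res->error . "\n";
}

# Connect over LDAPS and require the peer certificate to chain to our CA,
# so the Directory Manager password never travels in the clear.
my $ldap = Net::LDAP->new($cfg{supplier}, scheme => 'ldaps', port => 636,
                          verify => 'require', cafile => $cfg{cafile})
    or die "cannot connect to $cfg{supplier}: $@\n";
check('bind', $ldap->bind($cfg{bind_dn}, password => $cfg{bind_pw}));

# 1. Change log: every master needs one to record updates for its peers.
check('changelog', $ldap->add('cn=changelog5,cn=config', attrs => [
    objectClass            => ['top', 'extensibleObject'],
    cn                     => 'changelog5',
    'nsslapd-changelogdir' => $cfg{changelog},
]));

# 2. Replication manager: the account the peer binds as. Deliberately not
#    Directory Manager, so a compromised peer only gets replication rights.
check('replication manager', $ldap->add($cfg{repl_dn}, attrs => [
    objectClass  => ['top', 'person'],
    cn           => 'replication manager',
    sn           => 'RM',
    userPassword => $cfg{repl_pw},
]));

# 3. Replica entry under the suffix's mapping tree node.
my $mapping = qq{cn="$cfg{suffix}",cn=mapping tree,cn=config};
check('replica', $ldap->add("cn=replica,$mapping", attrs => [
    objectClass        => ['top', 'nsDS5Replica'],
    cn                 => 'replica',
    nsDS5ReplicaRoot   => $cfg{suffix},
    nsDS5ReplicaId     => $cfg{replica_id},
    nsDS5ReplicaType   => 3,        # 3 = read-write (multi-master) replica
    nsDS5Flags         => 1,        # 1 = write updates to the change log
    nsDS5ReplicaBindDN => $cfg{repl_dn},
]));

# 4. Agreement: push changes to the consumer over SSL on port 636.
my $agmt = "cn=to-$cfg{consumer},cn=replica,$mapping";
check('agreement', $ldap->add($agmt, attrs => [
    objectClass               => ['top', 'nsDS5ReplicationAgreement'],
    cn                        => "to-$cfg{consumer}",
    nsDS5ReplicaRoot          => $cfg{suffix},
    nsDS5ReplicaHost          => $cfg{consumer},
    nsDS5ReplicaPort          => 636,
    nsDS5ReplicaTransportInfo => 'SSL',
    nsDS5ReplicaBindDN        => $cfg{repl_dn},
    nsDS5ReplicaBindMethod    => 'SIMPLE',
    nsDS5ReplicaCredentials   => $cfg{repl_pw},
    description               => "MMR agreement to $cfg{consumer}",
]));

# 5. Initialize the consumer from this master (one-shot total update).
#    Only do this once the peer has its replica and replication manager
#    configured, otherwise the bind on the consumer side fails.
if ($ENV{FDS_INIT}) {
    check('initialize', $ldap->modify($agmt,
        replace => { nsDS5BeginReplicaRefresh => 'start' }));
}

$ldap->unbind;
print "replica $cfg{replica_id} on $cfg{supplier} configured to push ",
      "$cfg{suffix} to $cfg{consumer} over SSL\n";
```

Run it once against each master with supplier and consumer swapped and a distinct replica_id, then a second time with FDS_INIT=1 on the master that holds the authoritative data. Requiring the CA file on the LDAPS connection is the part that matters for security: without `verify => 'require'` the script would hand the Directory Manager password to whatever answers on port 636.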

