[Pki-devel] [PATCH] Allow use of secure LDAPS connection

Ade Lee alee at redhat.com
Fri Mar 13 19:06:37 UTC 2015


The code changes look fine.  ACK on those.

I have some questions about the changes to the man pages.

First, as mentioned on #irc, pki_security_domain_password should not be
in the example for the default CA case.

Now, I think it is important to state the context of this feature in the
man page.

This could be:
* We have a DS that talks LDAPS already, and we need to talk to this DS
using LDAPS.  It has a CA cert file that is issued by some other CA.

* We want to talk to the DS using LDAPS and we want to use the CA cert
generated by this CA (once installed) to issue the SSL cert for the DS.
We do not need to talk securely during the installation.  In this case,
you configure the CA using the LDAP port first, and then issue an SSL cert
for the DS, install and reconfigure the CA.

* We have to talk to the DS using LDAPS and we want to use the CA cert
for this CA (once installed) to issue the SSL cert for the DS.  We also
need to be able to talk securely during the installation.  In this case,
you configure the DS with a temporary self-signed cert (as you described
in the man page), then install the CA and swap things out post-install.

Also, the formatting for the man page is a little weird in that the
paragraphs following your section on installing using LDAPS appear to be
part of that section (when they are not).  I'm talking about the
paragraph that starts:

This  invocation  of  pkispawn creates a Tomcat instance containing a CA
running on the local machine with secure port  8443  and  unsecure  port
8080.  ... 

Actually, looking more closely, I think you inserted your section in the
wrong place.

Ade

On Thu, 2015-03-12 at 19:33 -0600, Matthew Harmsen wrote:
> Please review the attached patch which addresses the following issue:
>       * PKI TRAC Ticket #1144 - pkispawn needs option to specify ca
>         cert for ldap
> 
> Using my Fedora 21 laptop, I was able to successfully install and
> configure a Directory Server to use LDAPS (documented procedure in
> attached 'pkispawn' man page), and was able to use the exported
> Directory Server CA certificate to successfully install and configure
> a CA using this CA certificate in conjunction with the secure
> Directory Server.
> 
> 
> I verified that the two servers were speaking TLS by
> checking /var/log/dirsrv/slapd-pki/access:
> 
> 
>       * TLS1.2 128-bit AES-GCM
> 
> Additionally, I successfully installed an OCSP subsystem into this
> shared PKI instance.
> 
> 
> For the CA, I successfully tested both non-interactive as well as
> interactive modes of pkispawn.
> 
> 
> Thanks,
> -- Matt
> 
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
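
The verification step Matt describes above (confirming from /var/log/dirsrv/slapd-pki/access that the CA really binds to the Directory Server over TLS) can be turned into a repeatable check. The script below is an added example, not part of the patch or of the thread; it parses 389-ds access-log lines and reports every BIND that happened on a connection with no preceding TLS handshake line, or on a handshake below a required protocol version. The log lines it runs on are constructed samples in the 389-ds access-log layout, and the assumption that both LDAPS and StartTLS connections produce a "conn=N TLS1.2 128-bit AES-GCM" style line after the handshake is mine, not something the thread states.

```python
import re

# Constructed sample of 389-ds access log lines (not copied from the thread).
# conn=5 is an LDAPS connection: "SSL connection from" plus a TLS handshake line,
# then a BIND.  conn=6 is a plaintext connection that binds without any TLS line.
SAMPLE_ACCESS_LOG = """\
[13/Mar/2015:12:00:01 -0600] conn=5 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.0.1
[13/Mar/2015:12:00:01 -0600] conn=5 TLS1.2 128-bit AES-GCM
[13/Mar/2015:12:00:01 -0600] conn=5 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[13/Mar/2015:12:00:01 -0600] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[13/Mar/2015:12:00:02 -0600] conn=6 fd=65 slot=65 connection from 127.0.0.1 to 127.0.0.1
[13/Mar/2015:12:00:02 -0600] conn=6 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[13/Mar/2015:12:00:02 -0600] conn=6 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[13/Mar/2015:12:00:03 -0600] conn=5 op=1 UNBIND
[13/Mar/2015:12:00:03 -0600] conn=5 op=1 fd=64 closed - U1
"""

CONN_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
# Handshake summary line, e.g. "TLS1.2 128-bit AES-GCM" (assumed to appear for
# both LDAPS and StartTLS connections once the handshake completes).
TLS_RE = re.compile(r'^(?P<proto>TLS\d(?:\.\d)?|SSL\d) (?P<bits>\d+)-bit (?P<cipher>\S+)$')
BIND_RE = re.compile(r'^op=\d+ BIND dn="(?P<dn>[^"]*)"')


def tls_version(proto):
    """'TLS1.2' -> (1, 2); 'TLS1' -> (1, 0); 'SSL3' -> (0, 3) so SSL sorts below every TLS."""
    if proto is None:
        return None
    if proto.startswith('SSL'):
        return (0, int(proto[3:]))
    nums = proto[3:].split('.')
    return (int(nums[0]), int(nums[1]) if len(nums) > 1 else 0)


def audit_binds(log_text):
    """Return one record per BIND: connection id, bind DN and the TLS state of that connection."""
    tls_state = {}   # conn id -> (proto, bits, cipher) once a handshake line was seen
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        conn, rest = m.group('conn'), m.group('rest')
        t = TLS_RE.match(rest)
        if t:
            tls_state[conn] = (t.group('proto'), int(t.group('bits')), t.group('cipher'))
            continue
        b = BIND_RE.match(rest)
        if b:
            proto, bits, cipher = tls_state.get(conn, (None, 0, None))
            findings.append({'conn': conn, 'dn': b.group('dn'), 'secure': proto is not None,
                             'proto': proto, 'bits': bits, 'cipher': cipher})
            continue
        # Connection ids are reused after close; forget its TLS state then.
        if (' closed' in rest) or rest.endswith('UNBIND'):
            tls_state.pop(conn, None)
    return findings


def plaintext_or_weak_binds(log_text, min_tls=(1, 2)):
    """List BINDs that sent credentials without TLS, or over a protocol older than min_tls."""
    issues = []
    for f in audit_binds(log_text):
        if not f['secure']:
            issues.append(f"conn={f['conn']} BIND dn={f['dn']!r} without TLS (plaintext credentials)")
        elif tls_version(f['proto']) < min_tls:
            issues.append(f"conn={f['conn']} BIND dn={f['dn']!r} over {f['proto']} "
                          f"is below required TLS{min_tls[0]}.{min_tls[1]}")
    return issues


if __name__ == '__main__':
    for f in audit_binds(SAMPLE_ACCESS_LOG):
        print(f)
    for issue in plaintext_or_weak_binds(SAMPLE_ACCESS_LOG):
        print('WARNING:', issue)
```

Run it against a real access log with `plaintext_or_weak_binds(open('/var/log/dirsrv/slapd-pki/access').read())`; an empty list after a pkispawn run means every CA bind, including the initial Directory Manager bind used during configuration, went over TLS at the version you require. In the second scenario Ade lists (CA configured over plain LDAP first, DS cert swapped in later) the check is expected to report plaintext binds for the installation window, which is exactly the window the third scenario's temporary self-signed cert is meant to close.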
