Jonathan Schreiter wrote:
> 2) I've setup a second FDS to be act as a consumer (single
master replication). I've followed the administator's documentation and set a
simple cn=replication manager, cn=config on both servers to act as the bind for
replication (via replication agreement). I've tested this and everything is working
great (directory entries, GSSAPI, etc). I would imagine that when the replication binds,
the password is sent in clear text. Is this true? If I create a new user in the
cn=config and create a new sasl mapping (uid=\1,cn=config) can I simply create a kerberos
principal with the same name and use GSSAPI for the bind? The same question as #1 above
is will this session be encrypted via GSSAPI as well?
>
>
Server to server GSSAPI does not currently work. If you don't want to
send unencrypted clear text passwords over the wire, your best bet is to
set up SSL between the servers.
Hi Richard,
I've created a CA using openssl and installed the cacert on both FDS servers.
I've then requested certificates from both servers, created certificates using the CA,
and installed. I then enabled SSL on both servers and reset them. I deleted my old
replication and created a new one that's identical except I've checked "Using
encrypted SSL connection". I'm still using a Simple Authentication with
uid=RManager,cn=config and password. The replication works great.
Is this password now sent encrypted (even though I'm not using SSL client
authentication)?
Yes. Client auth is if you want, in addition to SSL traffic
encryption,
to get rid of passwords and use your certificate for authentication.
I'd like to keep this as simple as possible and didn't want
to deal with client certificates at this point because I'm using GSSAPI.
Thanks again for all your help.
Regards,
Jonathan
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users