On 10/08/2015 08:59 AM, Karel Lang AFD wrote:
Hello Rich and all,
thanks for the extra work and concern.
In comment to your reply (see below your text):
On 10/08/2015 02:00 PM, 389-users-request@xxxxxxxxxxxxxxxxxxxxxxx wrote:
> Message: 2
> Date: Wed, 7 Oct 2015 08:56:25 -0400
> From: Rich Megginson<rmeggins@xxxxxxxxxx>
> To:389-users@xxxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: 389-users Digest, Vol 125, Issue 3
> Message-ID:<56151679.40802@xxxxxxxxxx>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 10/07/2015 08:34 AM, Karel Lang AFD wrote:
>> It is solved, problem is the script, that is recommended by fedora
>> wiki (setupssl2.sh) as a way for automatic SSL generation for 389-DS
>> server, is not suitable for setting up multimaster, nor master/slave
>> scenarios.
Correct. It is for single server self signed scenarios (e.g. testing,
not production). You really need a "real" CA in order to issue multiple
certs for multiple servers.
If that is not clear from the docs, please let us know.
Regarding howto on fedora wiki:
Originally I went according to this wiki fedora doc:
http://directory.fedoraproject.org/wiki/Howto:SSL
but it was moved - I guess here:
http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html
I got there by going here:
http://directory.fedoraproject.org/docs/389ds/documentation.html
and then
"FAQ’s, Tech Docs" -> and then "How To’s" -> "How to Setup TLS/SSL"
And there is the link on the setupssl2.sh script. But the description
of the script is just along the lines, that it will generate the SSL
CA cert and server certs for you.
So maybe it would be good to add a sentence there, about its
usability only for single server and not in multimaster or
master/slave scenarios.
Ok, try this: http://www.port389.org/docs/389ds/howto/howto-ssl.html
Generally speaking, I think that the Docs on wiki are great, there are
lots of 'howtos' there and all helpful links to extensive RHEL
documentation etc...
But I think, all that docs can be (IMHO) overwhelming if an LDAP newb
comes 1st here and needs a 'quick' way to get the 'overall picture' and
to start playing with it. There is so much detailed stuff here (which
is good) but where to start 1st? :-)
But I don't want to criticize or something, as it is an 'easy road' and
I appreciate all the hard work the community does!
I think, if we had a kind of 'learn by example' guide, where there
would be shown a fast way how to set up the 389-ds on Fedora or RHEL on a
*real life-like scenario*, it would be very helpful for LDAP newbs
(just like me) :-).
Contributions are welcome.
There you would go through install/configure/ and 1st administrative
steps quickly with links to other extensive documents at wiki (for
detail reading in case ldap newb has no clue)...
That's sort of what freeipa.org is for - to greatly simplify the
installation, configuration, and maintenance of 389 when used in
conjunction with SSL, Kerberos, DNS, and Windows.
Thank you guys, you all rock! :-)
Karel
>> So as conclusion, script is OK for testing purposes and quick server
>> setups, but not really for live or more complicated scenarios.
>>
>> But anyway kudos to anyone who wrote it, because I 'gutted' it in
>> order to better understand the whole process.
If the documentation needs to be made more clear that the intention of
setupssl2.sh is for demo/testing purposes only, please let us know.
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
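The point Rich makes above (a single-server self-signed script cannot cover replication partners; each server needs a certificate issued by a CA they all trust) can be shown with a small private CA. The script below is an added example, not part of this thread and not code from setupssl2.sh or the 389-ds project; it uses openssl rather than the NSS certutil tooling 389-DS actually stores its certificates in, and the hostnames ldap1/ldap2/ldap3.example.test are constructed placeholders. It issues one CA-signed certificate per replica, produces one self-signed certificate of the kind a single-server script makes, and checks which of them verify against a shared trust anchor.

```shell
#!/bin/sh
# Added example (not from the thread or from setupssl2.sh): a small private CA
# built with openssl that issues one certificate per replica, so every server
# can verify every other server against the same trust anchor.
# Hostnames (ldap1/ldap2/ldap3.example.test) are constructed placeholders; a
# real 389-DS deployment would import the results into its NSS database.

# make_ca DIR: create a self-signed CA key and certificate in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Lab 389-DS CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_server_cert DIR HOST: key + CSR for HOST, signed by the CA in DIR.
# The SAN must match the name replication partners connect to, and the
# leaf is marked CA:FALSE so a replica cert can never act as an issuer.
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$2" > "$1/$2.ext"
    openssl x509 -req -sha256 -days 825 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# self_signed_cert DIR HOST: what a single-server script produces, for contrast.
self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# chains_to ANCHOR CERT: returns 0 only if CERT verifies against ANCHOR
# alone (the system trust store is deliberately excluded).
chains_to() {
    openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo DIR: returns 0 only if both CA-issued replica certs chain to the CA
# while the self-signed replica cert verifies against nothing shared.
demo() {
    make_ca "$1"
    issue_server_cert "$1" ldap1.example.test
    issue_server_cert "$1" ldap2.example.test
    self_signed_cert "$1" ldap3.example.test
    chains_to "$1/ca.crt" "$1/ldap1.example.test.crt" || return 1
    chains_to "$1/ca.crt" "$1/ldap2.example.test.crt" || return 1
    # ldap3 has no anchor in common with the others: this is exactly why
    # per-server self-signed certs break peer verification between replicas.
    chains_to "$1/ca.crt" "$1/ldap3.example.test.crt" && return 1
    chains_to "$1/ldap1.example.test.crt" "$1/ldap3.example.test.crt" && return 1
    echo "ldap1 and ldap2 chain to the CA; ldap3 (self-signed) chains to nothing shared"
    return 0
}

demo "$(mktemp -d)"
```

The CA key produced here is the asset worth protecting: whoever holds it can mint a certificate any replica will accept, so in practice it stays off the directory servers and only the CA certificate plus each server's own key and certificate are imported into that server's certificate database.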