Re: Replication status commands seem to fail

Hi Glenn, 

In terms of security, IMHO there is not much difference:
 (on LDAPS the handshake is started when the connection is opened,
   while with startTLS it is started when receiving the 1.3.6.1.4.1.1466.20037 LDAP extended operation)
And once the handshake is completed, both connections are handled the same way until they are closed.

The main risk is that for some reason (bad configuration or user error)
 the EXT 1.3.6.1.4.1.1466.20037 operation is not sent and the bind is attempted in clear.
(Note: nsslapd-require-secure-binds prevents such a bind from succeeding, but the password has still been sent in clear ...)
That said, for replication there are not many risks once the agreements are properly configured.
 
Regards
   Pierre


On Mon, Jan 4, 2021 at 7:36 PM Glenn Morris <rgm@xxxxxxxxxxxx> wrote:

Hi,

Pierre Rogier wrote:

> The connection logs probably means that a non encrypted operation was
> attempted over SSL port.

Thanks for this. Indeed, if I replace "--port=636 --conn-protocol=LDAPS"
(from "Steps to be Performed on the Supplier" in the Red Hat docs)
with "--port=389 --conn-protocol=StartTLS" when running "repl-agmt create",
then the status command reports "Replication Status: In Synchronization"
(after the first change is synced). It leaves me wondering a bit how
secure it is though...
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx


--

389 Directory Server Development Team
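A defender-side check for the failure mode Pierre describes, added here as an illustration and not part of this thread or of 389 Directory Server itself: scan access-log lines and flag simple binds that arrived on a connection before TLS was established, whether by LDAPS at accept time or by a completed StartTLS handshake. The log lines are constructed, and the field layout (the "SSL connection from" accept line, the "TLS1.x ..." cipher line logged after the handshake, method=128 for a simple bind) is assumed from the 389 DS access log format.

```python
import re

# Constructed sample lines in the style of the 389 DS access log (layout assumed).
# conn=12 does StartTLS before binding, conn=13 is an LDAPS connection,
# conn=14 binds in clear on the plain port: the misconfiguration discussed above.
# Its BIND is rejected (err=49, as nsslapd-require-secure-binds would do), but
# the password already crossed the wire, so it must still be flagged.
SAMPLE_LOG = """\
[04/Jan/2021:19:36:00 +0000] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[04/Jan/2021:19:36:00 +0000] conn=12 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[04/Jan/2021:19:36:00 +0000] conn=12 op=0 RESULT err=0 tag=120 nentries=0 etime=0.001
[04/Jan/2021:19:36:00 +0000] conn=12 TLS1.3 128-bit AES-GCM
[04/Jan/2021:19:36:01 +0000] conn=12 op=1 BIND dn="cn=replication manager,cn=config" method=128 version=3
[04/Jan/2021:19:36:01 +0000] conn=13 fd=65 slot=65 SSL connection from 10.0.0.6 to 10.0.0.1
[04/Jan/2021:19:36:01 +0000] conn=13 TLS1.3 128-bit AES-GCM
[04/Jan/2021:19:36:01 +0000] conn=13 op=0 BIND dn="cn=replication manager,cn=config" method=128 version=3
[04/Jan/2021:19:36:02 +0000] conn=14 fd=66 slot=66 connection from 10.0.0.7 to 10.0.0.1
[04/Jan/2021:19:36:02 +0000] conn=14 op=0 BIND dn="cn=replication manager,cn=config" method=128 version=3
[04/Jan/2021:19:36:02 +0000] conn=14 op=0 RESULT err=49 tag=97 nentries=0 etime=0.001
"""

CONN_RE = re.compile(r"\] conn=(\d+) (.*)$")
BIND_RE = re.compile(r'op=\d+ BIND dn="([^"]*)" method=(\d+)')

def find_cleartext_binds(log_text):
    """Return (conn, dn) for each simple BIND that was received on a connection
    not yet protected by TLS. A connection counts as protected once the server
    logged either an LDAPS accept ("SSL connection from") or the cipher line
    that follows a completed handshake ("TLS1.x ..."), which covers StartTLS.
    The StartTLS EXT request alone is not enough: the handshake may still fail."""
    secured = set()   # connection ids on which TLS is already established
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.group(1), m.group(2)
        if rest.startswith("SSL connection from") or rest.startswith("TLS"):
            secured.add(conn)
            continue
        b = BIND_RE.search(rest)
        # method=128 is a simple bind carrying a password; skip anonymous binds (empty dn)
        if b and b.group(2) == "128" and b.group(1) and conn not in secured:
            findings.append((conn, b.group(1)))
    return findings

if __name__ == "__main__":
    for conn, dn in find_cleartext_binds(SAMPLE_LOG):
        print(f"conn={conn}: simple bind for {dn} before TLS was established")
```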
