[389-devel] 389 DS nightly 2020-11-12 - 94% PASS

2020-11-11 Thread vashirov 
https://fedorapeople.org/groups/389ds/ci/nightly/2020/11/12/report-389-ds-base-2.0.1-20201112gitca8ac8e.fc32.x86_64.html
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org

[389-devel] Re: Question on cloning and replication . . .

2020-11-11 Thread William Brown 


> On 11 Nov 2020, at 12:17, Matthew Harmsen  wrote:
> 
> Everyone,
> 
> I received the following from a community member who is using Dogtag and 389:
> 
> I have 2 questions and 1 note.
> 
> Note:
> Here is an interesting thing that I noticed during CA cloning:
> When CA to be cloned has secure connection DS enabled, cloning process fails.
> None of docs:
>   • https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_Clone
>   • 
> https://github.com/dogtagpki/pki/blob/DOGTAG_10_6_BRANCH/docs/installation/Installing_CA_Clone.md
>   • 
> https://github.com/dogtagpki/pki/blob/master/docs/installation/ca/Installing_CA_Clone.md
> is covering this issue.
> Solution here is to use 
> pki_clone_replication_master_port=389
> pki_clone_replication_clone_port=389
> pki_clone_replication_security=None
> https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/server/etc/default.cfg#L255
> 
> 
> Question 1 (sorry, bit long):
> When CA is cloned both DS servers have nsslapd-referral attribute set in dn: 
> cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config entries
> so DS on vm-users4.hostname.com
> would have 
> dn: cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config
> nsslapd-referral: ldap://vm-users3.hostname.com:389/o%3Dpki-tomcat-CA
> and DS on vm-users3.hostname.com
> dn: cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config
> nsslapd-referral: ldap://vm-users4.hostname.com:389/o%3Dpki-tomcat-CA
> I wonder what is the meaning of nsslapd-referral attribute?

It's so that while the server is "offline" and receiving data, it can redirect 
clients to other nodes in the topology. 

> 
> The reason I'm asking is that I was thinking that for replication over SSL 
> maybe nsslapd-referral should be modified
> from  ldap://vm-users4.hostname.com:389/o%3Dpki-tomcat-CA
> to  ldaps://vm-users4.hostname.com:636/o%3Dpki-tomcat-CA
> but when I did this nsslapd-referral attribute was reverted to original value 
> by DS automatically,
> so I'm trying to make sure if nsslapd-referral attribute should be left 
> unchanged during enabling of SSL to DS replication?
> 
> Just in case here is a sample of all changes on both DS (hopefully, I didn't 
> miss anything to have properly configured replication over SSL):
> vm-users4.hostname.com:
> 
> dn: cn=config
> nsslapd-security: on
> 
> dn: cn=RSA,cn=encryption,cn=config
> nsSSLPersonalitySSL: slapd-vm-users4
> nsSSLToken: internal (software)
> nsSSLActivation: on
> 
> dn: cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config
> nsslapd-referral: ldap://vm-users3.hostname.com:389/o%3Dpki-tomcat-CA
> 
> dn: 
> cn=cloneAgreement1-vm-users4.hostname.com-pki-tomcat,cn=replica,cn=o\3Dpki-tomcat-CA,cn=mapping
>  tree,cn=config
> nsDS5ReplicaPort: 636
> nsDS5ReplicaTransportInfo: SSL
> 
> 
> vm-users3.hostname.com:
> 
> dn: cn=config
> nsslapd-security: on
> 
> dn: cn=RSA,cn=encryption,cn=config
> nsSSLPersonalitySSL: slapd-vm-users3
> nsSSLToken: internal (software)
> nsSSLActivation: on
> 
> dn: cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config
> nsslapd-referral: ldap://vm-users4.hostname.com:389/o%3Dpki-tomcat-CA
> 
> dn: 
> cn=masterAgreement1-vm-users4.hostname.com-pki-tomcat,cn=replica,cn=o\3Dpki-tomcat-CA,cn=mapping
>  tree,cn=config
> nsDS5ReplicaPort: 636
> nsDS5ReplicaTransportInfo: SSL

I'm not sure here, it could be a bug as we should redirect to TLS ports if 
possible, but I guess it also depends on how the client connects too . 
Generally a lot of clients don't follow referrals *anyway* so the whole this is 
a bit moot. 

> 
> 
> Question 2:
> DS has so called "SSF Restrictions" 
> (https://directory.fedoraproject.org/docs/389ds/howto/howto-use-ssf-restrictions.html}
> which may be configured by setting nsslapd-minssf attribute in cn=config 
> entry.
> Default value of nsslapd-minssf attribute is 0. W
> Minimum SSF configuration setting can be used to define the minimum level of 
> encryption that is required.
> 
> Do you know what this means?
> Should I be concerned?

SSF restrictions are a bit of a joke. You probably should leave them alone. 
They are intended to force connections to require encryption, but they don't 
actually provide meaningful security improvements since the info disclosures 
happen *before* the ssf check can kick in due to bind being the first op in any 
connection.

https://fy.blackhats.net.au/blog/html/2016/11/23/the_minssf_trap.html?highlight=minssf

A better option if you are security conscious is to set the nsslapd-port to 0 
and only use the LDAPS/TLS port (startTLS has similar issues to minssf, and 
also adds extra latency and should be avoided.).

> 
> By the way, when is set nsslapd-minssf attribute to 128, DS becomes 
> inaccessible and CA is not working.
> 
> Thanks in advance for any answers,
> -- Matt




—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
___
389-devel mailing list --

[389-devel] Please review 4428 sigsegv in chaining.

2020-11-11 Thread William Brown 
https://github.com/389ds/389-ds-base/pull/4434

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org

[389-devel] please review: PR 4433 - After a failed online import the next imports are very slow

2020-11-11 Thread Mark Reynolds 

https://github.com/389ds/389-ds-base/pull/4433

--

389 Directory Server Development Team
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org

[389-devel] Re: stable/dev branches

2020-11-11 Thread Mark Reynolds 


On 11/3/20 8:50 AM, Stanislav Levin wrote:


03.11.2020 15:58, Mark Reynolds пишет:

On 11/3/20 4:41 AM, Stanislav Levin wrote:

Hello.

Currently, I package 1.4.1 branch as the former-stable for ALTLinux.
But it is not updated since July, too stable?


1.4.x branches in upstream:

   upstream/389-ds-base-1.4.1

This is no longer being maintained

   upstream/389-ds-base-1.4.2

This branch is about to stop being maintained

   upstream/389-ds-base-1.4.3

This would be the "most" stable branch at this time.

   upstream/389-ds-base-1.4.4
   upstream/master

1.4.4 and master (2.0.0) are not "stable" and include more cutting edge
changes and features.

HTH,

Mark

It would be much appreciated such future changes will be announced at
time. I think the other distro-packagers need this information too.


We follow the Fedora release schedule:

https://fedoraproject.org/wiki/Releases?rd=Releases/

So...

F34(rawhide) --> 389-ds-base-2.0.0

F33 --> 389-ds-base-1.4.4

F32 --> 389-ds-base-1.4.3

F31 --> 389-ds-base-1.4.2

Now F31 is probably going to be EOLed sooner than later, so we will stop 
maintaining 1.4.2 at that time.



I will add something to the landing page of our wiki about this topic.

Regards,
Mark




Thank you very much!


--

389 Directory Server Development Team
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org

[389-devel] please review: PR 4431 - Do not normalize escaped spaces in a DN

2020-11-11 Thread Mark Reynolds 

https://github.com/389ds/389-ds-base/pull/4431

--

389 Directory Server Development Team
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org

[389-devel] please review: PR 4430 - Fix NULL dereference in cache_revert()

2020-11-11 Thread Mark Reynolds 

https://github.com/389ds/389-ds-base/pull/4430

--

389 Directory Server Development Team
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org