[389-devel] Re: please review: Replication Status Message Improvements

2019-06-12 Thread Rob Crittenden
Mark Reynolds wrote:
> 
> On 6/12/19 11:41 AM, Rob Crittenden wrote:
>> Mark Reynolds wrote:
>>> http://www.port389.org/docs/389ds/design/repl-agmt-status-design.html
>> conn_error is 0 in all the examples. What would this be used for?
> Well there are two type of errors that can occur.  One is a replication
> error (missing CSN, replica busy, etc), and the other type is a
> connection/LDAP failure (can not contact server, invalid credentials, no
> such object, etc).  This is just how it's currently designed in the code,
> so I carried it forward into the JSON object.

Ok.

What about compatibility with older versions of 389-ds, particularly
tools that read replication status? Are they going to blow up with the
new status format?

rob
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org


[389-devel] Re: please review: Replication Status Message Improvements

2019-06-12 Thread Rob Crittenden
Mark Reynolds wrote:
> http://www.port389.org/docs/389ds/design/repl-agmt-status-design.html

conn_error is 0 in all the examples. What would this be used for?

Otherwise this looks ok to me. I assume we'll need to coordinate
releases with IPA so the new format can be handled properly? I guess
once the design is firmed up we can start on the IPA side and hopefully
handle both styles of messages.

rob
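The two messages above raise two points: the new status object separates connection/LDAP failures (conn_error) from replication failures, and consumers such as IPA must keep working while both the old string form and the new JSON form are in circulation. The following parser is an added example written for this thread, not lib389, 389-ds or IPA code. The only JSON field name taken from the thread is conn_error; the field names repl_error and message, and the exact "Error (N) text" shape assumed for the legacy string, are assumptions for the example.

```python
"""Normalize a 389-ds replication agreement status value.

Added example for this thread; it is not lib389, 389-ds or IPA code. It
shows how a consumer such as a monitoring script can accept both the
legacy free-text status string and the new JSON object, so that it does
not break when the server switches format. The only JSON field name taken
from the thread is ``conn_error``; ``repl_error``, ``message`` and the
exact shape of the legacy string are assumptions for this example.
"""
import json
import re

# Assumed legacy shape: "Error (<rc>) <text>", e.g.
#   Error (0) Replica acquired successfully: Incremental update succeeded
_LEGACY_RE = re.compile(r"^Error \((-?\d+)\)\s*(.*)$")


def _to_int(value):
    """The JSON fields may be numbers or numeric strings; treat junk as 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def parse_repl_status(raw):
    """Return a dict with keys: format, ok, conn_error, repl_error, message.

    conn_error carries connection/LDAP failures (cannot contact server,
    invalid credentials, ...); repl_error carries replication protocol
    failures (missing CSN, replica busy, ...). Unknown input never raises:
    it is reported as format "unknown" with ok=False so a monitor keeps
    running instead of blowing up on a format it has not seen before.
    """
    text = (raw or "").strip()
    result = {"format": "unknown", "ok": False,
              "conn_error": 0, "repl_error": 0, "message": text}

    if text.startswith("{"):
        try:
            obj = json.loads(text)
        except ValueError:
            return result               # malformed JSON: leave as unknown
        if not isinstance(obj, dict):
            return result
        result["format"] = "json"
        result["conn_error"] = _to_int(obj.get("conn_error", 0))
        result["repl_error"] = _to_int(obj.get("repl_error", 0))
        result["message"] = str(obj.get("message", ""))
    else:
        m = _LEGACY_RE.match(text)
        if not m:
            return result
        result["format"] = "legacy"
        code, message = int(m.group(1)), m.group(2)
        result["message"] = message
        # The legacy string carries a single code, so the two error classes
        # can only be told apart heuristically (assumption: the server
        # mentions "LDAP error" or "connect" for connection-level failures).
        if code != 0:
            if "LDAP error" in message or "connect" in message.lower():
                result["conn_error"] = code
            else:
                result["repl_error"] = code

    result["ok"] = result["conn_error"] == 0 and result["repl_error"] == 0
    return result


def status_summary(raw):
    """One-line classification suitable for an alert or a log line."""
    s = parse_repl_status(raw)
    if s["format"] == "unknown":
        return "UNKNOWN status format: %r" % raw
    if s["ok"]:
        return "OK (%s): %s" % (s["format"], s["message"])
    if s["conn_error"]:
        return "CONNECTION error %d: %s" % (s["conn_error"], s["message"])
    return "REPLICATION error %d: %s" % (s["repl_error"], s["message"])


if __name__ == "__main__":
    # Constructed sample values, one per format the parser understands.
    for sample in (
        '{"conn_error": 0, "repl_error": 0, "message": "Incremental update succeeded"}',
        '{"conn_error": "49", "repl_error": 0, "message": "Invalid credentials"}',
        "Error (0) Replica acquired successfully: Incremental update succeeded",
        "Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server",
        "something a future release might emit",
    ):
        print(status_summary(sample))
```

The point of never raising on unrecognized input is the compatibility question: a tool that reads the status attribute should degrade to "unknown" rather than crash when it meets a format from a newer or older server.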


[389-devel] Re: Urgent review: 49041 ssl fails to start on f24

2016-11-18 Thread Rob Crittenden
William Brown wrote:
> 
>>>> Any advice would be greatly appreciated...
>>> My curiosity is only around how William found this bug in the first
>>> place and what makes it so urgent.
>> Ok.  Thanks, Rob!  Yes, I'm curious, too. :)
> 
> Please see
> 
> https://fedorahosted.org/389/ticket/49041#comment:3
> 
> The issue is *clearly* a DS behavioural bug where we do NOT detect the
> presence of the sqlite formatted DB correctly. We then incorrectly
> create invalid BDB files, and it "masks" the SQL format  from the server
> start up.
> 
> As a result, after a server restart your certificates "vanish" and SSL
> fails to start. (They are still in key4/cert9, but key3/cert8 are broken
> and used preferentially).
> 
> That's why it's urgent ;) 

I still don't get it but I'll move the discussion to the ticket.

rob


[389-devel] Re: Urgent review: 49041 ssl fails to start on f24

2016-11-17 Thread Rob Crittenden
Noriko Hosoi wrote:
> On 11/17/2016 06:36 AM, Rob Crittenden wrote:
>> William Brown wrote:
>>> https://fedorahosted.org/389/ticket/49041
>>>
>>> https://fedorahosted.org/389/attachment/ticket/49041/0001-Ticket-49041-SSL-fails-to-start-due-to-NSS-db-versio.patch
>>>
>>>
>>> I think this should be reviewed urgently and backported. This can cause
>>> SSL to fail to start on F24 and higher without explanation.
>> key4.db and cert9.db are the sqlite databases. Does 389-ds support
>> specifying sql:/path/to/database/dir?
>>
>> rob
> 
> We have a plan to switch [1] but when we discussed in the team, we
> concluded it was not urgent.  I don't think NSS stops supporting the old
> BDB format very soon?

My question revolves around how likely this is to happen to make it
urgent. If 389-ds doesn't support sqlite databases then how are
key4/cert9 files going to end up being created? Or is sqlite now the
default format for the NSS utilities so merely using certutil would
generate them?

rob


[389-devel] Re: Urgent review: 49041 ssl fails to start on f24

2016-11-17 Thread Rob Crittenden
William Brown wrote:
> https://fedorahosted.org/389/ticket/49041
> 
> https://fedorahosted.org/389/attachment/ticket/49041/0001-Ticket-49041-SSL-fails-to-start-due-to-NSS-db-versio.patch
> 
> I think this should be reviewed urgently and backported. This can cause
> SSL to fail to start on F24 and higher without explanation. 

key4.db and cert9.db are the sqlite databases. Does 389-ds support
specifying sql:/path/to/database/dir?

rob
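The three messages above turn on one fact: key4.db/cert9.db are the SQLite-format NSS database, key3.db/cert8.db the legacy Berkeley DB one, and when the server fails to detect the SQLite files it creates invalid legacy files beside them, which are then used preferentially, so the certificates appear to vanish after a restart. The following check is an added example written for this thread, not 389-ds code. It reports which formats a directory holds and refuses a mixed directory instead of silently picking the legacy files. It recognizes the SQLite files by the 16-byte SQLite header; the legacy files are only checked for presence (assumption: no Berkeley DB magic check). The sql: and dbm: directory prefixes are the ones NSS accepts.

```python
"""Report which NSS certificate database formats a directory contains.

Added example for this thread; it is not 389-ds code. A server that does
not notice an SQLite-format NSS database (key4.db / cert9.db) may create
invalid legacy Berkeley DB files (key3.db / cert8.db) beside it and then
use the legacy files preferentially, so the certificates appear to vanish.
This check makes that mixed state visible before a restart. SQLite files
are detected by their 16-byte header; the legacy files are only checked
for presence (assumption: no Berkeley DB magic check here).
"""
import os
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"        # header of every SQLite 3 file
SQL_FILES = ("key4.db", "cert9.db")           # SQLite ("sql:") format
DBM_FILES = ("key3.db", "cert8.db")           # legacy Berkeley DB ("dbm:") format


def _is_sqlite_file(path):
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def detect_nss_db_format(dbdir):
    """Return "sql", "dbm", "both" or "none" for the NSS database in dbdir."""
    has_sql = any(_is_sqlite_file(os.path.join(dbdir, f)) for f in SQL_FILES)
    has_dbm = any(os.path.isfile(os.path.join(dbdir, f)) for f in DBM_FILES)
    if has_sql and has_dbm:
        return "both"
    if has_sql:
        return "sql"
    if has_dbm:
        return "dbm"
    return "none"


def nss_db_prefix(dbdir):
    """Return the prefixed directory a caller should hand to NSS.

    A mixed directory is refused rather than guessed at: with both formats
    present the legacy files win and the SQLite contents are masked, which
    is exactly the failure the thread describes.
    """
    fmt = detect_nss_db_format(dbdir)
    if fmt == "sql":
        return "sql:" + dbdir
    if fmt == "dbm":
        return "dbm:" + dbdir
    if fmt == "both":
        raise RuntimeError(
            "%s holds both key3/cert8 and key4/cert9; the legacy files would "
            "be used and the SQLite certificates ignored" % dbdir)
    raise RuntimeError("%s contains no NSS database" % dbdir)


def make_sample_dir(kind):
    """Create a temporary directory with constructed placeholder files.

    kind is "sql", "dbm", "both" or "none". The SQLite files carry only a
    100-byte header; the dbm files are empty, standing in for the invalid
    files the thread says the server creates. None is a usable NSS database.
    """
    dbdir = tempfile.mkdtemp(prefix="nssdb-")
    if kind in ("sql", "both"):
        for name in SQL_FILES:
            with open(os.path.join(dbdir, name), "wb") as fh:
                fh.write(SQLITE_MAGIC + b"\x00" * 84)   # pad to 100 bytes
    if kind in ("dbm", "both"):
        for name in DBM_FILES:
            open(os.path.join(dbdir, name), "wb").close()
    return dbdir


if __name__ == "__main__":
    import sys
    # Inspect the directory given on the command line, or a constructed one.
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir("both")
    print("%s: %s" % (target, detect_nss_db_format(target)))
    try:
        print(nss_db_prefix(target))
    except RuntimeError as exc:
        print("refusing to start: %s" % exc)
```

Run it against a server's certificate directory before a restart; a "both" result is the state in which the SQLite certificates are present on disk but will not be the ones the server loads.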


[389-devel] Re: Please review: 48798 All DS to offer weaker dh params optionally.

2016-04-21 Thread Rob Crittenden

William Brown wrote:
> https://fedorahosted.org/389/ticket/48798
> 
> https://fedorahosted.org/389/attachment/ticket/48798/0001-Ticket-48798-Enable-DS-to-offer-weaker-DH-params-in-.patch
> 
> https://fedorahosted.org/389/attachment/ticket/48798/0001-Ticket-48798-lib389-add-ability-to-create-nss-ca-and.patch

I don't understand why you are linking enabling weak DH params with 
enabling DHE on the server side, or are you just forcing server-side DH 
if the weak params are enabled? Is there some other switch to enable 
server-side DH too? What about managing the DH ciphers?

You should check for the existence of SSL_ENABLE_SERVER_DHE if you want 
to be able to build with older NSS.

In the second patch there is no context why creating your own CA is 
linked in any way with testing DH params, plus the "This is a trick" 
code is duplicated between the patches. I think I'd just revise the 
commit message on the second patch saying it is code to generate an RSA 
CA and leave it at that.

There is a comment that the "shipped" NSS db is broken but no 
explanation of how.

rob


Re: [389-devel] please review: Ticket 48335 - lib389 - Add support for SASL and TLS

2015-11-05 Thread Rob Crittenden
Mark Reynolds wrote:
> https://fedorahosted.org/389/ticket/48335
> 
> https://fedorahosted.org/389/attachment/ticket/48335/0001-Ticket-48335-Add-SASL-support-to-lib389.patch
> 

It looks like the only saslmethod support is gssapi. I think I'd
document that in the method header.

What about autobind? Should that be supported as well?

rob

Re: [389-devel] jss/ldapjdk source

2010-10-18 Thread Rob Crittenden
Michele Baldessari wrote:
> Hi all,
> 
> some time ago the sources for jss could be found here:
> http://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/
> 
> Now they seem to have disappeared. Anyone know if they're in some
> branch over at hg.mozilla.org?
> 
> Similar question for ldapjdk. It used to be available through the following 
> command:
> cvs -d :pserver:anonym...@cvs-mirror.mozilla.org:/cvsroot co 
> -rLDAPJavaSDK_418 DirectorySDKSourceJava
> 
> This still works, but I wonder if that is still to be considered the
> official upstream.
> 
> Thanks,

I've been complaining to the Mozilla guys for a while about the lack of 
jss tarballs and haven't gotten anywhere.

I pull jss with:

cvs -d :pserver:anonym...@cvs-mirror.mozilla.org:/cvsroot export -r 
JSS_4_2_6_RTM -d jss-4.2.6 -N mozilla/security/coreconf mozilla/security/jss

I don't know about the ldapjdk source.

rob