[389-users] Re: SSL configuration on dynamic deployments
> On 23 May 2019, at 04:15, Angel Bosch wrote:
>
> Hi again,
>
> continuing with my automation I'm facing now the problem of SSL configuration.
>
> Using certificates at LB level is not recommended according to
> https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html
> sharing keys is also discouraged, so my question is if there is a way to
> prepopulate NSS database with a predefined cert to fast deploy an instance.
>
> In my planned setup I'll have 2 masters and 2 to 10 slaves/consumers (maybe
> more).
> It will be extremely rare to stop or reinstall masters, but with consumers I
> want the flexibility to create and destroy them at any moment.
>
> Is there any best practice here?

I think to answer this, I'd like to see a diagram or description of the network and deployment topology you have in mind to help advise for what you want to achieve here :)

> abosch
>
> --
> ___
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

--
Sincerely,

William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
[389-users] Re: referral on update equivalent with dsconf
> On 22 May 2019, at 21:23, Angel Bosch wrote:
>
> replying to myself to clarify the original doubt:
>
> executing something like this on master1 machine:
>
> dsconf master1 repl-agmt create --suffix dc=global --host slave1.example.net
> --port 389 --conn-protocol LDAP --bind-dn cn=repmanager,cn=config
> --bind-passwd --bind-method SIMPLE master1-to-slave1
>
> will create replication agreement as described in 15.2.4. of official docs
> AND will modify nsslapd-state and nsslapd-referral on slave1 as described in
> 15.2.2. so you don't need to manually perform that last step on consumers.

Yep, that sounds correct.

> and I would like to note too that enabling replication with dsconf will also
> create replication manager if you specify --bind-passwd so you save an extra
> step.
> the command should be something like this:
>
> dsconf master1 replication enable --suffix dc=global --role master
> --replica-id 666 --bind-dn "cn=repmanager,cn=config" --bind-passwd YYY

Ah, that's also a surprise but glad that it works ...

> I'll leave all this here just in case any other script lover needs to modify
> their recipes.
>
> that being said, I love those new tools! they can need some polishing but
> dsconf and dsctl are awesome!

Really happy you like them! If you have feedback or improvements to suggest, please always let us know. :D

> good job!
>
> abosch
>
> - Original message -
>> From: "Angel Bosch"
>> To: "General discussion list for the 389 Directory server project."
>> <389-users@lists.fedoraproject.org>
>> Sent: Wednesday, 22 May 2019 9:32:30
>> Subject: [389-users] Re: referral on update equivalent with dsconf
>>
>>> which is why the cli tools were misleading you here sadly. I think
>>> we as a team, need to review and understand what happened here to
>>> cause them to mislead a person about their function. :(
>>>
>>> Sorry that this confusion occurred. Does my answer help?
>>>
>>
>> sure! your answers are always very deep and insightful.
>>
>> for me the main problem is that new DS 1.4 is right here but docs are
>> still about 1.3 and I'm trying to translate my scripts and recipes.
>>
>> I was using some kind of old wrappers to install, configure and
>> launch my instances and I'm struggling with new tools.
>>
>> that being said, I love those new tools! they can need some polishing
>> but dsconf and dsctl are awesome!
>>
>> keep it this way guys!
>>
>> abosch

--
Sincerely,

William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
[389-users] SSL configuration on dynamic deployments
Hi again,

continuing with my automation I'm facing now the problem of SSL configuration.

Using certificates at LB level is not recommended according to
https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html
sharing keys is also discouraged, so my question is if there is a way to
prepopulate NSS database with a predefined cert to fast deploy an instance.

In my planned setup I'll have 2 masters and 2 to 10 slaves/consumers (maybe more).
It will be extremely rare to stop or reinstall masters, but with consumers I want the flexibility to create and destroy them at any moment.

Is there any best practice here?

abosch
[389-users] Re: referral on update equivalent with dsconf
replying to myself to clarify the original doubt:

executing something like this on master1 machine:

dsconf master1 repl-agmt create --suffix dc=global --host slave1.example.net --port 389 --conn-protocol LDAP --bind-dn cn=repmanager,cn=config --bind-passwd --bind-method SIMPLE master1-to-slave1

will create replication agreement as described in 15.2.4. of official docs AND will modify nsslapd-state and nsslapd-referral on slave1 as described in 15.2.2. so you don't need to manually perform that last step on consumers.

and I would like to note too that enabling replication with dsconf will also create replication manager if you specify --bind-passwd so you save an extra step.
the command should be something like this:

dsconf master1 replication enable --suffix dc=global --role master --replica-id 666 --bind-dn "cn=repmanager,cn=config" --bind-passwd YYY

I'll leave all this here just in case any other script lover needs to modify their recipes.

good job!

abosch

- Original message -
> From: "Angel Bosch"
> To: "General discussion list for the 389 Directory server project."
> <389-users@lists.fedoraproject.org>
> Sent: Wednesday, 22 May 2019 9:32:30
> Subject: [389-users] Re: referral on update equivalent with dsconf
>
> > which is why the cli tools were misleading you here sadly. I think
> > we as a team, need to review and understand what happened here to
> > cause them to mislead a person about their function. :(
> >
> > Sorry that this confusion occurred. Does my answer help?
> >
>
> sure! your answers are always very deep and insightful.
>
> for me the main problem is that new DS 1.4 is right here but docs are
> still about 1.3 and I'm trying to translate my scripts and recipes.
>
> I was using some kind of old wrappers to install, configure and
> launch my instances and I'm struggling with new tools.
>
> that being said, I love those new tools! they can need some polishing
> but dsconf and dsctl are awesome!
>
> keep it this way guys!
>
> abosch
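An added check, not from this thread and not part of the 389-DS tooling, for the claim in the message above that `repl-agmt create` switches the consumer to "referral on update": it parses an LDIF export of the consumer's `cn=mapping tree,cn=config` subtree and confirms nsslapd-state and nsslapd-referral. The sample LDIF and all function names are constructed for this example; the mapping-tree entry DN form is assumed from 389-DS conventions.

```python
import base64
import re

# Constructed sample of what "ldapsearch -b 'cn=mapping tree,cn=config'" could
# return on slave1 once the repl-agmt create above has made it a consumer.
SAMPLE_CONSUMER_LDIF = """\
dn: cn="dc=global",cn=mapping tree,cn=config
objectClass: nsMappingTree
cn: "dc=global"
nsslapd-backend: globalRoot
nsslapd-state: referral on update
nsslapd-referral: ldap://master1.example.net:389/dc=global
"""

_LDIF_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

def parse_ldif(text):
    """Minimal LDIF parser: one {attr: [values]} dict per entry. Folds
    continuation lines (leading space) and decodes '::' base64 values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]  # folded continuation of previous line
            elif not raw.startswith("#"):
                lines.append(raw)
        entry = {}
        for attr, sep, val in (m.groups() for m in map(_LDIF_LINE.match, lines) if m):
            if sep == "::":
                val = base64.b64decode(val).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(val)
        entries.append(entry)
    return entries

def mapping_tree_state(ldif_text, suffix):
    """(nsslapd-state, [nsslapd-referral ...]) for the suffix, or None if absent."""
    for e in parse_ldif(ldif_text):
        if suffix.lower() in [c.strip('"').lower() for c in e.get("cn", [])]:
            return e.get("nsslapd-state", [None])[0], e.get("nsslapd-referral", [])
    return None

def refers_updates_to(ldif_text, suffix, master_host):
    """True only if state is 'referral on update' AND a referral names master_host."""
    found = mapping_tree_state(ldif_text, suffix)
    if found is None:
        return False
    state, referrals = found
    return state == "referral on update" and any(master_host in r for r in referrals)
```

Run it against a real export (`ldapsearch -LLL -b 'cn=mapping tree,cn=config'` on the consumer) after the dsconf command to confirm the 15.2.2 step really took effect before pointing clients at the new consumer.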
[389-users] Re: referral on update equivalent with dsconf
> which is why the cli tools were misleading you here sadly. I think
> we as a team, need to review and understand what happened here to
> cause them to mislead a person about their function. :(
>
> Sorry that this confusion occurred. Does my answer help?

sure! your answers are always very deep and insightful.

for me the main problem is that new DS 1.4 is right here but docs are still about 1.3 and I'm trying to translate my scripts and recipes.

I was using some kind of old wrappers to install, configure and launch my instances and I'm struggling with new tools.

that being said, I love those new tools! they can need some polishing but dsconf and dsctl are awesome!

keep it this way guys!

abosch