
List:       fedora-directory-users
Subject:    [389-users] Re: Any benefit to extracting the PEM files?
From:       Trevor Vaughan <tvaughan () onyxpoint ! com>
Date:       2021-02-11 0:54:32
Message-ID: CANs+FoUVqRJrc_G-EW9C_TE9AR5ojNEQU6QNLUmpV6Cd38DcTA () mail ! gmail ! com


Thanks. I've been using them for now, I was just hoping for an easier route.

Thanks for your help,

Trevor

On Wed, Feb 10, 2021, 7:53 PM William Brown <wbrown@suse.de> wrote:

> Sadly not. We still need NSS as the main TLS lib for accepting incoming
> connections, so we need them in the nssdb.
>
> There are a number of helpers in 'dsconf <instance> tls' to assist here
> though and it can automatically do the conversions you need.
>
> > On 11 Feb 2021, at 10:48, Trevor Vaughan <tvaughan@onyxpoint.com> wrote:
> >
> > Interesting!
> >
> > You may want to put that in the documentation.
> >
> > On a related note, is it possible to use PEM files directly instead of
> > messing about with conversions?
> >
> > Thanks,
> >
> > Trevor
> >
> > On Wed, Feb 10, 2021, 5:53 PM William Brown <wbrown@suse.de> wrote:
> >
> >
> > > On 10 Feb 2021, at 23:17, Trevor Vaughan <tvaughan@onyxpoint.com> wrote:
> > >
> > > I noticed that the server was extracting the PEM files from the
> > > keystore by default and was wondering if there was really any use for this
> > > being on by default.
> > >
> > > The relevant setting is nsslapd-extract-pemfiles.
> >
> > Yep, it's needed. Internally we use some openldap client libraries for
> > outbound connections, and they only support openssl and PEM certificates.
> > So we need to extract these at start up and feed them to the library.
> >
> >
> > >
> > > Thanks,
> > >
> > > Trevor
> > >
> > > --
> > > Trevor Vaughan
> > > Vice President, Onyx Point, Inc
> > > (410) 541-6699 x788
> > >
> > > -- This account not approved for unencrypted proprietary information --
> > > _______________________________________________
> > > 389-users mailing list -- 389-users@lists.fedoraproject.org
> > > To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> >
> > —
> > Sincerely,
> >
> > William Brown
> >
> > Senior Software Engineer, 389 Directory Server
> > SUSE Labs, Australia
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs, Australia
>


