DATE | TIME | WHERE |
---|---|---|
2010-10-14 | From 09:00 to 21:00 UTC (5am -> 5pm EDT) | #fedora-test-day (webirc) |
What to test?
Today's installment of Fedora Test Day focuses on OpenLDAP with TLS encryption. OpenLDAP in Fedora 14 uses Mozilla NSS instead of OpenSSL as its crypto backend. The change should be invisible to users, but to be sure we want to test as many programs that use the OpenLDAP client library (libldap) as possible.
Who's available
The following cast of characters will be available for testing, workarounds, bug fixes, and general discussion ...
- Development - Jan Zeleny (jzeleny), Jan Vcelak (jvcelak), Rich Megginson (rmeggins)
- Quality Assurance - Ondrej Moris (omoris)
Prerequisite for Test Day
- Fedora 14 system with openldap and openldap-clients packages
- at least one of the following applications installed:
Here is the pkgdb link to get the list of packages which require the openldap library:
TODO: a list of openldap-depending packages
How to test?
Choose one of the applications in the list above and mark it on this page by putting "(taken)" in front of the list item. Then perform some testing. Below are tables of features that might be tested: they list common OpenLDAP based applications and the TLS options each one uses, as supported by its configuration file (ldap.conf and friends). If your application uses OpenLDAP and can be configured to use TLS/SSL, it will probably have similar configuration options.
- Application: OpenLDAP command line tools - ldapsearch, ldapmodify, et. al.
- Default config file: /etc/openldap/ldap.conf, ~/.ldaprc
- see man ldap.conf for more information
- Use the -Z or -ZZ command line option to use StartTLS with ldap:// URIs (-Z issues StartTLS but continues in the clear if it fails; -ZZ requires it to succeed)
Config option | Description | Example |
---|---|---|
URI | LDAP URI - use ldaps:// for LDAPS, or use ldap:// with -Z cmd line flag for starttls | ldaps://ldap.example.com:636/ |
TLS_CACERT | Full path and filename of file containing CA certificates to use (PEM) | /etc/pki/tls/certs/ca-bundle.crt |
TLS_CACERTDIR | Full path name of directory containing CA certificates in separate files; with the Mozilla NSS backend this may also be the directory of an NSS certificate database | /etc/openldap/cacerts |
TLS_CERT | Full path name and file name of client cert file, or (NSS backend) the nickname of a certificate in the NSS database | /home/user/myusercert.pem |
TLS_KEY | Full path name and file name of cert private key file - must be unencrypted; when TLS_CERT is an NSS nickname, the path of a file holding the key database password | /home/user/myuserkey.pem |
TLS_CIPHER_SUITE | Specifies TLS cipher suites to use | HIGH:MEDIUM:+SSLv3 |
TLS_REQCERT | Specifies what checks to perform on server certs: never, allow, try or demand (the default). Only demand (also spelled hard) fails the connection on a missing or unverifiable certificate; the others are for debugging only | demand |
- Application: OpenLDAP server
- Default config file: /etc/openldap/slapd.d/cn=config.ldif
- see man slapd-config for more information
- slapd does not take -Z/-ZZ: once the olcTLS* attributes below are set, StartTLS is offered on ldap:// listeners automatically. For LDAPS the server must also listen on an ldaps:/// URL (slapd -h "ldap:/// ldaps:///"; on Fedora the listener URLs are set in /etc/sysconfig/ldap)
Config option | Description | Example |
---|---|---|
olcTLSCACertificateFile | Full path and filename of file containing CA certificates to use | /etc/pki/tls/certs/ca-bundle.crt |
olcTLSCACertificatePath | Full path name of directory containing CA certificates in separate files | /etc/openldap/cacerts |
olcTLSCertificateFile | Full path name and file name of server cert file | /home/user/myusercert.pem |
olcTLSCertificateKeyFile | Full path name and file name of server private key file - must be unencrypted and readable only by the user slapd runs as | /home/user/myuserkey.pem |
olcTLSCipherSuite | Specifies TLS cipher suites to use | HIGH:MEDIUM:+SSLv3 |
olcTLSVerifyClient | Specifies what checks to perform on incoming client certs: never, allow, try or demand. demand rejects any client that does not present a valid certificate, so use it only when testing client cert (SASL/EXTERNAL) authentication | demand |
- Application: pam_ldap/nss_ldap
- Default config file: /etc/ldap.conf
- see man nss_ldap and man pam_ldap for more information
- These modules are loaded by other processes, so the -Z/-ZZ flags do not apply; StartTLS with ldap:// URIs is selected with the ssl start_tls option (see the table below)
Config option | Description | Example |
---|---|---|
uri | LDAP URI - use ldaps:// for LDAPS, or use ldap:// with ssl start_tls option (see below) | uri ldaps://ldap.example.com:636/ |
ssl on,off,start_tls | off - no TLS ; on - use LDAPS ; start_tls - use LDAP with the StartTLS operation (recommended) | ssl start_tls |
tls_cacertfile | Full path and filename of file containing CA certificates to use | tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt |
tls_cacertdir | Full path name of directory containing CA certificates in separate files | tls_cacertdir /etc/openldap/cacerts |
tls_cert | Full path name and file name of client cert file for client cert auth (SASL/EXTERNAL) | tls_cert /path/to/myusercert.pem |
tls_key | Full path name and file name of client cert private key file - must be unencrypted | tls_key /path/to/myuserkey.pem |
tls_ciphers | Specifies TLS cipher suites to use | tls_ciphers HIGH:MEDIUM:+SSLv3 |
tls_checkpeer yes,no | yes - verify the server certificate against the configured CA and fail if it does not verify ; no - accept any certificate | tls_checkpeer yes |
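An independent check of what the -Z/-ZZ flags, the ssl start_tls option and the TLS_REQCERT / tls_checkpeer settings in the tables above actually do on the wire. This is an added example for the test day, not code from OpenLDAP or Fedora: it speaks the StartTLS extended operation itself instead of going through libldap, which makes it a useful second opinion when a libldap client misbehaves against the NSS backend. The host name, the file name starttls_probe.py and the two sample responses are constructed for the example; probe() needs a real server, everything else runs offline.

```python
"""StartTLS probe that does not use libldap (added example, not OpenLDAP or Fedora code).

Sends the LDAPv3 StartTLS extended operation (RFC 4511, OID 1.3.6.1.4.1.1466.20037)
by hand, decodes the ExtendedResponse, then upgrades the socket with Python's ssl
module. require=True acts like ldapsearch -ZZ, require=False like -Z; reqcert
"demand"/"never" acts like TLS_REQCERT demand/never (nss_ldap tls_checkpeer yes/no).
"""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName } }."""
    assert 0 < msg_id < 0x80, "a single-octet messageID is enough for a probe"
    ext = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    op = b"\x77" + ber_len(len(ext)) + ext
    body = b"\x02\x01" + bytes([msg_id]) + op
    return b"\x30" + ber_len(len(body)) + body

def read_tlv(buf, pos=0):
    """Decode one BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                         # long form: ln & 0x7F length octets follow
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_extended_response(data):
    """Return (messageID, resultCode, errorMessage) from an ExtendedResponse LDAPMessage."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:                       # [APPLICATION 24] ExtendedResponse
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, code, pos = read_tlv(op)           # resultCode ENUMERATED
    _, _matched, pos = read_tlv(op, pos)  # matchedDN
    _, err, _ = read_tlv(op, pos)         # errorMessage (diagnostic string)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), err.decode("utf-8", "replace")

# Constructed sample responses (not captured from a real server): success, and the
# RFC 4511 protocolError (2) that a server which does not support StartTLS returns.
SAMPLE_OK = b"\x30\x24\x02\x01\x01\x78\x1f\x0a\x01\x00\x04\x00\x04\x00\x8a\x16" + STARTTLS_OID
_ERR = b"unsupported extended operation"
SAMPLE_REFUSED = b"\x30\x2a\x02\x01\x05\x78\x25\x0a\x01\x02\x04\x00\x04\x1e" + _ERR

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def recv_message(sock):
    """Read one BER-framed LDAPMessage: tag and length octets first, then the body."""
    head = recv_exact(sock, 2)
    ln = head[1]
    if ln & 0x80:
        extra = recv_exact(sock, ln & 0x7F)
        head, ln = head + extra, int.from_bytes(extra, "big")
    return head + recv_exact(sock, ln)

def probe(host, port=389, require=True, reqcert="demand", cafile=None):
    """StartTLS on host:port and report what was negotiated (needs a reachable server)."""
    sock = socket.create_connection((host, port), timeout=10)
    sock.sendall(starttls_request(1))
    _mid, code, err = parse_extended_response(recv_message(sock))
    if code != 0:
        sock.close()
        if require:                       # -ZZ: a refused StartTLS is fatal
            raise RuntimeError("StartTLS refused: resultCode %d %s" % (code, err))
        return {"starttls": False, "resultCode": code, "error": err}  # -Z: carry on
    ctx = ssl.create_default_context(cafile=cafile)  # demand: chain and host name checked
    if reqcert == "never":                # TLS_REQCERT never / tls_checkpeer no
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    tls = ctx.wrap_socket(sock, server_hostname=host)  # ssl.SSLError if demand fails
    info = {"starttls": True, "resultCode": 0, "version": tls.version(),
            "cipher": tls.cipher()[0], "peer": tls.getpeercert()}
    tls.close()
    return info

if __name__ == "__main__":
    # python3 starttls_probe.py <host> [cafile]  (host and file names are placeholders)
    print(probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it as python3 starttls_probe.py ldap.example.com /etc/pki/tls/certs/ca-bundle.crt. With reqcert="demand" an untrusted or mismatched server certificate raises ssl.SSLError, which is exactly the behaviour a client configured with TLS_REQCERT demand (or tls_checkpeer yes) must reproduce; if it connects anyway, the client is not verifying. A result with "starttls": False means the server does not offer StartTLS on that port: ldapsearch -Z would then silently go on without encryption, while -ZZ aborts, so prefer -ZZ when testing.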
You can use our prepared LDAP server for your testing:
TODO: server details (probably won't be available until the test day begins)
After you perform testing, it is important to report results. A special section, Test Results, is available. There you should write which program you tested, what was tested (i.e. which tests were performed) and what the result was. After you fill in this report, please remove the mark "(taken)" from the package list and add a new mark:
In the latter two cases a description of what went wrong should be available in the Test Results section.
Update your machine
If you're running Fedora 14, make sure you have all the current updates for it installed, using the update manager.
Kickstart / Live DVD
TODO: prepare a kickstart which might be used to install minimal Fedora 14
TODO: post here a link to the download section in case testers want to install F14 from DVD
Test Results
TODO: what do we want testers to do in case they encounter any problem? Consult it? File a bug? Just write it on the page?