From Fedora Project Wiki
| DATE | TIME | WHERE |
|---|---|---|
| 2010-10-14 | From 09:00 to 21:00 UTC (5am -> 5pm EDT) | #fedora-test-day (webirc) |

Can't make the date?
If you come to this page before or after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find at Bugzilla, and add your results to the results section. If this page is more than a month old when you arrive here, please check the current schedule and see if a similar but more recent Test Day is planned or has already happened.

What to test?

Today's installment of Fedora Test Day will focus on OpenLDAP with TLS encryption. OpenLDAP in Fedora 14 uses Mozilla NSS instead of OpenSSL as its crypto backend. This change should have no effect for users, but to be sure we want to test as many programs using the OpenLDAP libraries (libldap) as possible.

Who's available

The following cast of characters will be available for testing, workarounds, bug fixes, and general discussion:

  • Development - Jan Zeleny (jzeleny), Jan Vcelak (jvcelak), Rich Megginson (rmeggins)
  • Quality Assurance - Ondrej Moris (omoris)

Prerequisite for Test Day

  • Fedora 14 system with openldap and openldap-clients packages
  • at least one of the following applications installed:
package owner tested by notes
activemq-cpp stevetraylen
alpine joshuadf
am-utils kzak
apr-util jorton
asterisk jcollie
audit sgrubb
autofs jmoyer
bdii ellert
bind atkac
bind-dyndb-ldap mnagy
callweaver dwmw2
claws-mail awjb
cluster fabbione
cups twaugh
curl kdudka
cyrus-imapd mhlavink
cyrus-sasl jfch2222
dbmail bjohnson
dhcp jpopelka
dirmngr rdieter
dovecot mhlavink
dspam gnat
echoping ixs
ekiga pbrobinson
evolution-exchange mbarnes
evolution mbarnes
exim dwmw2
freeradius jdennis
GConf2 rstrode
gnupg bcl
gnupg2 rdieter
gq terjeros
httpd jorton
ipa rcritten
jabberd adrian
kdebase3 than
kdepimlibs than
kdesvn orion
krb5 nalin
ldapvi mcepl
libuser mitr
lighttpd thias
log4cxx mjakubicek
migrationtools jsafrane
mod_authz_ldap jorton
mod_perl jorton
mod_revocator rcritten
myproxy stevetraylen
nagios-plugins peter
nfs-utils-lib steved
nss_ldap nalin
nss-pam-ldapd nalin
nufw saispo
ocspd monnerat
opal pbrobinson
openser peter
opensips ivaxer
openssh jfch2222
openvpn-auth-ldap thias
ovaldi lkundrak
pam_ldap nalin
pathfinder icon
pdns ruben
php jorton
postfix mlichvar
postgresql tgl
proftpd thias
ptlib pbrobinson
pure-ftpd abompard
python-ldap mbarnes
quota ppisar
rapidsvn timj
root ellert
ruby-ldap stahnma
samba simo
samba4 mbarnes
seahorse tbzatek
sendmail jskarvad
squid jskala
sssd sgallagh
ss5 mricchet
subcommander s4504kr
sudo mildew
sylpheed itamarjp
virtuoso-opensource rdieter
wine awjb
zabbix sharkcz
zarafa robert

How to test?

Choose one of the applications in the list above and mark it on this page by putting "(taken)" in front of the list item. Perform some testing. Below is a table of features that might be tested. It lists common OpenLDAP-based applications and the TLS options they use, including some of the options supported by the ldap.conf file. If your application uses OpenLDAP and can be configured to use TLS/SSL, it will probably have similar configuration options.

  • Application: OpenLDAP command line tools - ldapsearch, ldapmodify, et al.
  • Default config file: /etc/openldap/ldap.conf, ~/.ldaprc
  • see man ldap.conf for more information
  • Use the -Z or -ZZ command line option to use StartTLS with ldap:// URIs

| Config option | Description | Example |
|---|---|---|
| URI | LDAP URI - use ldaps:// for LDAPS, or use ldap:// with -Z cmd line flag for starttls | ldaps://ldap.example.com:636/ |
| TLS_CACERT | Full path and filename of file containing CA certificates to use | /etc/pki/tls/certs/ca-bundle.crt |
| TLS_CACERTDIR | Full path name of directory containing CA certificates in separate files | /etc/openldap/cacerts |
| TLS_CERT | Full path name and file name of client cert file | /home/user/myusercert.pem |
| TLS_KEY | Full path name and file name of cert private key file - must be unencrypted | /home/user/myuserkey.pem |
| TLS_CIPHER_SUITE | Specifies TLS cipher suites to use | HIGH:MEDIUM:+SSLv3 |
| TLS_REQCERT | Specifies what checks to perform on server certs | demand |

  • Application: OpenLDAP server
  • Default config file: /etc/openldap/slapd.d/cn=config.ldif
  • see man slapd-config for more information
  • Use the -Z or -ZZ command line option to use StartTLS with ldap:// URIs

| Config option | Description | Example |
|---|---|---|
| olcTLSCACertificateFile | Full path and filename of file containing CA certificates to use | /etc/pki/tls/certs/ca-bundle.crt |
| olcTLSCACertificatePath | Full path name of directory containing CA certificates in separate files | /etc/openldap/cacerts |
| olcTLSCertificateFile | Full path name and file name of server cert file | /home/user/myusercert.pem |
| olcTLSCertificateKeyFile | Full path name and file name of server private key file - must be unencrypted | /home/user/myuserkey.pem |
| olcTLSCipherSuite | Specifies TLS cipher suites to use | HIGH:MEDIUM:+SSLv3 |
| olcTLSVerifyClient | Specifies what checks to perform on incoming client certs | demand |

  • Application: pam_ldap/nss_ldap
  • Default config file: /etc/ldap.conf
  • see man nss_ldap for more information
  • Use the -Z or -ZZ command line option to use StartTLS with ldap:// URIs

| Config option | Description | Example |
|---|---|---|
| uri | LDAP URI - use ldaps:// for LDAPS, or use ldap:// with ssl start_tls option (see below) | uri ldaps://ldap.example.com:636/ |
| ssl | on, off, start_tls: off - no TLS; on - use LDAPS; start_tls - use LDAP with the StartTLS operation (recommended) | ssl start_tls |
| tls_cacertfile | Full path and filename of file containing CA certificates to use | tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt |
| tls_cacertdir | Full path name of directory containing CA certificates in separate files | tls_cacertdir /etc/openldap/cacerts |
| tls_cert | Full path name and file name of client cert file for client cert auth (SASL/EXTERNAL) | tls_cert /path/to/myusercert.pem |
| tls_key | Full path name and file name of client cert private key file - must be unencrypted | tls_key /path/to/myuserkey.pem |
| tls_ciphers | Specifies TLS cipher suites to use | tls_ciphers HIGH:MEDIUM:+SSLv3 |
| tls_checkpeer | yes, no: check the server cert or not | tls_checkpeer yes |
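
A pre-flight check for the client options in the ldap.conf table above, as an added example (not part of the original wiki page or of OpenLDAP itself): it lints an ldap.conf-style file before TLS testing starts. The function names and both sample configs are constructed for illustration; the check assumes option names are case-insensitive and that an unset TLS_REQCERT means demand.

```shell
# Added example: lint an ldap.conf-style client config for weak TLS settings.
# Reads the file named in $1, or stdin; prints one finding per line, nothing if clean.
lint_ldap_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {   # option names are case-insensitive; keep the last value seen
            key = toupper($1); $1 = ""; sub(/^[ \t]+/, ""); opt[key] = $0
        }
        END {
            uri = opt["URI"]
            if (uri == "")
                print "WARN: no URI set"
            else if (uri ~ /^ldap:\/\//)
                print "WARN: ldap:// is cleartext unless StartTLS (-Z/-ZZ) is used"
            else if (uri !~ /^ldaps:\/\//)
                print "WARN: unexpected URI scheme: " uri
            has_ca = ("TLS_CACERT" in opt) || ("TLS_CACERTDIR" in opt)
            if (!has_ca)
                print "FAIL: neither TLS_CACERT nor TLS_CACERTDIR is set"
            req = tolower(opt["TLS_REQCERT"])   # unset is treated as demand
            if (req == "never" || req == "allow")
                print "FAIL: TLS_REQCERT " req " accepts unverified server certs"
            has_cert = ("TLS_CERT" in opt); has_key = ("TLS_KEY" in opt)
            if (has_cert != has_key)
                print "FAIL: TLS_CERT and TLS_KEY must be set together"
        }
    ' "${1:--}"
}

# Constructed sample input (not from a real system): a weak client config.
weak_conf() {
    cat <<'EOF'
URI ldap://ldap.example.com/
TLS_REQCERT never
TLS_CERT /home/user/myusercert.pem
EOF
}

# Constructed sample input: the example values from the ldap.conf table.
good_conf() {
    cat <<'EOF'
URI ldaps://ldap.example.com:636/
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
TLS_REQCERT demand
EOF
}

weak_conf | lint_ldap_conf   # one WARN line and three FAIL lines
```

To check a real client config, pass its path as the argument, for example `lint_ldap_conf /etc/openldap/ldap.conf`.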

You can use our prepared LDAP server for your testing:

TODO: server details (probably won't be available until the test day begins)

After you perform testing, it is important to report results. A special section, Test Results, is available. There you should write which program you tested, what was tested (i.e. what tests were performed) and what the result was. After you fill in this report, please remove the mark "(taken)" from the package list and add a new mark:

  • pass - in case everything was OK
  • warn - in case there was probably something wrong
  • fail - in case the test failed

In the latter two cases, a description of what went wrong should be available in the Test Results section.

Update your machine

If you're running Fedora 14, make sure you have all the current updates for it installed, using the update manager.

Kickstart / Live DVD

TODO: prepare a kickstart which might be used to install minimal Fedora 14
TODO: post here a link to download section in case testers want to install F14 from DVD

Test Results

TODO: what do we want testers to do in case they encounter any problem? Consult it? File a bug? Just write it on the page?