| DATE | TIME | WHERE |
| 2010-10-14 | From 09:00 to 21:00 UTC (5am -> 5pm EDT) | #fedora-test-day (webirc) |
If you come to this page before or after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find at Bugzilla, and add your results to the results section. If this page is more than a month old when you arrive here, please check the current schedule and see if a similar but more recent Test Day is planned or has already happened.
What to test?
Today's installment of Fedora Test Day will focus on OpenLDAP with TLS encryption. OpenLDAP in Fedora 14 uses Mozilla NSS instead of OpenSSL crypto backend. This change should have no effect for users, but to be sure we want to test OpenLDAP server and as many programs using OpenLDAP libraries (libldap) as possible.
Who's available
The following cast of characters will be available testing, workarounds, bug fixes, and general discussion ...
- Development - Jan Zeleny (jzeleny), Jan Vcelak (jvcelak), Rich Megginson (rmeggins)
- Quality Assurance - Ondrej Moris (omoris)
Prerequisite for Test Day
- Fedora 14 system with openldap and openldap-clients packages (openldap-servers for testing the server)
- At least one of following applications installed:
Packages list
Priority 1 (the most important packages)
| Package | Taken by | Notes |
|---|---|---|
| openldap-clients | ||
| openldap-servers | ||
| am-utils | ||
| audit | ||
| autofs | ||
| krb5-workstation | ||
| nss_ldap | ||
| nss-pam-ldapd | ||
| openssh | ||
| pam_ldap | ||
| python-ldap | ||
| ruby-ldap | ||
| sssd | ||
| sudo | ||
| libuser | ||
| nfs-utils-lib | ||
| quota |
Priority 2
| Package | Taken by | Notes |
|---|---|---|
| bdii | ||
| bind-dyndb-ldap | ||
| bind | ||
| cups | ||
| curl | ||
| dhcp | ||
| dirmngr | ||
| httpd | ||
| lighttpd | ||
| mod_authz_ldap | ||
| mod_perl | ||
| mod_revocator | ||
| openvpn-auth-ldap | ||
| php | ||
| postgresql | ||
| proftpd | ||
| pure-ftpd |
Priority 3
| Package | Taken by | Notes |
|---|---|---|
| cyrus-imapd | ||
| cyrus-sasl | ||
| dbmail | ||
| dovecot | ||
| exim | ||
| freeradius | ||
| jabberd | ||
| sendmail | ||
| samba | ||
| samba4 | ||
| ocspd | ||
| pdns | ||
| postfix | ||
| ss5 | ||
| zabbix |
Priority 4
| Package | Taken by | Notes |
|---|---|---|
| activemq-cpp | ||
| apr-util | ||
| ipa | ||
| asterisk | ||
| callweaver | ||
| cluster | ||
| dspam | ||
| nagios-plugins | ||
| nufw | ||
| opal | ||
| openser | ||
| opensips | ||
| squid | ||
| virtuoso-opensource | ||
| zarafa |
Priority 5
| Package | Taken by | Notes |
|---|---|---|
| alpine | ||
| claws-mail | ||
| ekiga | ||
| evolution-exchange | ||
| evolution | ||
| GConf2 | ||
| gq | ||
| gnupg | ||
| gnupg2 | ||
| kdesvn | ||
| ldapvi | ||
| myproxy | ||
| rapidsvn | ||
| seahorse | ||
| subcommander | ||
| sylpheed | ||
| wine |
Priority 6 (the least important packages)
| Package | Taken by | Notes |
|---|---|---|
| echoping | ||
| kdebase3 | ||
| kdepimlibs | ||
| log4cxx | ||
| migrationtools | ||
| ovaldi | ||
| pathfinder | ||
| ptlib | ||
| root |
How to test?
Choose one of applications in the list above and mark it on this page by adding your name into "Taken by" column. Perform some testing. Below is a table of features what might be tested. The table lists common OpenLDAP based applications and the tls options used. The table lists some features which are supported by ldap.conf file. If your application uses OpenLDAP and is able to configure it to use TLS/SSL, you will probably have similar configuration options.
- Application: OpenLDAP command line tools - ldapsearch, ldapmodify, et. al.
- Default config file: /etc/openldap/ldap.conf, ~/.ldaprc
- see man ldap.conf for more information
- Use the -Z or -ZZ command line option to use StartTLS with ldap:// URIs
| Config option | Description | Example |
|---|---|---|
| URI | LDAP URI - use ldaps:// for LDAPS, or use ldap:// with -Z cmd line flag for starttls | ldaps://ldap.example.com:636/ |
| TLS_CACERT | Full path and filename of file containing CA certificates to use | /etc/pki/tls/certs/ca-bundle.crt |
| TLS_CACERTDIR | Full path name of directory containing CA certificates in separate files | /etc/openldap/cacerts |
| TLS_CERT | Full path name and file name of client cert file | /home/user/myusercert.pem |
| TLS_KEY | Full path name and file name of cert private key file - must be unencrypted | /home/user/myuserkey.pem |
| TLS_CIPHER_SUITE | Specifies TLS cipher suites to use | HIGH:MEDIUM:+SSLv3 |
| TLS_REQCERT | Specifies what checks to perform on server certs | demand |
- Application: OpenLDAP server
- Default config file: /etc/openldap/slapd.d/cn=config.ldif
- see man slapd-config for more information
- Use the -H command line option to have slapd listen for LDAPS requests (e.g. slapd -H ldaps://hostname ....)
| Config option | Description | Example |
|---|---|---|
| olcTLSCACertificateFile | Full path and filename of file containing CA certificates to use | /etc/pki/tls/certs/ca-bundle.crt |
| olcTLSCACertificatePath | Full path name of directory containing CA certificates in separate files | /etc/openldap/cacerts |
| olcTLSCertificateFile | Full path name and file name of server cert file | /home/user/myusercert.pem |
| olcTLSCertificateKeyFile | Full path name and file name of server private key file - must be unencrypted | /home/user/myuserkey.pem |
| olcTLSCipherSuite | Specifies TLS cipher suites to use | HIGH:MEDIUM:+SSLv3 |
| olcTLSVerifyClient | Specifies what checks to perform on incoming client certs | demand |
For OpenLDAP server, we also need to test server-to-server interactions that use TLS. For example, test replication from a server using Mozilla NSS to another server using OpenSSL using LDAPS or StartTLS. Try a back-ldap or back-meta configuration using TLS/SSL.
- Application: pam_ldap/nss_ldap
- Default config file: /etc/ldap.conf
- see man nss_ldap for more information
| Config option | Description | Example |
|---|---|---|
| uri | LDAP URI - use ldaps:// for LDAPS, or use ldap:// with ssl start_tls option (see below) | uri ldaps://ldap.example.com:636/ |
| ssl on,off,start_tls | off - no TLS ; on - use LDAPS ; start_tls - use LDAP with the StartTLS operation (recommended) | ssl start_tls |
| tls_cacertfile | Full path and filename of file containing CA certificates to use | tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt |
| tls_cacertdir | Full path name of directory containing CA certificates in separate files | tls_cacertdir /etc/openldap/cacerts |
| tls_cert | Full path name and file name of client cert file for client cert auth (SASL/EXTERNAL) | tls_cert /path/to/myusercert.pem |
| tls_key | Full path name and file name of client cert private key file - must be unencrypted | tls_key /path/to/myuserkey.pem |
| tls_ciphers | Specifies TLS cipher suites to use | tls_ciphers HIGH:MEDIUM:+SSLv3 |
| tls_checkpeer yes,no | check the server cert or no | tls_checkpeer yes |
You can use our prepared LDAP server for your testing:
Our testing servers: openldap01.fedoraproject.org - F13, openldap + OpenSSL openldap02.fedoraproject.org - F14, openldap + NSS (this is the server with new libldap, which is tested) openldap03.fedoraproject.org - F14, 389 DS
After you perform testing, it is important to report results. A special section Test Results is available. Here you should write: what program have you tested, what was tested (i.e. what tests were performed) and what was the result. After you fill this report, please add a mark into "Notes" column in package list:
- in case everything was ok
- in case there was probably something wrong
- in case the test failed
In latter two cases a description what went wrong should be available in Test Results section.
Update your machine
If you're running Fedora 14, make sure you have all the current updates for it installed, using the update manager.
Kickstart / Live DVD
There are no specifically prepared LiveCDs or LiveDVD. We recommend the testing to be done in virtual machine, using Fedora 14 net install as installation medium. You can download the image on this address:
http://download.fedoraproject.org/pub/fedora/linux/releases/test/14-Beta/Fedora/x86_64/iso/Fedora-14-Beta-x86_64-netinst.iso for x86_64 or http://download.fedoraproject.org/pub/fedora/linux/releases/test/14-Beta/Fedora/i386/iso/Fedora-14-Beta-i386-netinst.iso for i386.
If you want to download Live medium and run the testing that way, you can use one of those listed on http://fedoraproject.org/en/get-prerelease.
Testing environment
Available servers
.png){kind=small}
We are working on this right now
| server | service | package version | base DN |
|---|---|---|---|
| openldap01.fedoraproject.org | OpenLDAP + OpenSSL | openldap-servers-2.4.21-11.fc13.x86_64 | dc=silver,dc=testday |
| openldap02.fedoraproject.org | 389 Directory Server | (not installed yet) | dc=bronze,dc=testday |
| openldap03.fedoraproject.org | OpenLDAP + MozNSS | openldap-servers-2.4.22-7.fc14.x86_64 | dc=gold,dc=testday |
Download OpenLDAP Testday CA certificate (PEM format). Certificates of testing servers are signed by this CA.
How to setup your own server
- do not leave any empty lines in OpenLDAP server configuration files (everything in
/etc/openldap/slapd.d) - no olcTLS* option must be the last line in your database configuration or your server will not start (bug #641946), you can add some line with comment (
#)
- install OpenLDAP server:
yum install openldap-servers - choose and set your server base DN, e.g. dc=copper,dc=testday
- generate admin (manager) user password hash:
slappasswd - update /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif
- olcSuffix: dc=copper,dc=testday
- olcRootDN: cn=Manager,dc=copper,dc=testday
- olcRootPW: <admin-user-password-hash>
- update /etc/openldap/slapd.d/cn=config/{2}monitor.ldif
- olcAccess: {0}to * by dn.base="cn=manager,dc=copper,dc=testday" read by * non
- start your server:
service slapd start - try your serve functionality
ldapsearch -H ldap://localhost -x -b "" -s base "(objectclass=*)" namingContexts- you should get:
namingContexts: dc=copper,dc=testday
- create base nodes
- download example root DN nodes (LDIF)
- update DNs in that file
- import that file into the database:
ldapadd -x -D "cn=Manager,dc=copper,dc=testday" -W -f root.ldif
- install BDB configuration file
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_EXAMPLE
- restart your server:
service slapd restart - your server is now configured and running without TLS
- generate certificates for your server (see below)
- update
/etc/openldap/slapd.d/cn=config.ldif, add following options (customised):- olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
- olcTLSCertificateFile: /etc/openldap/certs/openldap01.pem
- olcTLSCertificateKeyFile: /etc/openldap/certs/openldap01.pem
- your server is running with TLS support
jvcelak: finish this
Generating certificates for server
jvcelak: write this
man slapd-config
Test Results
After you are finished testing, please file a testing report below. The first report can be used as an example how it should look like. If you encounter any issue, please first consult it on IRC. If it will be verified as a bug, file a bugzilla against openldap component and add a note about it to your report.
Tested program: abcd-1.5-3-fc14.x86_64
- tried against all referential servers
- tried TLS connection with and without client certificate
- all test were tun with option CDEF turned on
- all test were running fine, except one
- bug #123456 was filed
- bug #123457 was filed