The code changes look fine. ACK on those.
I have some questions about the changes to the man pages.
First, as mentioned on #irc, pki_security_domain_password should not be
in the example for the default CA case.
Now, I think it is important to state the context of this feature in the
man page.
This could be:
* We have a DS that talks LDAPS already, and we need to talk to this DS
using LDAPS. It has a CA cert file that is issued by some other CA.
* We want to talk to the DS using LDAPS and we want to use the CA cert
generated by this CA (once installed) to issue the SSL cert for the DS.
We do not need to talk securely during the installation. In this case,
you configure the CA using LDAP port first, and then issue an SSL cert
for the DS, install and reconfigure the CA.
* We have to talk to the DS using LDAPS and we want to use the CA cert
for this CA (once installed) to issue the SSL cert for the DS. We also
need to be able to talk securely during the installation. In this case,
you configure the DS with a temporary self-signed cert (as you described
in the man page), then install the CA and swap things out post-install.
Also, the formatting for the man page is a little weird in that the
paragraphs following your section on installing using ldaps appear to be
part of that section (when they are not). I'm talking about the
paragraph that starts:
This invocation of pkispawn creates a Tomcat instance containing a CA
running on the local machine with secure port 8443 and unsecure port
8080. ...
Actually, looking more closely, I think you inserted your section in the
wrong place.
Ade
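An added illustration of the first scenario in the review above (a DS that already speaks LDAPS with a certificate issued by some other CA). This is example shell code written for this thread, not code from the patch or from the pkispawn man page. It assumes the parameter names pki_ds_secure_connection, pki_ds_ldaps_port and pki_ds_secure_connection_ca_pem_file as documented for pkispawn; confirm them against `man pkispawn` for your version. Passwords are placeholders, and the host, port and PEM path are whatever the operator passes in. Note that the CA case deliberately has no pki_security_domain_password line, per the review.

```shell
#!/bin/sh
# Added example for the "DS already speaks LDAPS, external CA" case.
# Not part of the patch under review. Parameter names below are assumed
# from pkispawn's documentation; check `man pkispawn` before relying on them.

# Before pointing pkispawn at the DS, confirm that the DS really presents a
# certificate chaining to the CA PEM we intend to trust. Returns 0 only when
# openssl reports a clean chain verification against that file.
verify_ds_ca() {
    ds_host=$1; ds_port=$2; ca_pem=$3
    openssl s_client -connect "${ds_host}:${ds_port}" -CAfile "$ca_pem" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Emit a minimal non-interactive pkispawn config for a CA that talks to the
# DS over LDAPS and trusts the DS certificate via the external CA's PEM file.
# Password values are placeholders to be replaced by the operator.
write_ca_cfg() {
    ds_host=$1; ds_port=$2; ca_pem=$3
    cat <<EOF
[DEFAULT]
pki_instance_name=pki-tomcat
pki_admin_password=<admin-password-placeholder>
pki_client_pkcs12_password=<pkcs12-password-placeholder>
pki_ds_password=<ds-password-placeholder>
pki_ds_hostname=${ds_host}
pki_ds_secure_connection=True
pki_ds_ldaps_port=${ds_port}
pki_ds_secure_connection_ca_pem_file=${ca_pem}

[CA]
pki_security_domain_name=EXAMPLE
EOF
}

# Usage: ./this-script.sh ds.example.com 636 /path/to/ds-ca.pem > ca.cfg
# then: pkispawn -s CA -f ca.cfg
if [ $# -eq 3 ]; then
    if verify_ds_ca "$1" "$2" "$3"; then
        write_ca_cfg "$1" "$2" "$3"
    else
        echo "DS at $1:$2 does not verify against $3; not writing config" >&2
        exit 1
    fi
fi
```

The pre-check matters because pkispawn will otherwise fail partway through installation, leaving a half-configured instance to clean up; catching a wrong or stale CA PEM before the install starts is cheaper.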
On Thu, 2015-03-12 at 19:33 -0600, Matthew Harmsen wrote:
Please review the attached patch which addresses the following
issue:
* PKI TRAC Ticket #1144 - pkispawn needs option to specify ca
cert for ldap
Using my Fedora 21 laptop, I was able to successfully install and
configure a Directory Server to use LDAPS (documented procedure in
attached 'pkispawn' man page), and was able to use the exported
Directory Server CA certificate to successfully install and configure
a CA using this CA certificate in conjunction with the secure
Directory Server.
I verified that the two servers were speaking TLS by
checking /var/log/dirsrv/slapd-pki/access:
* TLS1.2 128-bit AES-GCM
Additionally, I successfully installed an OCSP subsystem into this
shared PKI instance.
For the CA, I successfully tested both non-interactive as well as
interactive modes of pkispawn.
Thanks,
-- Matt
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel