Posted to commits@whimsical.apache.org by se...@apache.org on 2021/08/08 09:49:21 UTC
[whimsy] branch master updated: More notes on LDAP config
This is an automated email from the ASF dual-hosted git repository.
sebb pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git
The following commit(s) were added to refs/heads/master by this push:
new eb84690 More notes on LDAP config
eb84690 is described below
commit eb84690484e99e0687ae20c5866da408304094ec
Author: Sebb <se...@apache.org>
AuthorDate: Sun Aug 8 10:49:14 2021 +0100
More notes on LDAP config
---
DEVELOPMENT.md | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index fab2c18..2ec88be 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -127,26 +127,35 @@ or read the [detailed MACOSX setup steps](MACOSX.md).
- `ruby -r whimsy/asf -e "puts ASF::LDAP.extract_cert"`
- `openssl s_client -connect ldap-us-ro.apache.org:636 </dev/null`
- Copy from `BEGIN` to `END` inclusive into the file `/etc/ldap/asf-ldap-client.pem`.
+ For openssl, copy from the LAST `BEGIN` to `END` inclusive into the file `/etc/ldap/asf-ldap-client.pem`.
Point to the file in `/etc/ldap/ldap.conf` with a line like the following:
``` TLS_CACERT /etc/ldap/asf-ldap-client.pem```
+ If multiple different certificates are needed, they should all be added to the same file.
+ [The option `TLS_CACERTDIR` is not used Ubuntu for example]
+
N.B. OpenLDAP on Mac OS/X uses `/etc/openldap/` instead of `/etc/ldap/`
- Adjust the paths above as necessary. Additionally ensure that
- that `TLS_REQCERT` is set to `allow`.
+ Adjust the paths above as necessary.
+ Also (on Catalina at least), macOS uses SecureTransport.
+ This means that `TLS_CACERT` is not used.
+ Instead use the `TLS_TRUSTED_CERTS` option. See: `man 5 ldap.conf`
+ This requires the certificates to have been installed into the system key chain,
+ so it is much easier to ensure that `TLS_REQCERT` is set to `allow`.
Note: the certificate is needed because the ASF LDAP hosts use a
- self-signed certificate.
+ self-signed certificate. Certificates may also be needed for test LDAP instances
+ if the CA is not in the built-in list.
Simple way to configure LDAP is:
sudo ruby -r whimsy/asf -e "ASF::LDAP.configure"
- These commands can also be used to update your configuration as
- the ASF changes LDAP servers; they are cached in your `~/.whimsy`.
+ The ASF now uses fixed names for its LDAP servers.
+ However there may be changes to the certificates from time to time.
+ If you override the defaults in the `~/.whimsy` file, you may need to adjust the settings.
-5. **Verify your configuration** by running:
+1. **Verify your configuration** by running:
`ruby examples/board.rb`
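Review bot: the new macOS advice ending in `so it is much easier to ensure that TLS_REQCERT is set to allow` recommends turning off server certificate verification without saying so; with `allow`, libldap ignores a bad or untrusted certificate on `ldap-us-ro.apache.org:636`, so an on-path attacker can impersonate the server and capture whatever the tools bind with. Suggest spelling out that trade-off in the text, keeping the keychain route (import the PEM into the system keychain, e.g. via Keychain Access or `security add-trusted-cert`, then set `TLS_TRUSTED_CERTS`) as the recommended option, and presenting `allow` as a local-development fallback only. Two smaller points in the same hunk: `[The option TLS_CACERTDIR is not used Ubuntu for example]` is missing a word (`not used on Ubuntu`), and `For openssl, copy from the LAST BEGIN to END inclusive` only makes sense if `s_client` is run with `-showcerts`; the `openssl s_client -connect ldap-us-ro.apache.org:636 </dev/null` command above prints a single certificate block, so either add `-showcerts` there or drop `LAST`.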
@@ -155,7 +164,7 @@ or read the [detailed MACOSX setup steps](MACOSX.md).
standalone server to view in a local web browser. This test script
verifies the environment used by many, but not all, Whimsy tools.
-6. **Configure mail sending** :mailbox_with_mail: (_optional_):
+2. **Configure mail sending** :mailbox_with_mail: (_optional_):
Configuration of outbound mail delivery is done through the `~/.whimsy`
file. Three examples are provided below, followed by links to where