Tuesday, October 4, 2022

[389-users] Re: Reminder - how to unsubscribe yourself


On 10/4/22 10:50, Alberto Viana wrote:
Hi Mark,
I don't think so, it says to send an email to the list hehehe
:-)

Or at least it's not clear if other links can do that, so I assume that's why everyone just sends an email.

Hmm I have no control over the wording, but that is how it's supposed to be done.  Like I said I don't mind doing it, but I don't always get around to it in a timely manner.

Thanks,
Mark


Cheers,

Alberto Viana



On Tue, Oct 4, 2022 at 11:29 AM Mark Reynolds <mareynol@redhat.com> wrote:
There have been a lot of people just sending "unsubscribe" messages to
the list.   At the bottom of every email from this list there is a link
to unsubscribe yourself.  I don't mind doing it, but it's very easy to
do it yourself.  Just a reminder...


--
Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


[389-users] Re: Reminder - how to unsubscribe yourself

Hi Mark,
I don't think so, it says to send an email to the list hehehe

Or at least it's not clear if other links can do that, so I assume that's why everyone just sends an email.

Cheers,

Alberto Viana



On Tue, Oct 4, 2022 at 11:29 AM Mark Reynolds <mareynol@redhat.com> wrote:
There have been a lot of people just sending "unsubscribe" messages to
the list.   At the bottom of every email from this list there is a link
to unsubscribe yourself.  I don't mind doing it, but it's very easy to
do it yourself.  Just a reminder...


--
Directory Server Development Team

[389-users] Reminder - how to unsubscribe yourself

There have been a lot of people just sending "unsubscribe" messages to
the list.   At the bottom of every email from this list there is a link
to unsubscribe yourself.  I don't mind doing it, but it's very easy to
do it yourself.  Just a reminder...


--
Directory Server Development Team

Monday, October 3, 2022

[389-users] Re: Fwd: 389 DS stop reponding


On 10/3/22 09:08, jfdesir wrote:


Hi,

I'm facing an issue that I can't solve.

I have recently installed two new LDAP servers (Ubuntu 18.04 / 389 DS 1.3.7.10)

First, 389-ds-base-1.3.7 is extremely old and outdated (it has not been supported in a very long time).  There are many bugs in this version.  I strongly recommend going to 389-ds-base-2.x.x which is supported.


About every 12 hours, LDAP stops responding even if the process is there.

When I do a restart, it takes a long time (so I have to kill the process).
I have 2 old 389 (version 1.3.2.16) with the same base that function very well

Is there a known bug about that?

You did not provide enough information to determine what issue you are hitting.   I suspect it is an experimental connection handler "nunc-stans", which was removed in newer versions, but that is just a wild guess.  "nunc-stans" can be turned off with a setting under cn=config (nsslapd-enable-nunc-stans: off).  Anyway, the next time it happens I suggest getting pstacks to see what the server is doing.

Regards,

Mark



Regards,




[389-users] Fwd: 389 DS stop reponding



Hi,

I'm facing an issue that I can't solve.

I have recently installed two new LDAP servers (Ubuntu 18.04 / 389 DS 1.3.7.10)

About every 12 hours, LDAP stops responding even if the process is there.

When I do a restart, it takes a long time (so I have to kill the process).
I have 2 old 389 (version 1.3.2.16) with the same base that function very well

Is there a known bug about that?


Regards,


[389-users] Re: 389ds and PKCS11 - how does 389ds read certificates/keys from p11kit?

Graham Leggett wrote:
> Hi all,
>
> 389ds as shipped by RHEL9 is linked to NSS, which in theory supports PKCS11, but in practice I can't get to work.
>
> Most specifically, when you display a 389ds NSS database using modutil, you see p11-kit-proxy (good), but it reports "There are no slots attached to this module" (bad).
>
> Has anyone got an explanation as to why this might be?
>
> [root@seawitch ~]# modutil -list -dbdir /etc/dirsrv/slapd-seawitch
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
> 1. NSS Internal PKCS #11 Module
> uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.79
> slots: 2 slots attached
> status: loaded
>
> slot: NSS Internal Cryptographic Services
> token: NSS Generic Crypto Services
> uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
>
> slot: NSS User Private Key and Certificate Services
> token: NSS Certificate DB
> uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
>
> 2. p11-kit-proxy
> library name: p11-kit-proxy.so
> uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
> slots: There are no slots attached to this module
> status: loaded
> —————————————————————————————
>
> At the very least the system and default CA databases should be visible, but alas no:
>
> [root@seawitch ~]# p11-kit list-modules
> p11-kit-trust: p11-kit-trust.so
> library-description: PKCS#11 Kit Trust Module
> library-manufacturer: PKCS#11 Kit
> library-version: 0.24
> token: System Trust
> manufacturer: PKCS#11 Kit
> model: p11-kit-trust
> serial-number: 1
> hardware-version: 0.24
> flags:
> token-initialized
> token: Default Trust
> manufacturer: PKCS#11 Kit
> model: p11-kit-trust
> serial-number: 1
> hardware-version: 0.24
> flags:
> write-protected
> token-initialized

It may be that those two tokens are treated specially in p11-kit. The
upstream would probably be able to explain that.

If, for example, you install the softhsm package then tokens are
visible. It should be the same for any other PKCS#11 device.

On vanilla F36 with DS setup using the quickstart guide.

# dnf -y install softhsm
# modutil -list -dbdir /etc/dirsrv/slapd-localhost/

Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.83
slots: 2 slots attached
status: loaded

slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

2. p11-kit-proxy
library name: p11-kit-proxy.so
uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
slots: 1 slot attached
status: loaded

slot: SoftHSM slot ID 0x0
token:
uri: pkcs11:manufacturer=SoftHSM%20project;model=SoftHSM%20v2

# /usr/bin/softhsm2-util --init-token --free --pin password --so-pin password --label "softhsm_token"
Slot 0 has a free/uninitialized token.
# certutil -L -d /etc/dirsrv/slapd-localhost/ -h all

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "softhsm_token":
Server-Cert                                                  u,u,u
Self-Signed-CA                                               CT,,

# certutil -A -d /etc/dirsrv/slapd-localhost/ -h softhsm_token -t ,, -a -i /tmp/cert -n test
# certutil -L -d /etc/dirsrv/slapd-localhost/ -h all

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "softhsm_token":
Server-Cert                                                  u,u,u
Self-Signed-CA                                               CT,,
softhsm_token:test                                           ,,

rob
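
Added example (not part of any poster's message, and not 389-ds or NSS code): a small parser for the `modutil -list` output shown in this thread that flags loaded PKCS#11 modules exposing no slots, and slots whose token label is empty as in the SoftHSM listing before `--init-token`. The function names and the two trimmed listings are this example's own.

```python
import re

# Trimmed from the two `modutil -list` listings in this thread (uri/blank lines dropped).
RHEL9_LISTING = """\
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded
         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
  2. p11-kit-proxy
         slots: There are no slots attached to this module
        status: loaded
"""
F36_SOFTHSM_LISTING = """\
  2. p11-kit-proxy
         slots: 1 slot attached
        status: loaded
         slot: SoftHSM slot ID 0x0
        token:
"""

MODULE = re.compile(r"^\s*\d+\.\s+(.+?)\s*$")   # "  2. p11-kit-proxy"
FIELD = re.compile(r"^\s*([a-z ]+):\s*(.*)$")   # "  status: loaded"

def parse_modutil_list(text):
    """Parse `modutil -list` output into [{'name', 'status', 'slots': [...]}]."""
    modules = []
    for line in text.splitlines():
        if m := MODULE.match(line):
            modules.append({"name": m.group(1), "status": None, "slots": []})
        elif modules and (f := FIELD.match(line)):
            key, value, mod = f.group(1), f.group(2).strip(), modules[-1]
            if key == "status":
                mod["status"] = value
            elif key == "slot":          # one entry per listed slot
                mod["slots"].append({"slot": value, "token": ""})
            elif key == "token" and mod["slots"]:
                mod["slots"][-1]["token"] = value
    return modules

def modules_without_slots(modules):
    """Loaded modules exposing no slot: NSS has no token to read certs/keys from."""
    return [m["name"] for m in modules if m["status"] == "loaded" and not m["slots"]]

def uninitialized_slots(modules):
    """(module, slot) pairs whose token label is empty, as seen before --init-token."""
    return [(m["name"], s["slot"]) for m in modules for s in m["slots"] if not s["token"]]
```
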

[389-users] Re: 389ds and PKCS11 - how does 389ds read certificates/keys from p11kit?

Hi Graham,

389ds relies on the NSS framework,
so IMHO the question should be how to use p11-kit-trust with NSS.

I cannot help you much on this point as your question reached the limit of my knowledge about NSS, but if no one else has a better answer here are some hints:
While looking on the web, I found several pages that may interest you:
  - https://www.dogtagpki.org/wiki/NSS_Fedora_Development
    (The contact link may help you to get a more precise answer)
  - https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules
    (And especially the "How to test" section that may interest you)

Apparently p11-kit-proxy allows you to install and use p11kit modules,
but you also have to install these modules with modutil to be able to use this feature (maybe trying to load p11-kit-trust in NSS with modutil will do the trick (but that is just a wild guess))

Good luck !
  Pierre





On Sun, Oct 2, 2022 at 7:07 PM Graham Leggett <minfrin@sharp.fm> wrote:
Hi all,

389ds as shipped by RHEL9 is linked to NSS, which in theory supports PKCS11, but in practice I can't get to work.

Most specifically, when you display a 389ds NSS database using modutil, you see p11-kit-proxy (good), but it reports "There are no slots attached to this module" (bad).

Has anyone got an explanation as to why this might be?

[root@seawitch ~]# modutil -list -dbdir /etc/dirsrv/slapd-seawitch

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.79
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
          uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
          uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
           uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
         slots: There are no slots attached to this module
        status: loaded
—————————————————————————————

At the very least the system and default CA databases should be visible, but alas no:

[root@seawitch ~]# p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.24
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.24
        flags:
               token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.24
        flags:
               write-protected
               token-initialized

Regards,
Graham


