Howard Chu
2006-Jan-11 17:50 UTC
[Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 8, Issue 15
fedora-directory-users-request@redhat.com wrote:

> Date: Tue, 10 Jan 2006 22:32:53 +0200
> From: Mike Jackson <mj@sci.fi>
> Subject: Re: [Fedora-directory-users] posixGroup location best practices
>
> Susan wrote:
>
>> Hi. Quick question, where in the tree do I stick posixGroups?
>>
>> For now, I'll be authenticating linux machines only, so every uid=gid. Should I create an OU
>> called Groups or something and put all the groups in there? Or have a uid under gid or what? How
>> do you guys do it?
>>
>
> Sure, just create some OU entry and put the group entries under that.
> That's the usual way. The reason for grouping them together is in case
> you want to restrict your search base, for efficiency and performance -
> not that it matters much in small setups.

For people migrating from traditional passwd and group databases it does make sense to keep them colocated in the directory as well. And because users and groups represent two different namespaces in Unix, it is essential to keep them separate in the directory (ou=users and ou=groups). (Contrast this with Microsoft, where users and groups all reside in the same namespace. Very annoying.)

> Date: Tue, 10 Jan 2006 21:58:07 +0100
> From: Jo De Troy <jo.de.troy@gmail.com>
> Subject: Re: [Fedora-directory-users] password history question
>
> Susan,
>
> I thought I needed the cacert line in /etc/openldap/ldap.conf to point the
> ldap client to the CA cert we trust, otherwise we might not trust the
> server certificate being signed by the CA.
>
> Thanks again,
> Jo

That's correct, you always need the CA cert on all of the servers and clients. (Unless you're using anonymous cipher suites, in which case you don't need any certs at all. But that's pretty reckless.)

--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
> > I thought I needed the cacert line in /etc/openldap/ldap.conf to point the
> > ldap client to the CA cert we trust, otherwise we might not trust the
> > server certificate being signed by the CA.
> >
> > Thanks again,
> > Jo
>
> That's correct, you always need the CA cert on all of the servers and
> clients. (Unless you're using anonymous cipher suites, in which case you
> don't need any certs at all. But that's pretty reckless.)

I have server-side, self-generated, self-signed certs. None of those certs exist on any of the clients, all my ldap traffic is ssl-encrypted over 636, no problem. Is that what you mean by "anonymous cipher suites"? If so, why is that reckless? I don't really care if the clients misrepresent themselves, I just care that the server doesn't. Perhaps I'm not understanding what you are saying....?
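The setup in the follow-up post (self-signed server certs, nothing installed on the clients) is only as safe as the client's own verification settings: in OpenLDAP that is the TLS_CACERT and TLS_REQCERT pair in /etc/openldap/ldap.conf, which decides whether a server presenting some other cert on port 636 is rejected. As an added example, not code from this thread, a small check that reads a client ldap.conf and flags the settings under which the server cert goes unverified; the directive names are those of ldap.conf(5), while both config texts and the paths in them are constructed.

```python
# Audit an OpenLDAP client ldap.conf for server-certificate verification.
# Added example, not code from this thread. Assumes the ldap.conf(5) directives
# URI, TLS_CACERT, TLS_CACERTDIR and TLS_REQCERT; both configs are constructed.

# Constructed sample matching the follow-up post: self-signed server cert,
# no CA cert on the client, verification switched off.
WEAK_CONF = """\
# /etc/openldap/ldap.conf (constructed)
BASE   dc=example,dc=com
URI    ldaps://ldap.example.com:636
TLS_REQCERT never
"""

# Constructed sample of the setup Howard Chu describes: the CA cert is on
# the client and a server cert that does not chain to it ends the session.
HARDENED_CONF = """\
BASE        dc=example,dc=com
URI         ldaps://ldap.example.com:636
TLS_CACERT  /etc/openldap/cacerts/ca.crt
TLS_REQCERT demand
"""

def parse_ldap_conf(text):
    """Map DIRECTIVE -> value; directives are case-insensitive, '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(text):
    """Return findings; an empty list means the client will verify the server cert."""
    conf = parse_ldap_conf(text)
    findings = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # ldap.conf(5) default is demand
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: the server certificate is not checked at all")
    elif reqcert == "try":
        findings.append("TLS_REQCERT try: a bad cert is rejected, but a missing one is accepted")
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: a self-signed server cert cannot be "
                        "verified without its CA installed on the client")
    for uri in conf.get("URI", "").split():
        if uri.lower().startswith("ldap://"):
            findings.append(f"{uri}: plaintext unless the application requests StartTLS")
    return findings
```

Running `audit(WEAK_CONF)` reports two findings and `audit(HARDENED_CONF)` none; the check is deliberately limited to the client-side directives the thread discusses.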