[Fedora-directory-commits] mod_revocator/docs mod_revocator.html, 1.1, 1.2

Robert Crittenden (rcritten) fedora-directory-commits at redhat.com
Mon Oct 16 18:17:16 UTC 2006


Author: rcritten

Update of /cvs/dirsec/mod_revocator/docs
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv19588/docs

Modified Files:
	mod_revocator.html 
Log Message:
Add bit about OpenLDAP support
Include some troubleshooting documentation and a little bit more on
configuration



Index: mod_revocator.html
===================================================================
RCS file: /cvs/dirsec/mod_revocator/docs/mod_revocator.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- mod_revocator.html	5 Sep 2006 19:58:26 -0000	1.1
+++ mod_revocator.html	16 Oct 2006 18:17:14 -0000	1.2
@@ -54,7 +54,8 @@
 3.9.3 or higher<br>
   </li>
   <li>Mozilla <a href="http://www.mozilla.org/directory/csdk.html">LDAP
-SDK</a> 5.15 or higher</li>
+SDK</a> 5.15 or higher or OpenLDAP 2.2.29 or higher<br>
+  </li>
   <li>Apache development package(s)</li>
   <li><a href="http://directory.fedora.redhat.com/wiki/Mod_nss">mod_nss</a><br>
   </li>
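Review bot: the revised prerequisite line reads "5.15 or higher or OpenLDAP 2.2.29 or higher", which is hard to parse at a glance; consider phrasing it as two alternatives, e.g. "Mozilla LDAP SDK 5.15 or higher, or OpenLDAP 2.2.29 or higher". The added trailing <br> inside the <li> is also unnecessary, since the list item already ends the line.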
@@ -114,6 +115,13 @@
       <td>--with-ldapsdk-lib=PATH</td>
       <td>Mozilla LDAP SDK library directory</td>
     </tr>
+    <tr>
+      <td style="vertical-align: top;">--enable-openldap<br>
+      </td>
+      <td style="vertical-align: top;">Use OpenLDAP instead of
+the  Mozilla LDAP SDK<br>
+      </td>
+    </tr>
   </tbody>
 </table>
 <br>
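Review bot: the new --enable-openldap row does not say how it interacts with the --with-ldapsdk-lib (and related include path) options documented just above it; state whether those options are ignored when --enable-openldap is given, or document the equivalent OpenLDAP include/library path options if the configure script accepts them. Stylistically, the row uses style="vertical-align: top;" and trailing <br> tags inside the cells while the surrounding rows use plain <td>; match the existing rows for consistency.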
@@ -250,8 +258,41 @@
 <code>CRLFile http://somehost.example.com/MasterCRL.crl;60;60 </code><br>
 <code>CRLAgeCheck off </code><br>
 <code>CRLUpdateCritical off
+<br>
+</code></div>
+<h1>Operation<br>
+</h1>
+In order for the CRL to be loaded you need to trust the issuer. This is
+often issued by a separate certificate on the CA, so you may need to
+trust multiple certificates. If the CRL is signed by an unknown issuer
+or is not trusted you will get the error message:<br>
+<br>
+<code>Error updating CRL http://ca.example.com/MasterCRL.crl no subject
+: Unknown issuer for this CRL<br>
 </code><br>
-</div>
+In order to load this CRL you will need to import and trust the CA
+and/or OCSP signing certificate. Save the certificate(s) into text
+files and use the NSS certutil command to import it. Note that your
+nickname (-n) and database path (-d) may differ:<br>
+<br>
+<code>% certutil -A -n "CA" -d /etc/httpd/alias -t CT,, -a -i
+/path/to/ca.crt<br>
+</code><br>
+<code>% certutil -A -n "OCSP cert" -d /etc/httpd/alias -t CT,, -a -i
+/path/to/ocsp.crt</code><br>
+<br>
+The default Apache LogLevel is warn. This will log basic information
+about the  module and will report the first successful retrieval
+of each CRL. Subsequent retrievals are only logged in the LogLevel is
+set to debug.<br>
+<br>
+An example log is:<br>
+<br>
+<code>Successfully downloaded CRL at URL
+http://ca.example.com/MasterCRL.crl, subject = CN=Certificate
+Manager,OU=Engineering,O=Example,C=US, lastupdate = Thu Oct 12 15:39:19
+2006, nextupdate = Thu Oct 12 19:39:19 2006<br>
+Revocation subsystem initialized</code><br>
 <h1><a name="Developer_Information"></a>Developer Information </h1>
 This module uses some internals from NSS. This is normally a big no-no
 but there was no other way to get around it. As such a private copy of
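Review bot: typo in the LogLevel paragraph: "Subsequent retrievals are only logged in the LogLevel is set to debug" should read "if the LogLevel is set to debug", and "the  module" has a doubled space. In the Operation section, "This is often issued by a separate certificate on the CA" leaves "this" ambiguous; say plainly what is meant, presumably that the CRL is often signed by a separate certificate rather than the CA certificate itself, which is why more than one certificate may need to be trusted. The two certutil examples would also benefit from a sentence on what the -t CT,, trust flags grant, since a reader copying the commands will want to know what trust they are adding to the database.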
