Thanks regards Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272 -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Craig White Sent: Wednesday, 5 December 2007 4:42 p.m. To: General discussion list for the Fedora Directory server project. Subject: RE: problem with cert for ssl on RHAS5 On Wed, 2007-12-05 at 16:12 +1300, Steven Jones wrote: > 8><-------- > > > > So what did I do wrong? > ---- > probably should only use uri and not host in /etc/openldap/ldap.conf > > yep, I can take that out.... > > And it's clear that > > ldap.vuw.ac.nz != cn=vuwunicvfdsm001.vuw.ac.nz (certificate) > > Sorry I fail to see it as that clear (until now you explain it anyway!) > > ....Working through the FDS/RDS documentation I seem to have failed to > notice that it clearly (if at all???) explains what cn= should equal or > indeed the setting in the ldap.conf needs to be the same....in terms of > DNS they do equal as ldap is a CNAME of vuwunicvfdsm001.... > > The advantage of using a CNAME is I can upgrade the system and to a > simple CNAME change to replace the servers.... > > Thanks, I have changed, > > #uri ldap://ldap.vuw.ac.nz/ > > To, > > uri ldap://vuwunicvfdsm001.vuw.ac.nz/ > > So I now have for /etc/openldap/ldap.conf, > > ========== > # http://www.padl.com > #URI ldap://ldap.vuw.ac.nz > base dc=vuw,dc=ac,dc=nz > pam_password md5 > BASE dc=vuw,dc=ac,dc=nz > #tls_cacertfile /etc/openldap/cacerts/ca.crt > #TLS_REQCERT allow > TLS_REQCERT never > #host ldap.vuw.ac.nz > #host vuwunicvfdsm001.vuw.ac.nz > #ssl start_tls > #nss_base_passwd ou=People,dc=vuw,dc=ac,dc=nz > #nss_base_shadow ou=People,dc=vuw,dc=ac,dc=nz > > > uri ldap://vuwunicvfdsm001.vuw.ac.nz/ > #uri ldap://ldap.vuw.ac.nz/ > ssl no > tls_cacertdir /etc/openldap/cacerts > ========= > > and a working ldapsearch, > > ldapsearch -x -ZZ '(uid=jonesst1)' > > Gives me the correct answer.... ---- just a thought (and it may be in the cert documentation for fds) sometimes you can use subjectAltName to add more names/aliases for the same system and then there isn't the collision when using the certificate. I know that the openldap client software is fine with subjectAltName entries Lastly, you probably can add to both /etc/ldap.conf and /etc/openldap/ldap.conf ssl start_tls and it should automatically use tls... ldapsearch -x '(uid=jonesst1)' would be the same as if you added -ZZ Craig -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
