[389-users] PAM-LDAP LDAPS (Linux Login) with PAM-LDAP using a client certificate

Hello everybody and, firstly, thanks for your continued support.

I hope I've used the correct expression/jargon, i.e. PAM-LDAP?

PAM-LDAP works with LDAPS and binding with cn=Directory Manager/password hardcoded in /etc/ldap.conf - great stuff.

This was configured using the GUI '/usr/sbin/system-config-authentication' - also great stuff !

Symbolic Link pointing to the CA certificate: Q1. I've searched the web but cannot find what purpose the symbolic link serves.

----------------------------------------

# ls -toalr /etc/openldap/cacerts
-rw-r--r-- 1 root 1464 2009-03-10 12:21 authconfig_downloaded.pem
lrwxrwxrwx 1 root   25 2009-03-10 12:21 123a856c.0 -> authconfig_downloaded.pem

Client Certificate etc.

--------------------------

I'm now experimenting with client certificates and have found the following link:

http://lists.fini.net/pipermail/ldap-interop/2005-April/000421.html

and see the following example lines for the file /etc/ldap.conf:

tls_cert   /usr/share/ssl/certs/ldap.pem ($FN.pem in my case)
tls_key    /usr/share/ssl/certs/ldap.key.pem ($FN.key for me)

Q2. ldap.key.pem: Is this file simply the $FN.key file created by the following command?

Will I have trouble if I specify '-passout'? I assume it protects the file $FN.key.
How will PAM-LDAP open the keystore if I have used a password?

openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -passout pass:<password> 0<< EOF >/dev/null 2>&1
<SNIP>

Q3. ldap.pem: Is this file simply the $FN.pem file created by the following command?

openssl ca -in ${FN}.csr -out ${FN}.pem -days 7300 -keyfile $DIR/demoCA/private/cakey.pem \
        -cert $DIR/demoCA/cacert.pem \
        -passin pass:<CA PASSWORD> << EOF2 >/dev/null 2>&1
<SNIP>

Thanks again, cdlt,

-----------
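
Added example (not part of the post above, and not code from 389 or pam_ldap): two defender-side checks for the questions raised. Q1: OpenSSL finds a CA in a tls_cacertdir-style directory by looking for a link named <subject-hash>.N, so the first function verifies that each CA file has such a link and that the link really points at that CA. Q2: a key written with -passout carries an ENCRYPTED marker and needs a passphrase when loaded, which an unattended PAM/NSS lookup cannot supply, so the second function flags it. Assumes OpenSSL 1.0 or newer (-subject_hash; older releases used a different hash, still available as -subject_hash_old); the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: sanity checks for a pam_ldap/nss_ldap TLS client setup.
# Assumes OpenSSL 1.0 or newer (-subject_hash). Paths below are placeholders.

# Succeed (0) if DIR holds a <subject-hash>.N link whose target is CERT,
# which is how OpenSSL locates a CA inside a tls_cacertdir directory.
check_cacert_link() {
    dir=$1 cert=$2
    hname=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null) || return 1
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$cert" 2>/dev/null)
    for link in "$dir/$hname".[0-9]*; do
        [ -e "$link" ] || continue      # glob did not match, or dangling link
        # Compare fingerprints so a link that points at a *different* CA
        # (stale after a CA rollover) is reported as well.
        got=$(openssl x509 -noout -fingerprint -sha256 -in "$link" 2>/dev/null)
        [ -n "$got" ] && [ "$got" = "$want" ] && return 0
    done
    return 1
}

# Report every *.pem in DIR that lacks a correct hash link; non-zero if any.
check_cacerts_dir() {
    rc=0
    for cert in "$1"/*.pem; do
        [ -f "$cert" ] || continue
        if check_cacert_link "$1" "$cert"; then
            echo "ok      $cert"
        else
            echo "MISSING $cert (fix: openssl rehash $1, or c_rehash $1)"; rc=1
        fi
    done
    return $rc
}

# Succeed (0) if KEY is stored unencrypted. A key produced with -passout has
# an ENCRYPTED marker (Proc-Type header or PKCS#8 "ENCRYPTED PRIVATE KEY")
# and needs a passphrase at load time, which nobody is there to type when
# PAM/NSS open it.
key_is_unencrypted() {
    [ -r "$1" ] || return 1
    ! grep -q ENCRYPTED "$1"
}

# Example usage (placeholder paths):
#   check_cacerts_dir /etc/openldap/cacerts
#   key_is_unencrypted /etc/openldap/client.key || echo "key is passphrase-protected"
```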