On 01/14/2010 10:56 AM, Fulda, Paul R (IS) wrote:
> Hi,
>
> I am trying to configure the Password Policy for my users and read
> that you would not be able to use the Policy unless you set up SSL/TLS.

Where did you read this? SSL/TLS is not required to use the password
policy features.

> I am using 389 Server version 1.2.2. Also I am running the Server on
> Fedora 11 64 bit. All clients are also Fedora 11 64 bit.
>
> I followed the instructions in setting up SSL here at
> http://directory.fedoraproject.org/wiki/Howto:SSL
>
> I ran the setupssl2.sh script and it completed with no errors. In the
> 389 Admin Console I could see the certificates for both the Admin
> Server and DS Server in the Manage Certificates screens.
>
> Also, I do not want to use SSL for the Admin Server or the Admin
> Console. I just want to be able to use it for user authentication so
> the Password Policy works.
>
> Bottom line is that I cannot get both features (Password Policies and
> SSL) working. Any help would be greatly appreciated.
>
> Up to this point here are my questions:
>
> 1) In the Directory Server GUI from the 389 Admin Console, what
> certificate do I use to populate the Certificate field in the
> Encryption Tab?
>
> There are 3 choices it provides after running the setupssl2.sh
> script, which are CA Certificate, server-cert, and server-Cert.

The one named "Server-Cert" should be used for the Directory Server.

> 2) In the Client Authentication Block in the same Encryption Tab as
> #1 above, I have selected "Require client authentication". Is this
> correct?
>
> Is this how you force the Directory Server to use only port 636 for
> secure communications? If not, how do you do that?

No. Client authentication refers to using a client certificate to
authenticate as opposed to a bind DN and password. You most likely don't
want to do this.

If you truly want to only use port 636, you can set nsslapd-listenport to
"0", but all of your clients will be required to use LDAPS over port 636.
You should be really sure that this is what you want.

> 3) What are the differences between /etc/openldap/ldap.conf and
> /etc/ldap.conf? What are the client configurations needed to make
> this work?

/etc/openldap/ldap.conf is the OpenLDAP client config file. /etc/ldap.conf
is the config file for nss_ldap and pam_ldap.

> The only ldap.conf file that
> http://directory.fedoraproject.org/wiki/Howto:SSL talks about
> configuring is the /etc/openldap/ldap.conf file.
>
> My /etc/openldap/ldap.conf file looks like this:
>
> URI ldap://hadmina.eidev.ngc.com/
> BASE dc=eidev, dc=ngc, dc=com
> TLS_CACERT /etc/openldap/cacerts
> TLS_REQCERT allow
>
> 4) How do you get the certificate on the client machines? What I did
> was copy from the server the cacert.asc file that is located in
> /etc/dirsrv/slapd-hadmina to the client machine in the
> /etc/openldap/cacerts directory. Is this correct?
>
> Thanks and I hope there is someone out there that can help me get this
> working!
>
> Paul
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
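An added example, not code from the thread or from the 389 project, to go with questions 3 and 4 above: a small POSIX sh audit of an OpenLDAP client ldap.conf that flags the settings which leave an LDAPS connection unverified, run against a configuration shaped like the one posted and against a hardened one. It assumes (the thread does not say this) that the CA certificate is copied to the client as a single file such as /etc/openldap/cacert.asc rather than into a directory: OpenLDAP's TLS_CACERT directive names a file, TLS_CACERTDIR names a directory of hashed certificates, and TLS_REQCERT allow accepts a bad or missing server certificate. The demo creates its paths under a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from the 389 project: audit an
# OpenLDAP client ldap.conf for settings that leave LDAPS unverified, and show
# the posted-style configuration beside a hardened one.
#
# Assumptions (not stated in the original post): the server's CA certificate
# is copied to a single file /etc/openldap/cacert.asc on the client, and the
# client talks to hadmina.eidev.ngc.com on 636. The demo at the bottom uses a
# scratch directory instead of those paths so the script runs offline.

# Print the value of directive $1 from ldap.conf text on stdin.
# OpenLDAP matches directive names case-insensitively; first match wins.
conf_get() {
    awk -v key="$1" 'toupper($1) == toupper(key) { print $2; exit }'
}

# audit_ldap_conf CONFIG_TEXT
# Prints one line of space-separated findings, or "ok" when none apply:
#   plaintext-uri        URI is ldap:// (cleartext unless the client also does START_TLS)
#   reqcert-weak         TLS_REQCERT is allow/never/try: a bad or missing server cert is accepted
#   no-ca                neither TLS_CACERT nor TLS_CACERTDIR is set
#   cacert-is-directory  TLS_CACERT names a directory; a directory belongs in TLS_CACERTDIR
#   cacert-missing       TLS_CACERT names a path that does not exist on this host
audit_ldap_conf() {
    conf="$1"
    out=""
    uri=$(printf '%s\n' "$conf" | conf_get URI)
    reqcert=$(printf '%s\n' "$conf" | conf_get TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(printf '%s\n' "$conf" | conf_get TLS_CACERT)
    cacertdir=$(printf '%s\n' "$conf" | conf_get TLS_CACERTDIR)

    case "$uri" in
        ldaps://*) ;;
        *) out="$out plaintext-uri" ;;
    esac

    # OpenLDAP's default for TLS_REQCERT is demand, so an unset value is fine.
    case "$reqcert" in
        ''|demand|hard) ;;
        *) out="$out reqcert-weak" ;;
    esac

    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        out="$out no-ca"
    elif [ -n "$cacert" ]; then
        if [ -d "$cacert" ]; then
            out="$out cacert-is-directory"
        elif [ ! -f "$cacert" ]; then
            out="$out cacert-missing"
        fi
    fi

    out=${out# }
    printf '%s\n' "${out:-ok}"
}

# Demo: the shape of the posted config versus a hardened one, run against a
# scratch directory so the file/directory checks are real.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/cacerts"                                  # the directory the poster copied into
    printf 'constructed placeholder, not a real cert\n' > "$tmp/cacert.asc"  # single CA file

    weak="URI ldap://hadmina.eidev.ngc.com/
BASE dc=eidev,dc=ngc,dc=com
TLS_CACERT $tmp/cacerts
TLS_REQCERT allow"

    hardened="URI ldaps://hadmina.eidev.ngc.com:636/
BASE dc=eidev,dc=ngc,dc=com
TLS_CACERT $tmp/cacert.asc
TLS_REQCERT demand"

    echo "weak:     $(audit_ldap_conf "$weak")"
    echo "hardened: $(audit_ldap_conf "$hardened")"
    rm -rf "$tmp"
}

demo
# Expected on stdout:
#   weak:     plaintext-uri reqcert-weak cacert-is-directory
#   hardened: ok
#
# With the hardened file in place, a live check from the client (not run here):
#   ldapsearch -H ldaps://hadmina.eidev.ngc.com:636 -x -b dc=eidev,dc=ngc,dc=com -s base
# It fails with a certificate error, rather than silently connecting, when the
# CA file does not match the server's certificate.
```

Run it as-is to see both verdicts, then point the functions at the real /etc/openldap/ldap.conf contents to audit a client. The live check at the end deliberately uses an ldaps:// URI without -ZZ, since -ZZ requests START_TLS on the plaintext port and is the wrong tool once the server listens only on 636.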