Re: How to export CA certificate into client from server

On Sat, Jul 28, 2012 at 4:25 PM, fosiul alam <expertalert@xxxxxxxxx> wrote:
Hi,
Don't know how to reply on the same thread.

Just click on reply and leave the subject of the mail untouched.

but thanks for the quick reply.

It's case sensitive, so I created the cert file
and put it into the client, and configured it as documented:

/etc/openldap/ldap.conf

URI ldap://ldap-2.fosiul.lan/
BASE dc=fosiul,dc=lan
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
#TLS_CACERT /etc/openldap/cacerts/cacert.asc


and in /etc/ldap.conf
base dc=fosiul,dc=lan
uri ldap://ldap-2.fosiul.lan/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts/

#TLS_CACERT /etc/openldap/cacerts/cacert.asc
pam_password md5


You should use pam_password clear because your password is being hashed by your client system before it is sent to the Directory Server. This is not allowed, since the server would have no way to enforce its password policy against a pre-hashed password. You need to configure /etc/ldap.conf to send the clear text password to the LDAP server. You should use SSL/TLS to protect the password in transit (which you already have).


and I can see it created another file in the /etc/openldap/cacerts/ directory, like this:
5be5959f.0     ds-ca.crt

and when I do this:

id usrname

it does not find the user, and I don't see any error in /var/log/message

so it's like it's connecting to LDAP, but it does not get any information.

Do I have to say Cn="Directory Manager" somewhere in the ldap.conf file?

thanks for your help.

Fosiul

but in the client's log file


Copy the my-public-ca.asc file into /etc/openldap/cacerts:
# cp my-public-ca.asc /etc/openldap/cacerts
# cacertdir_rehash /etc/openldap/cacerts

This will create files like the ones below (check for the symlink ending in .0):

[root@atolani cacerts]# ll
total 4
lrwxrwxrwx. 1 root root  16 Apr 24 11:16 2c47a1a7.0 -> my-public-ca.asc
-rw-r--r--. 1 root root 851 Apr  9 01:13 my-public-ca.asc

Now try to run ldapsearch using -ZZ (for start_tls). Make sure you give the exact hostname which you used while creating the cert in this step:
certutil -S -n "server-cert" -s "cn=directory.example.com"

Something like this.

ldapsearch -x -ZZ -D "cn=Directory manager" -w password -h directory.example.com -b "dc=example,dc=com"

If this works, then your TLS is working. Now try to configure pam_ldap with TLS.

Regards
Arpit Tolani
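As an added example (not part of the thread, and not code from either poster), the following Python script checks the two client config files quoted above for the points raised in the reply: pam_password must not hash on the client, StartTLS must be on for an ldap:// URI, and a CA trust anchor must be configured. It also checks TLS_REQCERT, whose value "allow" in the posted /etc/openldap/ldap.conf means a bad or missing server certificate is ignored, so the CA file copied into cacerts is not actually enforced. The config text is a constructed copy of the lines from the thread; the "fixed" variants, the assumed default of TLS_REQCERT demand (per ldap.conf(5)) and the handling of tls_checkpeer are this example's assumptions.

```python
"""Lint nss_ldap/pam_ldap /etc/ldap.conf and OpenLDAP /etc/openldap/ldap.conf
text for the settings discussed in the thread. Added example; the config
strings below are constructed copies of the lines posted on the list."""

# /etc/ldap.conf (nss_ldap/pam_ldap) as posted in the thread (constructed)
PAM_LDAP_CONF = """\
base dc=fosiul,dc=lan
uri ldap://ldap-2.fosiul.lan/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts/
#TLS_CACERT /etc/openldap/cacerts/cacert.asc
pam_password md5
"""

# /etc/openldap/ldap.conf (OpenLDAP client library) as posted (constructed)
OPENLDAP_CONF = """\
URI ldap://ldap-2.fosiul.lan/
BASE dc=fosiul,dc=lan
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
#TLS_CACERT /etc/openldap/cacerts/cacert.asc
"""

# Corrected variants (assumption: this is how the reply's advice is applied)
FIXED_PAM_LDAP_CONF = PAM_LDAP_CONF.replace("pam_password md5", "pam_password clear")
FIXED_OPENLDAP_CONF = OPENLDAP_CONF.replace("TLS_REQCERT allow", "TLS_REQCERT demand")


def parse_conf(text):
    """Return {keyword_lowercase: value} for non-comment lines.
    Keywords are case-insensitive in both files; the last occurrence wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_pam_ldap(conf):
    """Findings (key, message) for the nss_ldap/pam_ldap file."""
    findings = []
    pw = conf.get("pam_password", "").lower()
    # The reply's point: a value hashed by the client defeats the server's
    # password policy. 'clear' sends it over TLS; 'exop' (Password Modify
    # extended op) likewise leaves hashing to the server.
    if pw not in ("clear", "exop"):
        findings.append(("pam_password",
                         "'%s' hashes on the client; use 'clear' over TLS" % (pw or "unset")))
    uri = conf.get("uri", "").lower()
    ssl = conf.get("ssl", "no").lower()
    if uri.startswith("ldap://") and ssl != "start_tls":
        findings.append(("ssl", "ldap:// URI without 'ssl start_tls' binds in cleartext"))
    if not (conf.get("tls_cacertdir") or conf.get("tls_cacertfile")):
        findings.append(("tls_cacertdir", "no CA trust anchor configured"))
    # Assumption: only flag an explicit 'no'; the default varies by build.
    if conf.get("tls_checkpeer", "").lower() == "no":
        findings.append(("tls_checkpeer", "server certificate is not verified"))
    return findings


def check_openldap(conf):
    """Findings (key, message) for the OpenLDAP client library file."""
    findings = []
    # ldap.conf(5): 'never' skips the check and 'allow' ignores a bad
    # certificate; the default, 'demand', rejects it.
    reqcert = conf.get("tls_reqcert", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(("tls_reqcert",
                         "'%s' lets a bad server certificate through; use 'demand'" % reqcert))
    if not (conf.get("tls_cacertdir") or conf.get("tls_cacert")):
        findings.append(("tls_cacertdir", "no CA trust anchor configured"))
    return findings


def report(name, findings):
    """Print one line per finding, or OK."""
    if not findings:
        print("%s: OK" % name)
    for key, msg in findings:
        print("%s: %s: %s" % (name, key, msg))


if __name__ == "__main__":
    report("/etc/ldap.conf (posted)", check_pam_ldap(parse_conf(PAM_LDAP_CONF)))
    report("/etc/openldap/ldap.conf (posted)", check_openldap(parse_conf(OPENLDAP_CONF)))
    report("/etc/ldap.conf (fixed)", check_pam_ldap(parse_conf(FIXED_PAM_LDAP_CONF)))
    report("/etc/openldap/ldap.conf (fixed)", check_openldap(parse_conf(FIXED_OPENLDAP_CONF)))
```

Run against the posted files it reports exactly two findings, pam_password md5 and TLS_REQCERT allow; the same files with pam_password clear and TLS_REQCERT demand pass clean. To run it on a real host, read the two files into the two strings instead of the constructed copies.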



--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
