Hi Raimund Eimann,

On 09.07.2012 13:27, Ray wrote:
> Hi Alberto,
>
> I got it working, logical, actually:
>
> When you start out the way I did, i.e. fresh installation, then
> running setup-ds-admin.pl, then setupssl2.sh, both services (dirsrv and
> dirsrv-admin) will be restartable cleanly, i.e. they do actually run
> (see details below in my initial posting).
>
> When you then run 389-console, all you need to make sure is
>
> 1) use the fqdn you configured in /etc/hosts and setup-ds-admin.pl
> in the URI.
> 2) change from http to https in the URI string.
>
> Please try that out. It works now for me. You should be able to log
> into 389-console and populate your directory at this point.
>
> The next confusing thing (for the client side) that no one tells you
> (because it's sooo obvious?! - I don't think so...) is that there are
> two ldap.conf files to take care of:
>
> 1) /etc/openldap/ldap.conf (this one is for the openldap-clients
> [ldapsearch et al.])
> 2) /etc/pam_ldap.conf (this one takes care of the actual OS
> user/group resolution)
>
> Here are mine:
>
> /etc/openldap/ldap.conf:
>
> URI ldap://ldap.baar.intra.bbcomputing.org/
> BASE dc=bbcomputing,dc=org
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT allow
>
> /etc/pam_ldap.conf:
>
> base dc=bbcomputing,dc=org
> uri ldaps://ldap.baar.intra.bbcomputing.org/
> ssl start_tls
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
>
> Now, in both configs you see the tls_cacertdir parameter.
>
> 1) Make sure you have that directory.
> 2) After you ran setupssl.sh, you should find a certificate in
> /etc/dirsrv/slapd-<server identifier you chose in
> setup-ds-admin.pl>/cacert.asc. Copy this certificate:
> cp /etc/dirsrv/slapd-<server identifier you chose in setup-ds-admin.pl>/cacert.asc /etc/openldap/cacerts/cacert_389_ldap.pem
>
> This is not enough. The clients will only pick up certs with
> hashed filenames, so (not very prominent information in the docs
> also):
>
> 3) cd /etc/openldap/cacerts/
> 4) ln -s cacert_389_ldap.pem `openssl x509 -in cacert_389_ldap.pem -noout -hash`.0
>
> You'll need to repeat that on each and every client you plan to use.
>
> After all this, things should work. You can try
>
> id <username from your directory>
>
> and see what comes back. Alternatively you can try
>
> "getent passwd" to see all users you configured in your directory, or
> "getent group" for the groups
>
> ldapsearch -x -ZZ -h <fqdn of your ldap machine> should also work and
> return all entries as ldifs.
>
> Let me know how things are going.

I recently had the same trouble with setupssl2.sh on a RHEL 5.8 box with 389-console. Your post has been really useful to me. Everything you have mentioned in the last two posts in this topic has worked successfully for me.

Thanks so much! 389-ds rocks, as does 389-console too :)

Aero

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
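A scripted version of steps 2 to 4 from the quoted mail, added here as an example and not code from Ray or from the 389 project: it installs a CA certificate into a cacertdir and creates the hashed link, choosing the next free `.N` suffix instead of overwriting a link another CA already owns, and it includes a check that the link really resolves to the expected certificate. The certificate path and directory are arguments (the `install_ldap_ca` and `ldap_ca_linked` names are my own); the `openssl` and `cmp` invocations are standard.

```shell
#!/bin/sh
# Added example, not code from the thread or from 389-ds. Installs a CA
# certificate into an OpenLDAP cacertdir and creates the <subject-hash>.N
# link that OpenSSL-linked LDAP clients look up, the way steps 2-4 in the
# quoted mail do it by hand.
set -eu

# install_ldap_ca <cert.pem> <cacertdir>
# Copies the PEM in and links it as <hash>.N; N starts at 0 and is bumped
# when another CA already owns that slot (the numbering c_rehash uses).
# Prints the link path. Clients built against OpenSSL older than 1.0.0
# expect the hash printed by `openssl x509 -subject_hash_old` instead.
install_ldap_ca() {
    cert="$1"; dir="$2"
    name=$(basename "$cert")
    mkdir -p "$dir"
    # Refuse anything openssl cannot parse; a bad copy would leave the
    # client unable to verify the server without any obvious error.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo "not a PEM certificate: $cert" >&2; return 1; }
    cp "$cert" "$dir/$name"
    subj_hash=$(openssl x509 -in "$cert" -noout -hash)
    n=0
    while [ -e "$dir/$subj_hash.$n" ]; do
        # Same certificate already linked in this slot: reuse it.
        if cmp -s "$dir/$subj_hash.$n" "$dir/$name"; then
            echo "$dir/$subj_hash.$n"; return 0
        fi
        n=$((n + 1))
    done
    ln -s "$name" "$dir/$subj_hash.$n"
    echo "$dir/$subj_hash.$n"
}

# ldap_ca_linked <cert.pem> <cacertdir>
# Succeeds only if a hashed link in the directory resolves to a file
# identical to <cert.pem>. Worth running on every client, because with
# TLS_REQCERT allow (as in the quoted ldap.conf) a missing or wrong CA
# never fails the connection, so the mistake is otherwise invisible.
ldap_ca_linked() {
    cert="$1"; dir="$2"
    subj_hash=$(openssl x509 -in "$cert" -noout -hash)
    n=0
    while [ -e "$dir/$subj_hash.$n" ]; do
        cmp -s "$dir/$subj_hash.$n" "$cert" && return 0
        n=$((n + 1))
    done
    return 1
}
```

Run it as `install_ldap_ca /etc/dirsrv/slapd-<id>/cacert.asc /etc/openldap/cacerts` on each client, then `ldap_ca_linked` with the same arguments to confirm the link is in place.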