On 01/04/2013 05:34 PM, Chandan Kumar wrote:
Hello All, I was wondering if anyone could help me with this setup. I have would like to have 2 ldap servers specified on the clients using SSSD. Without TLS/Encryption (PAD NSS) it works just fine, however, the moment I turn on TLS/StratTLS only one server works whereas other does not and gives the "Certification Not trusted" error. Here what I did. certutil -S -n "CA certificate" -s "cn=My Org CA cert,dc=my,dc=net" -2 -x -t "CT,," -m 1000 -v 120 -d . -k rsa -f /tmp/pwdfile # Generate Directory server clients certs certutil -S -n "Server-Cert" -s "cn=ldap.my.net <http://ldap.my.net>" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa -f /tmp/pwdfile
Not sure what you mean by "server clients certs" here. This is the server cert for this server. I would think the subject name should just be "ldap.my.net", but maybe this form works too. You also need to do this on your second server using its DNS name.
# Export it for ldap clients and other servers certutil -d . -L -n "CA certificate" -a > cacert.asc Then I imported the same cacert.asc file to another 389 server using "certutil". And copied it at the client as well. I would see the certificate got imported in the GUI console but due to some reason everytime I query from the client to secondary server (where I imported the key) it just does not work. Would appreciate any help. Not sure what step I am using or what am I doing wrong.
-- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA/CoRA Division FAX: 303-415-9702 3380 Mitchell Lane orion@xxxxxxxxxxxxx Boulder, CO 80301 http://www.cora.nwra.com -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
