Sorry for the confusion, "server clients certs" means generating certs for the client. These are the exact same steps from the Redhat manuals.
This works if I copy this cacert.asc file to my client machines. But how do I get clients on both of the two LDAP servers? As an example, if I specify both LDAP server names, say ldap01.net and ldap02.net, and one goes down, it will try to get authentication to work from the secondary one.
What I am doing is generating the cacert.asc on one server, importing it to the second server, and copying the same cacert.asc across all the client machines.
On Sat, Jan 5, 2013 at 4:37 PM, Orion Poplawski <orion@xxxxxxxxxxxxx> wrote:
On 01/04/2013 05:34 PM, Chandan Kumar wrote:
Hello All,
I was wondering if anyone could help me with this setup. I would
like to have 2 ldap servers specified on the clients using SSSD.
Without TLS/Encryption (PAD NSS) it works just fine, however, the moment
I turn on TLS/StartTLS only one server works whereas the other does not and
gives the "Certification Not trusted" error.
Here is what I did.
# Generate the CA certificate (self-signed, -2 adds the basic constraints extension)
certutil -S -n "CA certificate" -s "cn=My Org CA cert,dc=my,dc=net" -2 -x -t "CT,," -m 1000 -v 120 -d . -k rsa -f /tmp/pwdfile
# Generate Directory server clients certs (server cert signed by the CA above)
certutil -S -n "Server-Cert" -s "cn=ldap.my.net" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa -f /tmp/pwdfile
Not sure what you mean by "server clients certs" here. This is the server cert for this server. I would think the subject name should just be "ldap.my.net", but maybe this form works too. You also need to do this on your second server using its DNS name.
# Export it for ldap clients and other servers
certutil -d . -L -n "CA certificate" -a > cacert.asc
Then I imported the same cacert.asc file into the other 389 server using
"certutil", and copied it to the client as well.
I could see the certificate got imported in the GUI console, but for
some reason every time I query from the client to the secondary server (where
I imported the key) it just does not work.
Would appreciate any help. Not sure what step I am missing or what I am
doing wrong.
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion@xxxxxxxxxxxxx
Boulder, CO 80301 http://www.cora.nwra.com
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
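The thread never shows the step that actually makes the second server work: the second 389 server needs its own key and its own certificate, issued by the same CA, whose subject (and SAN) is the name the clients dial, while the clients only ever receive the CA's public certificate. The script below is an added example, not code from the thread, from 389-ds or from SSSD. It reuses the thread's nicknames ("CA certificate", "Server-Cert") and the host names ldap01.net / ldap02.net from the follow-up; the /tmp database paths, the "changeme" password, the serial numbers, the CSR-based signing flow and the SAN extension are my additions. Rather than running `certutil -S` on each server (which would require copying the CA private key around), each server generates a CSR in its own NSS database, the CA host signs it, and only the signed certificate and the CA certificate travel back. The `sssd_ldap_conf` function prints the client side: both URIs, StartTLS, the shared CA file, and `ldap_tls_reqcert = demand` so that failover to a server with a bad certificate fails closed instead of silently.

```shell
#!/bin/sh
# Added example, not code from the thread: one private CA, a separate key and
# certificate for each LDAP server (subject and SAN = the name clients dial),
# CSR-based signing so the CA private key never leaves the CA host, and the
# SSSD client settings that use both servers. Host names ldap01.net/ldap02.net,
# the /tmp database paths, the serials and the "changeme" password are placeholders.
set -eu

CA_NICK="CA certificate"
CA_SUBJ="cn=My Org CA cert,dc=my,dc=net"

# Subject and SAN for a server cert: must match the host name in ldap_uri,
# otherwise the client rejects the cert even though it trusts the CA.
server_subject() { printf 'cn=%s' "$1"; }
server_san() { printf 'dns:%s' "$1"; }

# SSSD client fragment: both servers, StartTLS, the shared CA cert, and
# reqcert=demand so failover to a mis-issued server fails closed.
sssd_ldap_conf() {
  printf '[domain/default]\n'
  printf 'id_provider = ldap\nauth_provider = ldap\n'
  printf 'ldap_uri = ldap://%s, ldap://%s\n' "$1" "$2"
  printf 'ldap_id_use_start_tls = true\n'
  printf 'ldap_tls_cacert = %s\n' "$3"
  printf 'ldap_tls_reqcert = demand\n'
}

# Empty NSS database plus the password file and noise file certutil needs
# to run without prompting.
new_db() {
  mkdir -p "$1"
  printf 'changeme\n' > "$1/pwdfile"
  dd if=/dev/urandom of="$1/noise" bs=1024 count=1 2>/dev/null
  certutil -N -d "$1" -f "$1/pwdfile"
}

# Self-signed CA on the CA host. -2 asks three questions (is CA? path length?
# critical?); the answers are fed on stdin. Only the public cert is exported.
make_ca() {
  printf 'y\n\ny\n' | certutil -S -d "$1" -f "$1/pwdfile" -z "$1/noise" \
    -n "$CA_NICK" -s "$CA_SUBJ" -x -t "CT,," -m 1000 -v 120 -k rsa -2
  certutil -d "$1" -L -n "$CA_NICK" -a > "$1/cacert.asc"
}

# Per-server cert: key and CSR in the server's own DB, signed in the CA DB,
# then CA cert and signed cert imported back and the chain verified for
# SSL-server use. $1 server db, $2 CA db, $3 host name, $4 serial number.
make_server_cert() {
  certutil -R -d "$1" -f "$1/pwdfile" -z "$1/noise" \
    -s "$(server_subject "$3")" -8 "$(server_san "$3")" -k rsa -a -o "$1/server.csr"
  certutil -C -d "$2" -f "$2/pwdfile" -c "$CA_NICK" -m "$4" -v 120 \
    -8 "$(server_san "$3")" -a -i "$1/server.csr" -o "$1/server.crt"
  certutil -A -d "$1" -n "$CA_NICK" -t "CT,," -a -i "$2/cacert.asc"
  certutil -A -d "$1" -n "Server-Cert" -t "u,u,u" -a -i "$1/server.crt"
  certutil -V -d "$1" -n "Server-Cert" -u V
}

if command -v certutil >/dev/null 2>&1; then
  CA=/tmp/ca-db; S1=/tmp/ldap01-db; S2=/tmp/ldap02-db
  rm -rf "$CA" "$S1" "$S2"
  new_db "$CA"; new_db "$S1"; new_db "$S2"
  make_ca "$CA"
  make_server_cert "$S1" "$CA" ldap01.net 1001
  make_server_cert "$S2" "$CA" ldap02.net 1002
  # Clients receive only cacert.asc, never a server key; this is their config.
  sssd_ldap_conf ldap01.net ldap02.net /etc/openldap/cacerts/cacert.asc
else
  echo "certutil (nss-tools) not installed; skipping the key-generation run" >&2
fi
```

The pieces that matter for the failure in the thread are the `-s`/`-8` values on the second server's request (its own name, not ldap.my.net) and the fact that the only file that leaves the CA host is `cacert.asc`. To confirm a client trusts a given server before pointing SSSD at it, run `ldapsearch -ZZ -H ldap://ldap02.net -x -b ""` with `TLS_CACERT` in ldap.conf pointing at the same cacert.asc; a name mismatch or an unsigned server cert shows up there as the same "not trusted" error SSSD reports.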