Hi Arpit,
Thanks for your detailed steps. I followed them but got the error below on the secondary LDAP server on restart.
I have copied the outputs and the steps I followed to the pastebin below.
It looks like the certificate was not imported properly, not sure why. Everywhere I have the same key, but I still get the annoying problem that my client only works with one LDAP server.
Say if I manage to make it work with ldap01, it just won't work with ldap02 and vice versa, and I get the annoying "not trusted" error. I get the same problem setting up replication over TLS. I am using SSD on the client side and give the param below.
On Sun, Jan 6, 2013 at 2:24 AM, Arpit Tolani <arpittolani@xxxxxxxxx> wrote:
Hello
How about creating one CA cert & signing all RHDS servers with the same CA?
On Sun, Jan 6, 2013 at 6:14 AM, Chandan Kumar <chandank.kumar@xxxxxxxxx> wrote:
> Sorry for the confusion, "server clients certs" means generating certs for
> clients. These are the exact same steps from the Red Hat manuals.
>
> This works if I copy this cacert.asc file to my client machines. But how to
> get clients working on both LDAP servers? As an example, if I specify both LDAP
> server names, say ldap01.net and ldap02.net, and if one goes down it will try to
> get the authentication to work from the secondary one.
>
> What I am doing is generating the cacert.asc on one server, importing
> it to the second server and copying the same cacert.asc across all the
> client machines.
>
Then all you have to do is to import only one CA in clients.
Create a CA Certificate
# certutil -S -n "CA certificate" -s "cn=CA cert,dc=directory,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 720 -d . -k rsa
Make sure you say yes to "Is this a CA certificate [y/N]?" and
everything else will be default.
Next we create your Server Cert.
Important - Make sure your cn is your FQDN of this server.
Create cert for ldap1.example.com on ldap1.example.com
# certutil -S -n "directory-Server-Cert-1" -s "cn=ldap1.example.com" -c "CA certificate" -t "u,u,u" -m 1001 -v 720 -d . -k rsa
Create cert for ldap2.example.com on ldap1.example.com
# certutil -S -n "directory-Server-Cert-2" -s "cn=ldap2.example.com" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -k rsa
Then check to make sure it looks ok
# certutil -L -n "directory-Server-Cert-2" -d .
Export keys & certs for ldap2.example.com
# pk12util -d . -o server2.p12 -n directory-Server-Cert-2
# certutil -L -d . -n "CA certificate" -a > cacert.asc
Copy the 'server2.p12' and 'cacert.asc' created above to the 2nd Red
Hat Directory Server.
Create your public ca for your clients.
# certutil -d . -L -n "CA certificate" -a > my-public-ca.asc
While logged in to the 2nd RHDS i.e. ldap2.example.com, run the following:
# service dirsrv stop
# cd /etc/dirsrv/slapd-INSTANCE2/
# mv /path/to/server2.p12 /etc/dirsrv/slapd-INSTANCE2/
# mv /path/to/cacert.asc /etc/dirsrv/slapd-INSTANCE2/
# pk12util -d . -i server2.p12
# certutil -A -d . -n "CA certificate" -t "CT,," -a -i cacert.asc
# service dirsrv start
Hope that helps.
Regards
Arpit Tolani
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
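The following script is an added example, not code from the thread or from the 389/RHDS project. It runs the procedure Arpit lays out (one self-signed CA, one server cert per FQDN signed by that CA, export with pk12util, import on the second server) in throwaway NSS databases, and then does the check the thread never shows: `certutil -V -u V` from a "client" database that trusts only cacert.asc. It also builds a self-signed ldap2 cert, the situation the question describes, and shows that the same client rejects it. Hostnames, nicknames, serials, passwords and directory names are assumptions chosen for the demo; on a real server `-f` must point at the password file of the instance's own NSS database under /etc/dirsrv/slapd-INSTANCE/.

```shell
#!/bin/sh
# Added example, not part of the original thread or of 389 Directory Server.
# Names, passwords and paths below are assumptions chosen for the demo.
set -eu

CA_NICK="CA certificate"
CA_SUBJ="cn=CA cert,dc=directory,dc=example,dc=com"
DB_PW="demo-db-password"    # constructed demo value, never reuse
P12_PW="demo-p12-password"  # constructed demo value

# Fresh NSS DB with a password file and a seed file, so certutil never
# stops to read a password or keystrokes from the terminal.
nss_init() {
    mkdir -p "$1"
    printf '%s\n' "$DB_PW" > "$1/pwdfile.txt"
    head -c 1024 /dev/urandom > "$1/noise.bin"
    certutil -N -d "$1" -f "$1/pwdfile.txt"
}

# certutil against DB $1 with that DB's password file.
cu() { d=$1; shift; certutil -d "$d" -f "$d/pwdfile.txt" "$@"; }

# Self-signed CA. -2 asks three questions (CA? path length? critical?);
# the printf answers "y", then defaults, as the thread instructs.
make_ca() {
    printf 'y\n\n\n' | cu "$1" -S -z "$1/noise.bin" -n "$CA_NICK" -s "$CA_SUBJ" \
        -2 -x -t "CT,," -m 1000 -v 120 -k rsa -g 2048
}

# Server cert signed by the CA. CN is the FQDN and -8 also puts it in a
# subjectAltName, which current TLS clients check instead of CN.
make_server_cert() {   # db host serial
    cu "$1" -S -z "$1/noise.bin" -n "Server-Cert-$2" -s "cn=$2" -8 "$2" \
        -c "$CA_NICK" -t "u,u,u" -m "$3" -v 120 -k rsa -g 2048
}

# Validate a cert for the SSL-server usage (-u V) including the signature
# (-e); report valid/rejected rather than aborting on a rejection.
check() {   # db nick
    if certutil -V -d "$1" -n "$2" -u V -e >/dev/null 2>&1; then echo valid; else echo rejected; fi
}

run_demo() {
    command -v certutil >/dev/null 2>&1 && command -v pk12util >/dev/null 2>&1 \
        || { echo skipped; return 0; }
    work=$(mktemp -d)
    s1=$work/ldap1 s2=$work/ldap2 cl=$work/client rg=$work/rogue

    # ldap1: the CA plus both server certs, exactly as in the thread.
    nss_init "$s1"; make_ca "$s1"
    make_server_cert "$s1" ldap1.example.com 1001
    make_server_cert "$s1" ldap2.example.com 1002
    certutil -L -d "$s1" -n "$CA_NICK" -a > "$work/cacert.asc"
    pk12util -d "$s1" -k "$s1/pwdfile.txt" -n "Server-Cert-ldap2.example.com" \
        -o "$work/server2.p12" -W "$P12_PW" >/dev/null

    # ldap2: import its own key+cert and the CA (what lands in slapd-INSTANCE2/).
    nss_init "$s2"
    pk12util -d "$s2" -k "$s2/pwdfile.txt" -i "$work/server2.p12" -W "$P12_PW" >/dev/null
    cu "$s2" -A -n "$CA_NICK" -t "CT,," -a -i "$work/cacert.asc"

    # rogue: a self-signed ldap2 cert, i.e. each server with its own cert.
    nss_init "$rg"
    cu "$rg" -S -z "$rg/noise.bin" -n rogue -s "cn=ldap2.example.com" \
        -8 ldap2.example.com -x -t "u,u,u" -m 2000 -v 120 -k rsa -g 2048

    # client: trusts only cacert.asc; server certs are imported untrusted
    # (",,") so the verdict comes from chain building, as in a TLS handshake.
    nss_init "$cl"
    cu "$cl" -A -n "$CA_NICK" -t "CT,," -a -i "$work/cacert.asc"
    for h in ldap1.example.com ldap2.example.com; do
        certutil -L -d "$s1" -n "Server-Cert-$h" -a | cu "$cl" -A -n "seen-$h" -t ",," -a
    done
    certutil -L -d "$rg" -n rogue -a | cu "$cl" -A -n seen-rogue -t ",," -a

    result="ldap2-server:$(check "$s2" Server-Cert-ldap2.example.com)"
    result="$result ldap1:$(check "$cl" seen-ldap1.example.com)"
    result="$result ldap2:$(check "$cl" seen-ldap2.example.com)"
    result="$result rogue:$(check "$cl" seen-rogue)"
    rm -rf "$work"
    echo "$result"
}

run_demo
```

With nss-tools installed the script prints `ldap2-server:valid ldap1:valid ldap2:valid rogue:rejected`; without certutil/pk12util it prints `skipped`. Two things worth keeping in mind when transferring this to real instances: `certutil -V -d /etc/dirsrv/slapd-INSTANCE -n <server nick> -u V -e` run on each server before `service dirsrv start` tells you whether the chain is complete in that database, and `-v` counts months, so the thread's `-v 720` is a 60-year certificate while `-v 120` is ten years.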