Re: SSL/TLS without the Admin Server?

David Barr <dafydd@xxxxxxxxxx> · Sat, 27 Apr 2013 18:15:43 -0700

Outstanding. Thanks!
db

On Apr 27, 2013, at 14:12, Trey Dockendorf <treydock@xxxxxxxxx> wrote:

On Sat, Apr 27, 2013 at 2:24 PM, David Barr <dafydd@xxxxxxxxxx> wrote:

Good Morning,

The Red Hat documentation only describes setting up the DS using the AS as the interface. Google searching, so far, has only boiled down to that documentation again.

Does anyone know of documentation to set up SSL/TLS on the DS using ldapadd/ldapmodify? The DS is headless, and I'm not in a place where setting up a remote X server would be well received.

Thanks!

David

--

David - Offbeat         http://dafydd.livejournal.com

dafydd - Online         http://pgp.mit.edu/

Battalion 4 - Black Rock City Emergency Services Department

        Integrity*Commitment*Communication*Support

----5----1----5----2----5----3----5----4----5----5----5----6----5----7--

Rene Descartes walks into his neighborhood watering hole. The publican sees him and asks, "Will you have your usual, sir?"

Descartes ponders a moment and replies, "I think not."

And promptly disappears...

--

David - Offbeat         http://dafydd.livejournal.com

dafydd - Online         http://pgp.mit.edu/

Battalion 4 - Black Rock City Emergency Services Department

        Integrity*Commitment*Communication*Support

----5----1----5----2----5----3----5----4----5----5----5----6----5----7--

Rene Descartes walks into his neighborhood watering hole. The publican sees him and asks, "Will you have your usual, sir?"

Descartes ponders a moment and replies, "I think not."

And promptly disappears...

--

389 users mailing list

389-users@xxxxxxxxxxxxxxxxxxxxxxx

https://admin.fedoraproject.org/mailman/listinfo/389-users

You don't need X on the 389 server.

$LDAP_SERVER - my ldap server's fqdn

/usr/bin/389-console -a https://$LDAP_SERVER:9830 -u "cn=Directory Manager" &

The LDIF below is based on this document [1] and what I have in my SSL/TLS enabled 389 server.

dn: cn=config
changetype: modify
replace: nsslapd-secureport
nsslapd-secureport: 636
-
replace: nssldap-security
nssldap-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off

dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5,+rsa_rc4_40_md5,
 +rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des

 _sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_wit
 h_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,+tls_rsa_aes_128_sha,+tls
 _rsa_aes_256_sha
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed

I run these LDIFs using Apache Directory Studio, but the same file should work using examples from [1].

- Trey

[1] - http://directory.fedoraproject.org/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

--

David - Offbeat		http://dafydd.livejournal.com
dafydd - Online		http://pgp.mit.edu/
Battalion 4 - Black Rock City Emergency Services Department
	Integrity*Commitment*Communication*Support

----5----1----5----2----5----3----5----4----5----5----5----6----5----7--

Rene Descartes walks into his neighborhood watering hole. The publican sees him and asks, "Will you have your usual, sir?"

Descartes ponders a moment and replies, "I think not."

And promptly disappears...

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users