Reading through the http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html document....

8><---------
3.3 Binding Linux/Unix Machines to LDAPs

First of all for your client LDAP machine to connect via LDAPs you need to have the Certificate Authority file installed on your client which was generated for the Directory Server to allow it to recognize that the SSL connection is valid.
8><---------

So I have all these choices....

[root@vuwunicvfdsm001 cacerts]# cd /opt/fedora-ds/alias
[root@vuwunicvfdsm001 alias]# ls -l
total 640
-rw-r--r-- 1 nobody nobody    193 Sep 14 11:31 addRSA.ldif
-rw------- 1 nobody nobody  16384 Sep 13 15:33 admin-serv-secmod.db
-rw------- 1 nobody nobody  65536 Sep 14 11:19 admin-serv-vuwunicvfdsm001-cert8.db
-rw------- 1 nobody nobody  16384 Sep 14 11:19 admin-serv-vuwunicvfdsm001-key3.db
-rw-r--r-- 1 nobody nobody    619 Sep 14 11:13 cacert.asc
-rw------- 1 nobody nobody   1554 Sep 14 11:10 cacert.pfx
-rwxr-xr-x 1 nobody nobody 239744 Nov  8  2006 libnssckbi.so
-rw-r--r-- 1 nobody nobody     62 Sep 14 09:44 noise.txt
-rw------- 1 nobody nobody  65536 Sep 13 15:43 orig-slapd-vuwunicvfdsm001-cert8.db
-rw------- 1 nobody nobody  16384 Sep 13 15:43 orig-slapd-vuwunicvfdsm001-key3.db
-rw-r--r-- 1 nobody nobody      9 Sep 13 15:43 pwdfile.txt
-rw------- 1 nobody nobody  16384 Sep 14 13:37 secmod.db
-rw------- 1 nobody nobody   2044 Sep 14 11:11 servercert.pfx
-rw------- 1 nobody nobody  65536 Sep 14 10:29 slapd-serverID-cert8.db
-rw------- 1 nobody nobody  16384 Sep 14 10:29 slapd-serverID-key3.db
-rw------- 1 nobody nobody      0 Sep 14 13:35 slapd-serverID-pin.txt
-rw------- 1 nobody nobody  65536 Sep 14 11:11 slapd-vuwunicvfdsm001-cert8.db
-rw------- 1 nobody nobody  16384 Sep 14 11:11 slapd-vuwunicvfdsm001-key3.db
-r-------- 1 nobody nobody     35 Sep 14 13:36 slapd-vuwunicvfdsm001-pin.txt
-rw-r--r-- 1 nobody nobody    693 Sep 14 11:23 ssl_enable.ldif

So is this the file I am meant to copy over?

-rw-r--r-- 1 root root 619 Sep 17 16:27 5be5959f.0
-rw-r--r-- 1 root root 619 Sep 17 16:27 cacert.asc
[root@vuwunicvfwall02 cacerts]# ldapsearch -x -ZZ '(uid=jonesst1)'
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[root@vuwunicvfwall02 cacerts]# pwd
/etc/openldap/cacerts
[root@vuwunicvfwall02 cacerts]#

If so it is failing, but at least it appears it is consistent with the Debian client which also has a -11 error....at least I think so.....

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Steven Jones
Sent: Monday, 17 September 2007 3:01 p.m.
To: General discussion list for the Fedora Directory server project.
Subject: rhas4 Setting up clients for ssl only?

I seem unable to get this to work in anything but simple mode.....

Here is my ldap.conf for RHAS4,

URI ldap://ldap.vuw.ac.nz
#host 130.195.87.249
base dc=vuw,dc=ac,dc=nz
#ssl no
#ssl on
pam_password md5
#HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow

Trying "ssl on" breaks ssh

So has anyone got an example ldap.conf?

Since Debian also won't ssl, it is possible the server is the issue.....

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Steven Jones
Sent: Monday, 17 September 2007 10:20 a.m.
To: General discussion list for the Fedora Directory server project.
Subject: RE: Setting up clients for ssl only?

8><----
Uh.....this means not a thing....where and how is it set? On the server? Client? I.e. what and where is dse.ldif?

> Steven Jones wrote:
> Is there a way to force clients to only connect via ssl?
> You can set the nsslapd-port attribute in cn=config in dse.ldif to 0.
8><----

regards

Steven

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
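The ldap.conf posted in the 3:01 p.m. message (TLS_REQCERT allow, no ssl keyword, TLS_CACERTDIR pointing at a directory that holds cacert.asc and a hash-named copy 5be5959f.0) is a good candidate for a client-side audit before blaming the server. The script below is an added example for this thread, not code from the Fedora Directory Server project or from the poster. It parses an ldap.conf, flags the settings that weaken or disable server-certificate verification, shows a hardened counterpart (constructed here), and checks that a TLS_CACERTDIR listing contains the hash-named entries an OpenSSL-based client looks up CAs by. It assumes the ldap.conf(5) semantics of TLS_REQCERT (never/allow/try/demand, default demand) and TLS_CACERTDIR, the nss_ldap "ssl no|on|start_tls" keyword, and OpenSSL's c_rehash naming (eight hex digits, a dot, a number); the hardened configuration is an assumption, not something the thread shows working.

```python
"""Audit an OpenLDAP/nss_ldap client ldap.conf for settings that weaken
server-certificate verification over TLS, and sanity-check the layout of the
TLS_CACERTDIR it names.

Added example for this thread, not code from the Fedora Directory Server
project or from the poster. Assumptions: ldap.conf(5) semantics for
TLS_REQCERT (never/allow/try/demand, default demand) and TLS_CACERTDIR;
nss_ldap's 'ssl no|on|start_tls' keyword; OpenSSL's hash-named CA directory
layout (<8 hex digits>.<n>, as produced by c_rehash).
"""
import os
import re
from typing import Dict, List

# OpenSSL subject-hash file name, e.g. 5be5959f.0 as seen in the thread.
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")

# ldap.conf quoted from the 3:01 p.m. message in the thread.
THREAD_CONF = """\
URI ldap://ldap.vuw.ac.nz
#host 130.195.87.249
base dc=vuw,dc=ac,dc=nz
#ssl no
#ssl on
pam_password md5
#HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
"""

# Constructed hardened counterpart (assumption): StartTLS required,
# server certificate verified against the CA directory.
HARDENED_CONF = """\
URI ldap://ldap.vuw.ac.nz
BASE dc=vuw,dc=ac,dc=nz
ssl start_tls
pam_password md5
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """One 'KEYWORD value' per line; '#' lines are ignored; keywords are
    case-insensitive, so they are normalised to upper case. A repeated
    keyword keeps its last value (the mixed-case base/BASE pair above)."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_conf(conf: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings: List[str] = []
    uris = conf.get("URI", "").lower().split()
    ssl_mode = conf.get("SSL", "").lower()  # nss_ldap: no | on (ldaps) | start_tls
    if any(u.startswith("ldap://") for u in uris) and ssl_mode not in ("on", "start_tls"):
        findings.append("ldap:// URI without 'ssl start_tls' or 'ssl on': "
                        "nss_ldap/pam_ldap binds (and passwords) go in the clear")
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: a missing or failing server certificate is "
                        "ignored, so TLS encrypts but does not authenticate the server; "
                        "use 'demand'")
    elif reqcert == "try":
        findings.append("TLS_REQCERT try: a server presenting no certificate is still accepted")
    if not conf.get("TLS_CACERT") and not conf.get("TLS_CACERTDIR"):
        findings.append("no TLS_CACERT or TLS_CACERTDIR: there is no CA to verify the server against")
    return findings


def check_cacert_listing(names: List[str]) -> List[str]:
    """Check a TLS_CACERTDIR listing: OpenSSL-based clients find a CA through
    its subject-hash name, so a bare PEM such as cacert.asc is not enough."""
    hashed = [n for n in names if HASH_NAME.match(n)]
    pems = [n for n in names if n.lower().endswith((".asc", ".pem", ".crt", ".cer"))]
    if not pems and not hashed:
        return ["TLS_CACERTDIR holds no CA certificate files"]
    if not hashed:
        return ["TLS_CACERTDIR has PEM files but no <hash>.0 entries; run c_rehash on it"]
    if len(hashed) < len(pems):
        return [f"{len(pems)} PEM files but only {len(hashed)} hash-named entries"]
    return []


def audit_cacertdir(path: str) -> List[str]:
    """Filesystem wrapper around check_cacert_listing for a live host."""
    if not os.path.isdir(path):
        return [f"TLS_CACERTDIR {path} does not exist on this host"]
    return check_cacert_listing(os.listdir(path))


def audit_text(text: str) -> List[str]:
    """Parse and audit an ldap.conf given as text."""
    return audit_conf(parse_ldap_conf(text))


if __name__ == "__main__":
    for label, text in (("thread ldap.conf", THREAD_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_text(text) or ["ok"])
    # Listing of /etc/openldap/cacerts as shown on the wall02 host in the thread.
    print("cacerts dir", check_cacert_listing(["5be5959f.0", "cacert.asc"]) or ["ok"])
```

Run against the thread's ldap.conf the audit reports two findings (cleartext binds because no ssl mode is set, and TLS_REQCERT allow), while the directory listing with 5be5959f.0 beside cacert.asc passes; the hardened counterpart reports nothing. The useful property of TLS_REQCERT demand is that a verify failure like the one in the ldapsearch output aborts the bind instead of being silently accepted, which is the behaviour you want from a client that is supposed to talk to the directory only over TLS.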