lambam80@xxxxxxxxxxx wrote:
> Hello everybody and, firstly, thanks for your continued support.
>
> I hope I've used the correct expression/jargon, i.e. PAM-LDAP?
>
> PAM-LDAP works with LDAPS and binding with cn=Directory Manager/password
> hardcoded in /etc/ldap.conf - great stuff.

Except for the fact that you have the directory manager clear text password hardcoded in ldap.conf :-(

> This was configured using the GUI '/usr/sbin/system-config-authentication' - also great stuff!
>
> Symbolic Link pointing to the CA certificate:
>
> Q1. I've searched the web but cannot find what purpose the symbolic link serves.
>
> ----------------------------------------
> # ls -toalr /etc/openldap/cacerts
> -rw-r--r-- 1 root 1464 2009-03-10 12:21 authconfig_downloaded.pem
> lrwxrwxrwx 1 root   25 2009-03-10 12:21 123a856c.0 -> authconfig_downloaded.pem
>
> Client Certificate etc.
> --------------------------
> I'm now experimenting with client certificates and have found the following link:
> http://lists.fini.net/pipermail/ldap-interop/2005-April/000421.html
> and see the following example lines for the file /etc/ldap.conf:
>
> tls_cert /usr/share/ssl/certs/ldap.pem      ($FN.pem in my case)
> tls_key  /usr/share/ssl/certs/ldap.key.pem  ($FN.key for me)
>
> Q2. ldap.key.pem: Is this file simply the $FN.key file created by the following command?
> Will I have trouble if I specify '-passout'? I assume it protects the file $FN.key.
> How will PAM-LDAP open the keystore if I have used a password?

It probably won't, unless you either hardcode the clear text password, or simply have no key password.

> openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -passout pass:<password> 0<< EOF >/dev/null 2>&1
> <SNIP>
>
> Q3. ldap.pem: Is this file simply the $FN.pem file created by the following command?
>
> openssl ca -in ${FN}.csr -out ${FN}.pem -days 7300 -keyfile $DIR/demoCA/private/cakey.pem \
>     -cert $DIR/demoCA/cacert.pem \
>     -passin pass:<CA PASSWORD> << EOF2 >/dev/null 2>&1
> <SNIP>
>
> Thanks again, cdlt,
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
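An added example, not from this thread or from pam_ldap itself, that checks a pam_ldap-style ldap.conf for the two problems raised in the reply: a clear-text bindpw (and whether the file holding it is readable by other users) and a tls_key that is password-protected, which pam_ldap cannot open without someone typing the passphrase. The paths, the config contents and the PEM key are constructed for the demo; key_is_encrypted relies on the ENCRYPTED marker OpenSSL writes into a PEM key when -passout is used.

```python
# Added example, not from the thread; all paths and file contents are constructed.
import os
import stat
import tempfile

def parse_ldap_conf(text):
    """Map option -> value for pam_ldap/nss_ldap style 'option value' lines."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip()
    return opts

def key_is_encrypted(pem_text):
    """'openssl req ... -passout' keys carry an ENCRYPTED marker (Proc-Type header
    in traditional PEM, PKCS#8 banner on newer OpenSSL)."""
    return ("Proc-Type: 4,ENCRYPTED" in pem_text
            or "BEGIN ENCRYPTED PRIVATE KEY" in pem_text)

def audit(conf_path):
    findings = []
    with open(conf_path) as f:
        opts = parse_ldap_conf(f.read())
    if "bindpw" in opts:  # clear-text bind password stored in the config
        findings.append("clear-text bindpw for %s in %s" % (opts.get("binddn", "<unset>"), conf_path))
        mode = stat.S_IMODE(os.stat(conf_path).st_mode)
        if mode & 0o044:  # anyone but the owner can read the password
            findings.append("%s is group/world readable (%o)" % (conf_path, mode))
    key = opts.get("tls_key")
    if key and os.path.exists(key):
        with open(key) as f:
            if key_is_encrypted(f.read()):
                findings.append("tls_key %s is password-protected; pam_ldap cannot open it unattended" % key)
    return findings

def demo():
    """Constructed sample: Directory Manager bindpw plus an encrypted client key."""
    d = tempfile.mkdtemp()
    key, conf = os.path.join(d, "ldap.key"), os.path.join(d, "ldap.conf")
    with open(key, "w") as f:
        f.write("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n<constructed>\n-----END RSA PRIVATE KEY-----\n")
    with open(conf, "w") as f:
        f.write("uri ldaps://ldap.example.com/\nbinddn cn=Directory Manager\n"
                "bindpw secret\ntls_cert %s/ldap.pem\ntls_key %s\n" % (d, key))
    os.chmod(conf, 0o644)  # typical default mode, so the password is world readable
    return audit(conf)
```

Running demo() prints nothing; it returns the three findings for the constructed files, and audit() can be pointed at a real /etc/ldap.conf the same way.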