[389-users] Help with setiting up Password Policy and SSL/TLS

"Fulda, Paul R (IS)" <Paul.Fulda@xxxxxxx> · Thu, 14 Jan 2010 12:56:25 -0600

Title: Help with setiting up Password Policy and SSL/TLS

Hi,

I am trying to configure the Password Policy for my users and read that you would not be able to use the Policy unless you set up SSL/TLS. 

I am using 389 Server version 1.2.2.   Also I am running the Server on Fedora 11 64 bit.  All clients are also Fedora 11 64 bit.

I followed the instructions in setting up SSL here  at  http://directory.fedoraproject.org/wiki/Howto:SSL

I ran the setupssl2.sh script and it completed with no errors.  In the 389 Admin Console I could see the certificates for both the Admin Server and DS Server in the 

Manage Certificates screens.

Also, I do not want to use SSL for the Admin Server or the Admin Console.  I just want to be able to use it for user authentication so the Password Policy works.

Bottom line is that I cannot get both features (Password Policies and SSL) working.  Any help would be greatly appreciated.

Up to this point here are my questions:

1)       In the Directory Server GUI from the 389 Admin Console what certificate do I use to populate the Certificate field in the Encryption Tab?

There are 3 choices it provides after running the sslsetup2.sh script which are CA Certificate, server-cert, and server-Cert.

2)      In the Client Authentication Block in the same Encryption Tab  as #1 above, I have selected “Require client authentication”.  Is this correct?

Is this how you force the Directory Server to use only port 636 for secure communications?  If not, how do you do that?

3)      What are the differences between /etc/openldap/ldap.conf   and   /etc/ldap.conf?  What are the client configurations needed to make this work?

The only ldap.conf file that http://directory.fedoraproject.org/wiki/Howto:SSL talks about configuring is the /etc/openldap/ldap.conf file.

My /etc/openldap/ldap.conf file looks like this:

URI ldap://hadmina.eidev.ngc.com/

BASE dc=eidev, dc=ngc, dc=com

TLS_CACERT /etc/openldap/cacerts

TLS_REQCERT allow

4)      How do you get the certificate on the client machines?  What I did was copy from the server the cacert.asc file that is located in /etc/dirsrv/slapd-hadmina

to the client machine in /etc/openldap/cacerts directory.  Is this correct?

Thanks and I hope there is someone out there that can help me get this working!

Paul

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users