Fulda, Paul R (IS) wrote:
> Hi,
>
> I am trying to configure the Password Policy for my users and read
> that you would not be able to use the Policy unless you set up SSL/TLS.
>
> I am using 389 Server version 1.2.2. Also I am running the Server on
> Fedora 11 64 bit. All clients are also Fedora 11 64 bit.
>
> I followed the instructions in setting up SSL here at
> http://directory.fedoraproject.org/wiki/Howto:SSL
>
> I ran the setupssl2.sh script and it completed with no errors. In the
> 389 Admin Console I could see the certificates for both the Admin
> Server and DS Server in the Manage Certificates screens.
>
> Also, I do not want to use SSL for the Admin Server or the Admin
> Console. I just want to be able to use it for user authentication so
> the Password Policy works.
>
> Bottom line is that I cannot get both features (Password Policies and
> SSL) working. Any help would be greatly appreciated.
>
> Up to this point here are my questions:
>
> 1) In the Directory Server GUI from the 389 Admin Console what
> certificate do I use to populate the Certificate field in the
> Encryption Tab?
>
> There are 3 choices it provides after running the
> setupssl2.sh script which are CA Certificate, server-cert,
> and Server-Cert.
For Directory Server, use Server-Cert
For Admin Server, use server-cert
CA Certificate is the CA certificate
>
> 2) In the Client Authentication Block in the same Encryption Tab as #1
> above, I have selected “Require client authentication”. Is this correct?
no
>
> Is this how you force the Directory Server to use only
> port 636 for secure communications?
no
>
> If not, how do you do that?
We don't yet have a UI for that, but see the new minssf feature in
389-ds-base-1.2.3 and later
http://directory.fedoraproject.org/wiki/Roadmap#389_Directory_Server_1.2.3_-_October_7.2C_2009
>
> 3) What are the differences between /etc/openldap/ldap.conf and
> /etc/ldap.conf? What are the client configurations needed to make this
> work?
>
> The only ldap.conf file that
> http://directory.fedoraproject.org/wiki/Howto:SSL talks
> about configuring is the /etc/openldap/ldap.conf file.
>
> My /etc/openldap/ldap.conf file looks like this:
>
> URI ldap://hadmina.eidev.ngc.com/
> BASE dc=eidev, dc=ngc, dc=com
> TLS_CACERT /etc/openldap/cacerts
> TLS_REQCERT allow
/etc/openldap/ldap.conf is only used by the openldap command line tools such
as ldapsearch, ldapmodify, et al. - see man ldap.conf
/etc/ldap.conf is used by nss_ldap/pam_ldap - see man pam_ldap
>
> 4) How do you get the certificate on the client machines? What I did
> was copy from the server the cacert.asc file that is located in
> /etc/dirsrv/slapd-hadmina to the client machine in the
> /etc/openldap/cacerts directory. Is this correct?
Yes.
>
> Thanks and I hope there is someone out there that can help me get this
> working!
>
> Paul
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
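An added check, not from the thread or the 389 project, for the client-side /etc/openldap/ldap.conf discussed under question 3: it flags TLS_REQCERT values that let a session continue without verifying the server certificate, and a TLS_CACERT that names a directory rather than a single PEM file (per man ldap.conf, a directory of CA certificates belongs in TLS_CACERTDIR). The host ldap.example.com and the two sample files are constructed.

```shell
# Audit the TLS directives in an OpenLDAP client ldap.conf (the file read by
# ldapsearch/ldapmodify). Prints one line per finding; returns 0 only when the
# server certificate will actually be verified.
ldap_tls_audit() {
    conf="$1"; rc=0
    # TLS_REQCERT: "demand"/"hard" (the default) rejects a missing or bad
    # server cert; "never"/"allow" proceed anyway; "try" proceeds if none is sent.
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT" {print tolower($2)}' "$conf" | tail -n 1)
    case "${reqcert:-demand}" in
        demand|hard) echo "OK   TLS_REQCERT=${reqcert:-demand}: server cert is verified" ;;
        *) echo "WARN TLS_REQCERT=$reqcert: server cert failures are ignored"; rc=1 ;;
    esac
    # TLS_CACERT names one PEM file; a directory of hashed CA certs belongs in
    # TLS_CACERTDIR, so a directory here leaves the client with no trust anchor.
    cacert=$(awk 'toupper($1)=="TLS_CACERT" {print $2}' "$conf" | tail -n 1)
    cacertdir=$(awk 'toupper($1)=="TLS_CACERTDIR" {print $2}' "$conf" | tail -n 1)
    if [ -n "$cacert" ] && [ -d "$cacert" ]; then
        echo "WARN TLS_CACERT=$cacert is a directory; use TLS_CACERTDIR for directories"; rc=1
    elif [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "WARN no TLS_CACERT/TLS_CACERTDIR: nothing to verify the server against"; rc=1
    else
        echo "OK   CA trust anchor configured"
    fi
    return $rc
}

# Constructed samples (hypothetical host): the lax shape from the question,
# and a strict variant that pins the exported CA file and verifies the server.
write_samples() {
    dir="$1"
    mkdir -p "$dir/cacerts"
    : > "$dir/cacerts/cacert.asc"   # empty stand-in for the exported CA cert
    cat > "$dir/ldap.conf.lax" <<EOF
URI ldap://ldap.example.com/
BASE dc=example,dc=com
TLS_CACERT $dir/cacerts
TLS_REQCERT allow
EOF
    cat > "$dir/ldap.conf.strict" <<EOF
URI ldaps://ldap.example.com/
BASE dc=example,dc=com
TLS_CACERT $dir/cacerts/cacert.asc
TLS_REQCERT demand
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
ldap_tls_audit "$tmp/ldap.conf.lax" || echo "=> lax config flagged"
ldap_tls_audit "$tmp/ldap.conf.strict" && echo "=> strict config passes"
```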