<html> <head> <style> .hmmessage P { margin:0px; padding:0px } body.hmmessage { font-size: 10pt; font-family:Verdana } </style> </head> <body class='hmmessage'> Rich, hello and, as ever, thanks for the helpful reply. One very quick question and a quick technote 'for the record'. < You write, '... It probably won't, unless you either hardcode the clear text password ...' Q1: Hardcode where ? Is there an attribute in /etc/ldap.conf specifically for the keyfile password ? < You write, '... or simply have no key password ...' For the record, I reckon I need the '-noDES' option if I don't want a key file password: openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -days 7300 -nodes <<EOF ... EOF For reference: <A href="http://www.openssl.org/docs/apps/req.html">http://www.openssl.org/docs/apps/req.html</A># I'll let you all know if my PAM-LDAP Linux login works when using client-certificates for binding to LDAP. Thanks again, ----- > Date: Tue, 12 May 2009 09:31:16 -0600 > From: rmeggins@redhat.com > To: fedora-directory-users@redhat.com > CC: lambam80@hotmail.com > Subject: Re: [389-users] PAM-LDAP LDAPS (Linux Login) with PAM-LDAP using a client certificate > > lambam80@hotmail.com wrote: > > Hello everybody and, firstly, thanks for your continued support. > > > > I hope I've used the correct expression/jargon, ie:PAM-LDAP ? > > > > PAM-LDAP works with LDAPS and binding with cn=Directory > > Manager/password hardcoded in /etc/ldap.conf - great stuff. > Except for the fact that you have the directory manager clear text > password hardcoded in ldap.conf :-( > > This was configured using the GUI > > '/usr/sbin/system-config-authentication' - also great stuff ! > > > > Symbolic Link pointing to the CA certificate: Q1. I've searched the > > web but cannot find what purpose the symbolic link serves. > > ---------------------------------------- > > > > # ls -toalr /etc/openldap/cacerts > > -rw-r--r-- 1 root 1464 2009-03-10 12:21 authconfig_downloaded.pem > > lrwxrwxrwx 1 root 25 2009-03-10 12:21 123a856c.0 -> > > authconfig_downloaded.pem > > > > > > Client Certificate etc. > > -------------------------- > > I'm now experimenting with client certificates and have found the > > following link: > > > > http://lists.fini.net/pipermail/ldap-interop/2005-April/000421.html > > > > and see the following example lines for the file /etc/ldap.conf: > > tls_cert /usr/share/ssl/certs/ldap.pem ($FN.pem in my case) > > tls_key /usr/share/ssl/certs/ldap.key.pem ($FN.key for me) > > > > Q2. ldap.key.pem: Is this file simply the $FN.key file created by the > > following command ? > > Will I have trouble if I specify '-passout' ? I assume it protects the > > file $FN.key. > > How will PAM-LDAP open the keystore if I have used a password ? > It probably won't, unless you either hardcode the clear text password, > or simply have no key password. > > > > openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -passout > > pass:<password> 0<< EOF >/dev/null 2>&1 > > <SNIP> > > > > Q3. ldap.pem: Is this file simply the $FN.pem file created by the > > following command ? > > > > openssl ca -in ${FN}.csr -out ${FN}.pem -days 7300 -keyfile > > $DIR/demoCA/private/cakey.pem \ > > -cert $DIR/demoCA/cacert.pem \ > > -passin pass:<CA PASSWORD> << EOF2 >/dev/null 2>&1 > > <SNIP> > > > > Thanks again, cdlt, > > ----------- > > > > > > > > > > > > ------------------------------------------------------------------------ > > Create a cool, new character for your Windows Live™ Messenger. Check > > it out <http://go.microsoft.com/?linkid=9656621> > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users@redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > <hr />Internet Explorer 8 makes surfing easier. <a href='http://go.microsoft.com/?linkid=9655264' target='_new'>Get it now! </a></body> </html>