[Fedora-directory-users] rhas4 Setting up clients for ssl only?

Steven Jones Steven.Jones at vuw.ac.nz
Mon Sep 17 04:37:23 UTC 2007


Reading through the
http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html
document....

8><---------
3.3 Binding Linux/Unix Machines to LDAPs

First of all for your client LDAP machine to connect via LDAPs you need
to have the Certificate Authority file installed on your client which
was generated for the Directory Server to allow it to recognize that the
SSL connection is valid.
8><---------


So I have all these choices....

[root at vuwunicvfdsm001 cacerts]# cd /opt/fedora-ds/alias
[root at vuwunicvfdsm001 alias]# ls -l
total 640
-rw-r--r--  1 nobody nobody    193 Sep 14 11:31 addRSA.ldif
-rw-------  1 nobody nobody  16384 Sep 13 15:33 admin-serv-secmod.db
-rw-------  1 nobody nobody  65536 Sep 14 11:19 admin-serv-vuwunicvfdsm001-cert8.db
-rw-------  1 nobody nobody  16384 Sep 14 11:19 admin-serv-vuwunicvfdsm001-key3.db
-rw-r--r--  1 nobody nobody    619 Sep 14 11:13 cacert.asc
-rw-------  1 nobody nobody   1554 Sep 14 11:10 cacert.pfx
-rwxr-xr-x  1 nobody nobody 239744 Nov  8  2006 libnssckbi.so
-rw-r--r--  1 nobody nobody     62 Sep 14 09:44 noise.txt
-rw-------  1 nobody nobody  65536 Sep 13 15:43 orig-slapd-vuwunicvfdsm001-cert8.db
-rw-------  1 nobody nobody  16384 Sep 13 15:43 orig-slapd-vuwunicvfdsm001-key3.db
-rw-r--r--  1 nobody nobody      9 Sep 13 15:43 pwdfile.txt
-rw-------  1 nobody nobody  16384 Sep 14 13:37 secmod.db
-rw-------  1 nobody nobody   2044 Sep 14 11:11 servercert.pfx
-rw-------  1 nobody nobody  65536 Sep 14 10:29 slapd-serverID-cert8.db
-rw-------  1 nobody nobody  16384 Sep 14 10:29 slapd-serverID-key3.db
-rw-r--r--  1 nobody nobody      0 Sep 14 13:35 slapd-serverID-pin.txt
-rw-------  1 nobody nobody  65536 Sep 14 11:11 slapd-vuwunicvfdsm001-cert8.db
-rw-------  1 nobody nobody  16384 Sep 14 11:11 slapd-vuwunicvfdsm001-key3.db
-r--------  1 nobody nobody     35 Sep 14 13:36 slapd-vuwunicvfdsm001-pin.txt
-rw-r--r--  1 nobody nobody    693 Sep 14 11:23 ssl_enable.ldif


So is this the file I am meant to copy over?

-rw-r--r--  1 root root 619 Sep 17 16:27 5be5959f.0
-rw-r--r--  1 root root 619 Sep 17 16:27 cacert.asc

[root at vuwunicvfwall02 cacerts]# ldapsearch -x -ZZ '(uid=jonesst1)'
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[root at vuwunicvfwall02 cacerts]# pwd
/etc/openldap/cacerts
[root at vuwunicvfwall02 cacerts]#

If so it is failing, but at least it appears it is consistent with the
Debian client which also has a -11 error....at least I think so.....

regards

Steven Jones
Senior  Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Steven
Jones
Sent: Monday, 17 September 2007 3:01 p.m.
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] rhas4 Setting up clients for ssl only?

I seem unable to get this to work in anything but simple mode.....

Here is my ldap.conf for RHAS4,

URI     ldap://ldap.vuw.ac.nz
#host 130.195.87.249
base dc=vuw,dc=ac,dc=nz
#ssl no
#ssl on
pam_password md5
#HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow

Trying "ssl on" breaks ssh

So has anyone got an example ldap.conf?

Since Debian also won't ssl, it is possible the server is the issue.....

regards

Steven Jones
Senior  Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272
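An added example ldap.conf pair, not from the thread and not the project's own configuration, in answer to the request above. The file quoted in the message mixes two syntaxes: `URI`, `BASE` and `TLS_*` are keywords of the OpenLDAP library's /etc/openldap/ldap.conf, which is the file ldapsearch reads, while `pam_password` and `ssl` are nss_ldap/pam_ldap keywords from /etc/ldap.conf on RHEL 4. The host name, base DN and CA path reuse the values from the message; the ldaps:// URI assumes the directory server has its secure port (636) enabled.

```conf
# /etc/openldap/ldap.conf  (read by the OpenLDAP library: ldapsearch, ldapmodify, ...)
URI            ldaps://ldap.vuw.ac.nz
BASE           dc=vuw,dc=ac,dc=nz
# Trust exactly the CA that signed the directory server's certificate.
# Either a single PEM file ...
TLS_CACERT     /etc/openldap/cacerts/cacert.asc
# ... or a directory of <hash>.0 files (produced by cacertdir_rehash / c_rehash):
#TLS_CACERTDIR /etc/openldap/cacerts/
# "demand": refuse the session unless the server certificate verifies.
# "allow" (weak) continues even when the certificate cannot be verified.
TLS_REQCERT    demand

# /etc/ldap.conf  (read by nss_ldap / pam_ldap; lower-case keywords)
uri            ldaps://ldap.vuw.ac.nz
base           dc=vuw,dc=ac,dc=nz
# "on" = LDAPS on port 636; "start_tls" = StartTLS on port 389
ssl            on
tls_cacertfile /etc/openldap/cacerts/cacert.asc
# Require the server certificate to verify against that CA.
tls_checkpeer  yes
pam_password   md5
```

Test the first file with `ldapsearch -x '(uid=jonesst1)'` (no -ZZ, since the URI is already ldaps://); only once that succeeds with `TLS_REQCERT demand` is it worth switching nss_ldap over, because a broken CA setup otherwise takes name resolution and PAM down with it, which is what "breaks ssh" looks like.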

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Steven
Jones
Sent: Monday, 17 September 2007 10:20 a.m.
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Setting up clients for ssl only?

8><----

Uh.....this means not a thing....where and how is it set? 

On the server? Client? Ie What and where is dse.ldif?

> Steven Jones wrote:
> Is there a way to force clients to only connect via ssl?
>   
You can set the nsslapd-port attribute in cn=config in dse.ldif to 0.

8><----

regards

Steven 
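An added illustration, not from the thread, of the server-side change the reply refers to. The cn=config entry lives in dse.ldif inside the server instance's config directory; for the /opt/fedora-ds install shown earlier in the thread that is /opt/fedora-ds/slapd-<instance>/config/dse.ldif, where <instance> is assumed to match the host name used in the alias file names. The server rewrites dse.ldif on shutdown, so edit it only while the server is stopped; the port attributes take effect on the next start.

```ldif
dn: cn=config
# 0 disables the plain-text LDAP listener entirely
nsslapd-port: 0
# keep the SSL listener, on the standard LDAPS port
nsslapd-security: on
nsslapd-secureport: 636
```

With the plain port closed, every client must use ldaps:// (StartTLS on port 389 is no longer available either), so the client-side CA setup has to be working before this change is made.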

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
