[Fedora-directory-users] (no subject)

Fri Dec 5 19:44:59 UTC 2008

Hello again, Thanks for the reply. 
My Solaris 10 and 8 clients are working against SSL now, thanks!
For my Linx clients clients I am trying to follow the FDS wiki: How
to:SSL.

I am having a problem importing the root CA certificate on my Fedora
boxes. 
The Howto SSL link says to run this command to import the cacert.asc
file.

"cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noot -hash -in
cacert.asc`.0"

However that responds with the below error. Anybody familiar with this
error?
Also I see Fedora has the certutil utility, can I use this to import the
ca root certificate like I did for the Solaris clients?

'Error opening Certificate cacert.asc
2312:error:02001002:system library:fopen:No such file or
directory:bss_file.c:352:fopen('cacert.asc','r')
2312:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:

Many Thanks
James

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of George
Holbert
Sent: Friday, December 05, 2008 12:03 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Create client SSL certificates
forSolaris boxes.

James Chavez wrote:
> George,
> Thank you much for the help with this. I read up on the links you sent

> and they seem to have helped. I have been struggling with a Solaris 8 
> box for the past few hours. It would not work at first, I was getting 
> an end of file error in the access log. Then it just started working 
> after I restarted the client services a few times and readded the box 
> using the same profile.
>
> I have another question in regards to SSL for replication.
> I had MMR going between two servers, this one and another prior to 
> enabling SSL on this server. I removed all the replication agreements 
> because as I understand it they need to be recreated with SSL. I would

> appreciate the lists opinions on the following. The Admin guide states

> that there are 2 ways of replicating over SSL, I pasted them below. I 
> would like to know the pros and cons of each and if a DNS PTR record 
> is an absolute necessity on each MMR member.
>   

The end result with both SSL replication flavors is the same.
Both encrypt the replication traffic between your directory servers.
The client cert method, when properly implemented, will make life more
challenging for a prospective attacker who would like to impersonate
your replication manager identity.  In that sense, it is more secure
than simple auth with SSL.

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited.  If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.