[389-users] Part 2: PAM-LDAP LDAPS (Linux Login) with PAM-LDAP using a client certificate

lambam80 at hotmail.com lambam80 at hotmail.com
Tue May 12 14:20:45 UTC 2009


Further information for Q2: it looks like '-passout pass:<password>' is mandatory, regardless:

+ openssl req -newkey rsa:1024 -keyout /root/tools/ssl/misc/output/X9999990.key -out /root/tools/ssl/misc/output/X9999990.csr -days 7300
<SNIP>


Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

...

As I said, any help would be greatly appreciated!

Cdlt,

---------

From: lambam80 at hotmail.com
To: fedora-directory-users at redhat.com; lambam80 at hotmail.com
Subject: PAM-LDAP LDAPS (Linux Login) with PAM-LDAP using a client certificate
Date: Tue, 12 May 2009 07:56:52 -0400



Hello everybody and, firstly, thanks for your continued support.
 
I hope I've used the correct expression/jargon, i.e. PAM-LDAP?

PAM-LDAP works with LDAPS and binding with cn=Directory Manager/password hardcoded in /etc/ldap.conf - great stuff.
This was configured using the GUI '/usr/sbin/system-config-authentication' - also great stuff!

Symbolic link pointing to the CA certificate
----------------------------------------
Q1. I've searched the web but cannot find what purpose the symbolic link serves.

# ls -toalr /etc/openldap/cacerts
-rw-r--r-- 1 root 1464 2009-03-10 12:21 authconfig_downloaded.pem
lrwxrwxrwx 1 root   25 2009-03-10 12:21 123a856c.0 -> authconfig_downloaded.pem
 
 
Client Certificate etc.
--------------------------
I'm now experimenting with client certificates and have found the following link:
 
http://lists.fini.net/pipermail/ldap-interop/2005-April/000421.html
 
and see the following example lines for the file /etc/ldap.conf:
tls_cert   /usr/share/ssl/certs/ldap.pem ($FN.pem in my case)
tls_key    /usr/share/ssl/certs/ldap.key.pem ($FN.key for me)
 
Q2. ldap.key.pem: Is this file simply the $FN.key file created by the following command?
Will I have trouble if I specify '-passout'? I assume it protects the file $FN.key.
How will PAM-LDAP open the keystore if I have used a password?
 
openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -passout pass:<password> 0<< EOF >/dev/null 2>&1
<SNIP>
 
Q3. ldap.pem: Is this file simply the $FN.pem file created by the following command?
 
openssl ca -in ${FN}.csr -out ${FN}.pem -days 7300 -keyfile $DIR/demoCA/private/cakey.pem \
        -cert $DIR/demoCA/cacert.pem \
        -passin pass:<CA PASSWORD> << EOF2 >/dev/null 2>&1
<SNIP>
 
Thanks again, cdlt, 
-----------
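The key/CSR/CA flow the two messages above describe, written out as an added example; this is not code from the poster or from the Fedora Directory Server project. It generates the client key and CSR without a passphrase (`-nodes` in place of `-passout`), signs the CSR with a throwaway CA, shows how to strip the passphrase from a key that was already created with `-passout`, and rebuilds the hashed symlink that authconfig creates in /etc/openldap/cacerts (the link name is the CA certificate's subject hash followed by `.0`, which is how OpenSSL finds CAs in a tls_cacertdir). The key has to be unencrypted because libldap, which pam_ldap/nss_ldap use to read tls_key, cannot prompt for a passphrase; ldap.conf(5) says the private key must not be password protected. Everything runs in a temporary directory: the CA, the CN X9999990, the passphrase `secret` and the file names are constructed for this example, and the signing uses `openssl x509 -req` rather than the poster's `openssl ca` setup so that no demoCA directory is needed.

```shell
#!/bin/sh
# Added example (not the poster's script): unencrypted client key + CSR for
# tls_key/tls_cert, signed by a throwaway CA, plus the hashed CA symlink.
# All names, paths and the passphrase below are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA standing in for demoCA/cacert.pem and demoCA/private/cakey.pem.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
        -subj "/CN=Demo CA" >/dev/null 2>&1
}

# Client key and CSR. -nodes writes the key unencrypted, which is what
# libldap needs for tls_key; it replaces -passout and no prompt appears.
make_client_key_and_csr() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" \
        -subj "/CN=X9999990" >/dev/null 2>&1
    chmod 600 "$WORK/client.key"   # unencrypted, so file mode is the only protection
}

# Sign the CSR with the CA; the result is what tls_cert points at.
sign_client_csr() {
    openssl x509 -req -in "$WORK/client.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -days 30 -out "$WORK/client.pem" >/dev/null 2>&1
}

# Returns 0 when the PEM file carries no passphrase (no ENCRYPTED marker),
# i.e. when libldap can load it without prompting.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# Strip the passphrase from a key that was created with -passout.
# Usage: strip_passphrase <encrypted.key> <passphrase> <plain.key>
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" >/dev/null 2>&1
    chmod 600 "$3"
    key_is_unencrypted "$3"
}

# Name of the symlink authconfig/c_rehash create in tls_cacertdir: OpenSSL
# looks CAs up by <subject hash>.0; the link only adds that name to the PEM.
ca_hash_name() {
    printf '%s.0\n' "$(openssl x509 -noout -subject_hash -in "$1")"
}

# Chain check: does client.pem verify against the CA (what the LDAP server does)?
verify_client_cert() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/client.pem" >/dev/null 2>&1
}

demo() {
    make_ca
    make_client_key_and_csr
    sign_client_csr
    key_is_unencrypted "$WORK/client.key" && echo "client.key has no passphrase"
    verify_client_cert && echo "client.pem chains to the CA"

    # A key made with a passphrase, then made usable for tls_key by stripping it.
    openssl genrsa -aes256 -passout pass:secret -out "$WORK/enc.key" 2048 >/dev/null 2>&1
    strip_passphrase "$WORK/enc.key" secret "$WORK/plain.key" && echo "plain.key has no passphrase"

    # Rebuild the cacerts layout shown in the original post.
    mkdir -p "$WORK/cacerts"
    cp "$WORK/cacert.pem" "$WORK/cacerts/authconfig_downloaded.pem"
    ln -sf authconfig_downloaded.pem "$WORK/cacerts/$(ca_hash_name "$WORK/cacert.pem")"
    ls -l "$WORK/cacerts"
}

demo
```

Because the key sits on disk without a passphrase, the file mode (0600, owned by root) is the only thing protecting it; pam_ldap runs as root during login, so that is sufficient, but the key should not be readable by ordinary users.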
 
 

 


