[389-users] PAM-LDAP LDAPS (Linux Login) with PAM-LDAP using a client certificate

Rich Megginson rmeggins at redhat.com
Tue May 12 15:31:16 UTC 2009


lambam80 at hotmail.com wrote:
> Hello everybody and, firstly, thanks for your continued support.
>  
> I hope I've used the correct expression/jargon, i.e. PAM-LDAP?
>  
> PAM-LDAP works with LDAPS and binding with cn=Directory 
> Manager/password hardcoded in /etc/ldap.conf - great stuff.
Except for the fact that you have the directory manager clear text 
password hardcoded in ldap.conf :-(
> This was configured using the GUI 
> '/usr/sbin/system-config-authentication' - also great stuff !
>  
> Symbolic Link pointing to the CA certificate: Q1. I've searched the 
> web but cannot find what purpose the symbolic link serves.
> ----------------------------------------
>  
> # ls -toalr /etc/openldap/cacerts
> -rw-r--r-- 1 root 1464 2009-03-10 12:21 authconfig_downloaded.pem
> lrwxrwxrwx 1 root   25 2009-03-10 12:21 123a856c.0 -> 
> authconfig_downloaded.pem
>  
>  
> Client Certificate etc.
> --------------------------
> I'm now experimenting with client certificates and have found the 
> following link:
>  
> http://lists.fini.net/pipermail/ldap-interop/2005-April/000421.html
>  
> and see the following example lines for the file /etc/ldap.conf:
> tls_cert   /usr/share/ssl/certs/ldap.pem ($FN.pem in my case)
> tls_key    /usr/share/ssl/certs/ldap.key.pem ($FN.key for me)
>  
> Q2. ldap.key.pem: Is this file simply the $FN.key file created by the 
> following command ?
> Will I have trouble if I specify '-passout' ? I assume it protects the 
> file $FN.key.
> How will PAM-LDAP open the keystore if I have used a password ?
It probably won't, unless you either hardcode the clear text password, 
or simply have no key password.
>  
> openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -passout 
> pass:<password> 0<< EOF >/dev/null 2>&1
> <SNIP>
>  
> Q3. ldap.pem: Is this file simply the $FN.pem file created by the 
> following command ?
>  
> openssl ca -in ${FN}.csr -out ${FN}.pem -days 7300 -keyfile 
> $DIR/demoCA/private/cakey.pem \
>         -cert $DIR/demoCA/cacert.pem \
>         -passin pass:<CA PASSWORD> << EOF2 >/dev/null 2>&1
> <SNIP>
>  
> Thanks again, cdlt,
> -----------
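As an added example (not code from the thread or from pam_ldap itself): a few shell checks for the files Q1 and Q2 ask about. It assumes the /etc/openldap/cacerts directory from the ls listing above; the key path is passed in, and the function names are my own. The hash-named symlink is what OpenSSL's hashed CA directory lookup expects (the name `openssl x509 -hash` prints, plus `.0`), which is why authconfig creates it next to the downloaded CA certificate.

```shell
#!/bin/sh
# Added example, not code from the thread. Sanity checks for a pam_ldap client-certificate
# setup: the key has to be unencrypted (pam_ldap cannot prompt for a passphrase), so it must
# be protected by file permissions instead, and each CA certificate in the cacerts directory
# needs the <subject-hash>.0 symlink that OpenSSL's hashed-directory lookup uses.

# 0 if the PEM key carries an encryption header (legacy "Proc-Type: 4,ENCRYPTED" or PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY"); such a key cannot be opened unattended by pam_ldap.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# 0 if the file is readable by its owner only (mode 600 or 400); an unencrypted key relies on this.
mode_is_owner_only() {
    m=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$m" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Symlink name OpenSSL expects for a CA certificate in a hashed directory (what c_rehash creates).
cacert_link_name() {
    printf '%s.0\n' "$(openssl x509 -noout -hash -in "$1")"
}

# Report problems for a cacerts directory (default /etc/openldap/cacerts) and the tls_key file.
check_client_setup() {
    dir=${1:-/etc/openldap/cacerts}; key=$2; rc=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        link=$dir/$(cacert_link_name "$pem")
        if [ ! -L "$link" ]; then
            echo "missing hash link for $pem: expected $link"; rc=1
        fi
    done
    if key_is_encrypted "$key"; then
        echo "$key is passphrase-protected; pam_ldap cannot open it without the passphrase"; rc=1
    elif ! mode_is_owner_only "$key"; then
        echo "$key is unencrypted but readable by others; tighten it to mode 600"; rc=1
    fi
    return $rc
}
```

Run it as `check_client_setup /etc/openldap/cacerts /path/to/tls_key` after pointing tls_cert/tls_key at the files; a non-zero exit means one of the listed problems was found.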

