<div dir="ltr">Sorry for the confusion, "server clients certs" means generating certs for the client. These are the exact same steps from the Red Hat manuals. <div><br></div><div>This works if I copy this cacert.asc file to my client machines. But how do I get the clients to use both LDAP servers? As an example, if I specify both LDAP server names, say <a href="http://ldap01.net">ldap01.net</a> <a href="http://ldap02.net">ldap02.net</a>, and if one goes down it will try to get authentication working from the secondary one.</div>
<div><br></div><div>What I am doing is generating the cacert.asc on one server, importing it to the second server, and copying the same cacert.asc across all the client machines.</div><div><br></div><div><br></div></div>
<div class="gmail_extra"><br clear="all"><div><br><div>--</div><div><a href="http://about.me/chandank" target="_blank">http://about.me/chandank</a><br></div></div>
<br><br><div class="gmail_quote">On Sat, Jan 5, 2013 at 4:37 PM, Orion Poplawski <span dir="ltr"><<a href="mailto:orion@cora.nwra.com" target="_blank">orion@cora.nwra.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On 01/04/2013 05:34 PM, Chandan Kumar wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
Hello All,<br>
<br>
I was wondering if anyone could help me with this setup. I would<br>
like to have 2 LDAP servers specified on the clients using SSSD.<br>
<br>
Without TLS/encryption (PAM/NSS) it works just fine; however, the moment<br>
I turn on TLS/StartTLS only one server works whereas the other does not and<br>
gives the "Certification Not trusted" error.<br>
<br>
Here is what I did.<br>
<br>
certutil -S -n "CA certificate" -s "cn=My Org CA cert,dc=my,dc=net" -2<br>
-x -t "CT,," -m 1000 -v 120 -d . -k rsa -f /tmp/pwdfile<br>
<br>
# Generate Directory server clients certs<br></div>
certutil -S -n "Server-Cert" -s "cn=<a href="http://ldap.my.net" target="_blank">ldap.my.net</a> <<a href="http://ldap.my.net" target="_blank">http://ldap.my.net</a>>" -c<div class="im"><br>
"CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa -f /tmp/pwdfile<br>
</div></blockquote>
<br>
Not sure what you mean by "server clients certs" here. This is the server cert for this server. I would think the subject name should just be "<a href="http://ldap.my.net" target="_blank">ldap.my.net</a>", but maybe this form works too. You also need to do this on your second server using its DNS name.<div class="HOEnZb">
<div class="h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
# Export it for ldap clients and other servers<br>
certutil -d . -L -n "CA certificate" -a > cacert.asc<br>
<br>
Then I imported the same cacert.asc file to another 389 server using<br>
"certutil". And copied it at the client as well.<br>
<br>
I would see that the certificate got imported in the GUI console, but for<br>
some reason every time I query from the client to the secondary server (where<br>
I imported the key) it just does not work.<br>
<br>
Would appreciate any help. Not sure what step I am using or what am I<br>
doing wrong.<br>
</blockquote>
<br>
<br>
<br></div></div><span class="HOEnZb"><font color="#888888">
-- <br>
Orion Poplawski<br>
Technical Manager <a href="tel:303-415-9701%20x222" value="+13034159701" target="_blank">303-415-9701 x222</a><br>
NWRA/CoRA Division FAX: <a href="tel:303-415-9702" value="+13034159702" target="_blank">303-415-9702</a><br>
3380 Mitchell Lane <a href="mailto:orion@cora.nwra.com" target="_blank">orion@cora.nwra.com</a><br>
Boulder, CO 80301 <a href="http://www.cora.nwra.com" target="_blank">http://www.cora.nwra.com</a><br>
--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></font></span></blockquote></div><br></div>
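The symptom in this thread (clients trust cacert.asc, yet the second server is reported as not trusted) is quickest to pin down from the client side, per server, before touching sssd.conf. The script below is an added example, not code from the thread, from 389 DS or from SSSD: it performs the LDAP StartTLS extended operation by hand (RFC 4511, OID 1.3.6.1.4.1.1466.20037), then hands the socket to a TLS context that trusts only the exported cacert.asc and insists on a hostname match, which is what SSSD does with ldap_tls_cacert and ldap_tls_reqcert = demand. The hostnames ldap01.net and ldap02.net and the path /etc/openldap/cacerts/cacert.asc are assumed placeholders; substitute the real names used in ldap_uri.

```python
"""Check that every LDAP server in an SSSD failover list presents a certificate
that chains to the CA in cacert.asc and whose subject matches the DNS name the
clients use. Added example, not from the mailing-list thread; host names and the
CA path below are assumptions."""
import socket
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation
LDAP_PORT = 389


def _ber(tag, payload):
    """Minimal BER TLV encoder: one tag byte, definite length (< 65536), payload."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload


def _tlv(buf, pos=0):
    """Decode one BER TLV at pos; returns (tag, value_bytes, position after it)."""
    tag = buf[pos]
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:                       # long-form length
        nbytes = n & 0x7F
        n = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + n], pos + n


def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = _ber(0x77, _ber(0x80, STARTTLS_OID.encode("ascii")))
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + ext)


def starttls_result_code(reply):
    """Extract resultCode from the ExtendedResponse [APPLICATION 24] the server sends back.
    0 means the server agreed to StartTLS; anything else is a refusal."""
    tag, msg, _ = _tlv(reply)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _tlv(msg)        # messageID INTEGER
    tag, ext, _ = _tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = _tlv(ext)           # resultCode ENUMERATED comes first
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def check_server(host, cafile, port=LDAP_PORT, timeout=5):
    """Plain LDAP connect, StartTLS, then verify the server cert against only
    `cafile` with hostname checking on (the SSSD client's view). Returns (ok, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(starttls_request())
            code = starttls_result_code(raw.recv(4096))
            if code != 0:
                return False, f"server refused StartTLS (resultCode {code})"
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return True, f"trusted; subject CN={subject.get('commonName')}"
    except ssl.SSLCertVerificationError as e:
        return False, f"certificate NOT trusted: {e.verify_message}"
    except (OSError, ValueError) as e:
        return False, f"connection failed: {e}"


if __name__ == "__main__":
    import sys
    # Assumed defaults; pass the real CA file and ldap_uri host names as arguments.
    cafile = sys.argv[1] if len(sys.argv) > 1 else "/etc/openldap/cacerts/cacert.asc"
    for host in sys.argv[2:] or ["ldap01.net", "ldap02.net"]:
        ok, detail = check_server(host, cafile)
        print(f"{'OK  ' if ok else 'FAIL'} {host}: {detail}")
```

Run it on a client with the same cacert.asc that sssd.conf points to via ldap_tls_cacert, listing the exact host names from ldap_uri (for example ldap_uri = ldap://ldap01.net, ldap://ldap02.net with ldap_id_use_start_tls = true). A FAIL with "certificate NOT trusted" on only one server means that server's Server-Cert was not issued by the CA in cacert.asc, or its subject does not match the name in ldap_uri; importing the CA certificate into the second server's NSS database is not enough on its own, since each server also needs its own Server-Cert issued by that CA under its own DNS name, which is the point Orion makes above.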