<div dir="ltr">Hi Arpit,<div><br></div><div style>Thanks for your detailed steps. I followed them but got the error below on the secondary LDAP server on restart.</div><div style><br></div><div style>I have copied the outputs and the steps I followed to the pastebin below.</div>
<div style><div style><div><br></div><div><a href="http://pastebin.com/Sd73AEpT">http://pastebin.com/Sd73AEpT</a><br></div><div><br></div><div>Looks like the certificate was not imported properly; I am not sure why. Everywhere I have the same key, but I still get the annoying problem that my client only works with one LDAP server.<br>
</div><div><br></div><div>Say if I manage to make it work with ldap01, it just won't work with ldap02 and vice versa, and I get the annoying "not trusted" error. I get the same problem when setting up replication over TLS. I am using SSSD on the client side and give the parameter below.</div>
<div><br></div><div>ldap_uri = ldaps://<a href="http://ldap.net">ldap.net</a>, ldaps://<a href="http://ldap02.net">ldap02.net</a><br></div></div></div></div><div class="gmail_extra"><br clear="all"><div><br><div>--</div><div><a href="http://about.me/chandank" target="_blank">http://about.me/chandank</a><br></div></div>
<br><br><div class="gmail_quote">On Sun, Jan 6, 2013 at 2:24 AM, Arpit Tolani <span dir="ltr"><<a href="mailto:arpittolani@gmail.com" target="_blank">arpittolani@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello<br>
<div class="im"><br>
On Sun, Jan 6, 2013 at 6:14 AM, Chandan Kumar <<a href="mailto:chandank.kumar@gmail.com">chandank.kumar@gmail.com</a>> wrote:<br>
> Sorry for confusion, "server clients certs" means generating certs for<br>
> client. These are exact same steps from the Redhat manuals.<br>
><br>
> This works if I copy this cacert.asc file to my client machines. But how do I<br>
> get clients working with both LDAP servers? As an example, if I specify both ldap<br>
> server names, say <a href="http://ldap01.net" target="_blank">ldap01.net</a> <a href="http://ldap02.net" target="_blank">ldap02.net</a>, and one goes down, it will try to<br>
> get authentication working from the secondary one.<br>
><br>
> What I am doing is generating the cacert.asc on one server, importing<br>
> it to the second server and copying the same cacert.asc across all the<br>
> client machines.<br>
><br>
<br>
</div>How about creating one CA cert &amp; signing all RHDS servers with the same CA?<br>
Then all you have to do is import only one CA on the clients.<br>
<br>
<br>
Create a CA Certificate<br>
# certutil -S -n "CA certificate" -s "cn=CA cert,dc=directory,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 720 -d . -k rsa<br>
<br>
Make sure you say yes to "Is this a CA certificate [y/N]?" and<br>
everything else will be default.<br>
<br>
Next we create your Server Cert.<br>
Important: make sure the cn is the FQDN of this server.<br>
<br>
<br>
Create cert for <a href="http://ldap1.example.com" target="_blank">ldap1.example.com</a> on <a href="http://ldap1.example.com" target="_blank">ldap1.example.com</a><br>
# certutil -S -n "directory-Server-Cert-1" -s "cn=<a href="http://ldap1.example.com" target="_blank">ldap1.example.com</a>" -c "CA certificate" -t "u,u,u" -m 1001 -v 720 -d . -k rsa<br>
<br>
<br>
Create cert for <a href="http://ldap2.example.com" target="_blank">ldap2.example.com</a> on <a href="http://ldap1.example.com" target="_blank">ldap1.example.com</a><br>
# certutil -S -n "directory-Server-Cert-2" -s "cn=<a href="http://ldap2.example.com" target="_blank">ldap2.example.com</a>" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -k rsa<br>
<br>
Then check to make sure it looks OK:<br>
# certutil -L -n "directory-Server-Cert-2" -d .<br>
<br>
Export keys & certs for <a href="http://ldap2.example.com" target="_blank">ldap2.example.com</a><br>
# pk12util -d . -o server2.p12 -n directory-Server-Cert-2<br>
# certutil -L -d . -n "CA certificate" -a > cacert.asc<br>
<br>
Copy the 'server2.p12' and 'cacert.asc' created above to the 2nd Red<br>
Hat Directory Server.<br>
<br>
Create your public CA cert for your clients.<br>
# certutil -d . -L -n "CA certificate" -a > my-public-ca.asc<br>
<br>
<br>
While logged in to the 2nd RHDS i.e. <a href="http://ldap2.example.com" target="_blank">ldap2.example.com</a>, run the following:<br>
<br>
# service dirsrv stop<br>
# cd /etc/dirsrv/slapd-INSTANCE2/<br>
# mv /path/to/server2.p12 /etc/dirsrv/slapd-INSTANCE2/<br>
# mv /path/to/cacert.asc /etc/dirsrv/slapd-INSTANCE2/<br>
# pk12util -d . -i server2.p12<br>
# certutil -A -d . -n "CA certificate" -t "CT,," -a -i cacert.asc<br>
# service dirsrv start<br>
<br>
<br>
Hope that helps.<br>
<br>
<br>
Regards<br>
<span class="HOEnZb"><font color="#888888">Arpit Tolani<br>
</font></span><div class="HOEnZb"><div class="h5">--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></div></div></blockquote></div><br></div>
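Added example, not code from the thread or from 389-ds: a shell script that reproduces the single-CA layout Arpit describes in throwaway NSS databases and then runs the check a practitioner wants after the import step, certutil -V on the second server's database, which fails with the same "not trusted" condition clients see when the CA import went wrong. It assumes the NSS tools (certutil, pk12util) are installed; the directory names, passwords and example.com hostnames are constructed, and the -8 SAN flag is an addition beyond the thread's commands.

```shell
#!/bin/sh
# Added example (not from the thread): build Arpit's single-CA layout in throwaway
# NSS databases, then verify the second server's cert chains to the shared CA.
# Requires certutil/pk12util. Names, passwords and hostnames are constructed.
set -eu
if ! command -v certutil >/dev/null 2>&1 || ! command -v pk12util >/dev/null 2>&1; then
  echo "certutil/pk12util not installed; nothing to demonstrate" >&2; exit 0
fi

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
DB1="$WORK/db-ldap1"; DB2="$WORK/db-ldap2"   # NSS databases of ldap1 and ldap2
echo "demo-db-password" > "$WORK/pw"          # NSS DB password file (-f / -k)
head -c 64 /dev/urandom > "$WORK/noise"       # key-generation entropy (-z)
mkdir -p "$DB1" "$DB2"
certutil -N -d "$DB1" -f "$WORK/pw"
certutil -N -d "$DB2" -f "$WORK/pw"

# One self-signed CA. The -2 prompts are answered non-interactively:
# CA cert? y / path length: default / critical extension? y
printf 'y\n\ny\n' | certutil -S -d "$DB1" -f "$WORK/pw" -z "$WORK/noise" \
  -n "CA certificate" -s "cn=CA cert,dc=example,dc=com" \
  -2 -x -t "CT,," -m 1000 -v 12 -k rsa >/dev/null

# Server certs signed by that CA. cn is the FQDN, and -8 adds it as a SAN as
# well, because modern TLS clients match the hostname against the SAN.
issue_server_cert() {  # $1 nickname, $2 fqdn, $3 serial
  certutil -S -d "$DB1" -f "$WORK/pw" -z "$WORK/noise" -n "$1" -s "cn=$2" -8 "$2" \
    -c "CA certificate" -t "u,u,u" -m "$3" -v 12 -k rsa >/dev/null
}
issue_server_cert directory-Server-Cert-1 ldap1.example.com 1001
issue_server_cert directory-Server-Cert-2 ldap2.example.com 1002

# Export ldap2's key+cert (PKCS#12) and the CA cert (PEM), as in the thread.
pk12util -d "$DB1" -k "$WORK/pw" -o "$WORK/server2.p12" \
  -n directory-Server-Cert-2 -W demo-p12-password
certutil -L -d "$DB1" -n "CA certificate" -a > "$WORK/cacert.asc"

# Import on ldap2: the key+cert bundle, then the CA as a trusted root (CT,,).
pk12util -d "$DB2" -k "$WORK/pw" -i "$WORK/server2.p12" -W demo-p12-password
certutil -A -d "$DB2" -n "CA certificate" -t "CT,," -a -i "$WORK/cacert.asc"

# The check: does the named cert validate for SSL-server usage (-u V) against the
# trust in this DB? certutil -V exits non-zero when the chain is not trusted.
verify_server_cert() {  # $1 db dir, $2 nickname
  certutil -V -d "$1" -n "$2" -u V >/dev/null 2>&1
}
verify_server_cert "$DB2" directory-Server-Cert-2 && echo "ldap2 cert chains to the shared CA"
```

Run the same verify_server_cert check against the real /etc/dirsrv/slapd-INSTANCE directory of each server to confirm both certificates chain to the one CA the clients import.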