[Fedora-directory-users] Issues with SSL/Admin console
by Brian Kosick
Hi All,
I have a quick question. I had SSL all setup and running on both the
admin server, and the directory server. My manager wanted it setup on
his windows box, so I followed the WindowsConsole HOWTO, and kept
getting stuck in the Mozilla libs not being able to make the SSL socket
connection, returning with class not found. I disabled SSL on the
admin server and was able to connect to that, and then disabled SSL on
the directory server, but couldn't get it to work. Now on my linux
admin console, which worked beautifully before, It keeps trying to
connect to port 636, rather than 389.
I have tried re-enabling SSL in the directory server by following the
SSL Howto, but I keep getting
ldapadd -f /tmp/ssl_enable.ldif -xv -D "cn=Directory Manager" -h
qapxe.corp.mxlogic.com -w <snip>
ldap_initialize( ldap://qapxe.corp.mxlogic.com )
ldapadd: invalid format (line 8) entry: "cn=encryption,cn=config"
Based on a list thread that I found, I removed all the newlines in
cipher list and still have the same issue.
Here's my enable_ssl.ldif
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,
+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,
+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,
+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
-
add: nsKeyfile
nsKeyfile: alias/slapd-qapxe-key3.db
-
add: nsCertfile
nsCertfile: alias/slapd-qapxe-cert8.db
dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
My question is how do I either get the admin console to try to connect
via 389, rather than 636, or get SSL re-enabled on the directory server.
Thanks in advance
Brian
18 years, 6 months
[Fedora-directory-users] About the password sync feature
by Thierry Lanfranchi
Hello there,
I'm in the process of installing a new LDAP directory using FDS, and am
willing to synchronize the password modifications between AD domains and
the corresponding users in the LDAP directory. These users are not
synchronized, but the ntUserDomain attribute is set to the corresponding
AD account.
After reading the RH admin guide, I still have a few questions, which are :
1_ Can the Password Sync feature be implemented without having to
implement synchronization of the accounts between AD and FDS ?
2_ When you have multiple AD servers per domain, and multiple AD
domains, how many copies of the PassSync service do you need to install
? Can the service be installed on only one server per domain, or do I
need to install it on every server ? (I'm no AD guru, so I'm not sure
how and when the password is definitly encoded on AD).
Thanks in advance for your answers,
Regards,
Thierry
18 years, 6 months