Fulda, Paul R (IS) wrote:
> Hi,
> I am trying to configure the Password Policy for my users and read
> that you would not be able to use the Policy unless you set up SSL/TLS.
> I am using 389 Server version 1.2.2. Also I am running the Server on
> Fedora 11 64 bit. All clients are also Fedora 11 64 bit.
> I followed the instructions in setting up SSL here at
> http://directory.fedoraproject.org/wiki/Howto:SSL
> I ran the setupssl2.sh script and it completed with no errors. In the
> 389 Admin Console I could see the certificates for both the Admin
> Server and DS Server in the Manage Certificates screens.
> Also, I do not want to use SSL for the Admin Server or the Admin
> Console. I just want to be able to use it for user authentication so
> the Password Policy works.
> Bottom line is that I cannot get both features (Password Policies and
> SSL) working. Any help would be greatly appreciated.
> Up to this point here are my questions:
>
> 1) In the Directory Server GUI from the 389 Admin Console what
> certificate do I use to populate the Certificate field in the
> Encryption Tab?
> There are 3 choices it provides after running the
> setupssl2.sh script which are CA Certificate, server-cert,
> and server-Cert.

For Directory Server, use Server-Cert
For Admin Server, use server-cert
CA Certificate is the CA certificate

> 2) In the Client Authentication Block in the same Encryption Tab as #1
> above, I have selected "Require client authentication". Is this correct?

no

> Is this how you force the Directory Server to use only
> port 636 for secure communications?

no

> If not, how do you do that?

We don't yet have a UI for that, but see the new minssf feature in
389-ds-base-1.2.3 and later
http://directory.fedoraproject.org/wiki/Roadmap#389_Directory_Server_1.2....

> 3) What are the differences between /etc/openldap/ldap.conf and
> /etc/ldap.conf? What are the client configurations needed to make this
> work?
> The only ldap.conf file that
> http://directory.fedoraproject.org/wiki/Howto:SSL talks
> about configuring is the /etc/openldap/ldap.conf file.
> My /etc/openldap/ldap.conf file looks like this:
>
> URI ldap://hadmina.eidev.ngc.com/
> BASE dc=eidev, dc=ngc, dc=com
> TLS_CACERT /etc/openldap/cacerts
> TLS_REQCERT allow

/etc/openldap/ldap.conf is only used by the openldap command line tools
such as ldapsearch, ldapmodify, et al. - see man ldap.conf
/etc/ldap.conf is used by nss_ldap/pam_ldap - see man pam_ldap

> 4) How do you get the certificate on the client machines? What I did
> was copy from the server the cacert.asc file that is located in
> /etc/dirsrv/slapd-hadmina
> to the client machine in /etc/openldap/cacerts directory.
> Is this correct?

Yes.

> Thanks and I hope there is someone out there that can help me get this
> working!
> Paul
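An added check for the client-side file discussed in question 3 (this is editor-supplied example code, not part of the thread or of 389/OpenLDAP). It lints an OpenLDAP client ldap.conf for the settings that decide whether the server certificate is actually verified: TLS_CACERT takes a PEM file while a directory belongs in TLS_CACERTDIR, and any TLS_REQCERT other than demand/hard tolerates a bad certificate (per man ldap.conf). The sample config is constructed to mirror the one quoted above, in a temp directory, and the hostname and paths in it are placeholders.

```shell
#!/bin/sh
# Lint an OpenLDAP client ldap.conf (read by ldapsearch/ldapmodify; nss_ldap
# and pam_ldap read /etc/ldap.conf instead). One finding per output line:
#   TLS_CACERT naming a directory (use TLS_CACERTDIR, or name the PEM file)
#   TLS_REQCERT weaker than demand (unverifiable server cert is tolerated)
#   a plain ldap:// URI (cleartext unless the tool requests StartTLS)
lint_ldap_conf() {
    while read -r key value; do
        case "$key" in
            ""|\#*) ;;                              # blank line or comment
            TLS_CACERT)
                if [ -d "$value" ]; then
                    echo "TLS_CACERT is a directory ($value): use TLS_CACERTDIR, or point TLS_CACERT at the CA PEM file"
                elif [ ! -f "$value" ]; then
                    echo "TLS_CACERT file not found: $value"
                fi ;;
            TLS_REQCERT)
                case "$value" in
                    demand|hard) ;;
                    *) echo "TLS_REQCERT $value: certificate failures are tolerated, use demand" ;;
                esac ;;
            URI)
                case "$value" in
                    ldap://*) echo "URI $value is cleartext unless the client uses StartTLS (ldapsearch -ZZ); consider ldaps://" ;;
                esac ;;
        esac
    done < "$1"
}

# Number of findings, for scripted checks.
count_findings() { lint_ldap_conf "$1" | awk 'END { print NR }'; }

# Constructed sample in a temp dir: "posted" mirrors the config quoted in the
# thread, "fixed" is the hardened variant. Prints the path of the ldap.conf.
make_sample_conf() {
    dir=$(mktemp -d)
    mkdir -p "$dir/cacerts"
    : > "$dir/cacerts/cacert.asc"      # stands in for the CA cert copied from the server
    if [ "$1" = fixed ]; then
        printf 'URI ldaps://hadmina.eidev.ngc.com/\nBASE dc=eidev, dc=ngc, dc=com\nTLS_CACERT %s/cacerts/cacert.asc\nTLS_REQCERT demand\n' "$dir" > "$dir/ldap.conf"
    else
        printf 'URI ldap://hadmina.eidev.ngc.com/\nBASE dc=eidev, dc=ngc, dc=com\nTLS_CACERT %s/cacerts\nTLS_REQCERT allow\n' "$dir" > "$dir/ldap.conf"
    fi
    echo "$dir/ldap.conf"
}

lint_ldap_conf "$(make_sample_conf posted)"
```

Run it against the real /etc/openldap/ldap.conf with `lint_ldap_conf /etc/openldap/ldap.conf`; an empty result means the three checks pass, not that the CA file itself is the right one.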
------------------------------------------------------------------------
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users