I'm trying to set up two 389 Directory Services servers in a replication scenario. I
can do this quite easily without any SSL/TLS setup.
In an effort to improve the security of our environment, I would like to get TLS
configured so that this replication (and all LDAP authentication attempts) are encrypted.
Using the scripts provided at
http://directory.fedoraproject.org/wiki/Howto:SSL I can get
one server using SSL; however, when I try to establish the cross-server communication, the
SSL/TLS keys appear to fall apart.
My understanding from the logs on the systems is that the reason is that the two servers
(FDSMEM1 and FDSMEM2) do not have a common CA, and so their server certs do not trust each
other.
So, I have set up TinyCA and created a CA cert from a third server. I have generated
manual cert requests on the two LDAP servers (after registering the CA cert) and generated
the certificates. Replication appears to be working through TLS.
Now, the problem I am having.
When I run the 'certutil -L -d . -n "CA certificate" -a > cacert.asc'
command I get a cacert.asc. When I deploy this cacert.asc to my LDAP clients as the key
for TLS to start, though, it appears that something isn't handshaking well and I am
never able to query the LDAP server from a client.
Has anyone gotten a 389DS system (or pair of systems) fully working with certs managed
& created by TinyCA2? If so, what are the gotchas that I must be missing to get this
working? Would anyone be willing to help me write a HOWTO on getting this working so that
it would be outlined more effectively for newer users?
Thanks.
--
Jeff Moody
Senior Systems Engineer
Electronic Vaulting Services
5050 Poplar Ave., Suite 1600
Memphis, TN 38157
(901) 259-2387 - 24x7 Helpdesk
(901) 213-5146 - Office
(901) 497-1444 - Mobile
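A quick way to narrow down the "something isn't handshaking" symptom above is to check, before deploying cacert.asc to any client, that the exported file really is a CA certificate, that the server's certificate chains to it, and that the certificate is valid for the hostname the clients will use. The script below is an added example and is not part of the original post or of 389DS; it assumes only the openssl CLI. To run stand-alone it builds a throwaway test CA, a server certificate for a constructed hostname signed by that CA, and a second, unrelated CA; in real use you would point the three check functions at the cacert.asc exported with certutil and at the server certificate exported from the NSS database the same way (using the server certificate's own nickname).

```shell
#!/bin/sh
# Added example (not from the original post): pre-deployment checks for an
# exported CA certificate. Requires the openssl CLI. All key material here is
# constructed on the fly in a temp dir and discarded on exit.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a constructed test PKI: a CA, a server cert signed by it, and an
# unrelated CA standing in for a second server's self-generated CA.
make_test_pki() {
  # Throwaway CA key + self-signed CA cert with an explicit CA:TRUE constraint.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca_ext.cnf"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 2 \
    -extfile "$WORK/ca_ext.cnf" -out "$WORK/cacert.asc" >/dev/null 2>&1

  # Server key + cert for a constructed hostname, signed by the test CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=fdsmem1.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:fdsmem1.example.test\nbasicConstraints=CA:FALSE\n' \
    > "$WORK/srv_ext.cnf"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.asc" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORK/srv_ext.cnf" -out "$WORK/server.pem" >/dev/null 2>&1

  # A second CA that did not sign the server cert (the "no common CA" case).
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Unrelated Test CA" \
    -days 2 -keyout "$WORK/other.key" -out "$WORK/other_ca.pem" >/dev/null 2>&1
}

# Prints "yes" if the file carries a CA:TRUE basic constraint, i.e. it is a
# CA certificate a client can sensibly trust, otherwise "no".
is_ca_cert() {
  if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

# Prints "ok" if the server cert ($2) chains to the CA file ($1), else "fail".
chain_ok() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Prints "ok" if the chain is valid AND the server cert ($2) is valid for the
# hostname ($3) the clients will connect to, else "fail".
hostname_ok() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_test_pki
echo "exported file is a CA cert:        $(is_ca_cert "$WORK/cacert.asc")"
echo "server cert chains to exported CA: $(chain_ok "$WORK/cacert.asc" "$WORK/server.pem")"
echo "valid for fdsmem1.example.test:    $(hostname_ok "$WORK/cacert.asc" "$WORK/server.pem" fdsmem1.example.test)"
echo "valid for fdsmem2.example.test:    $(hostname_ok "$WORK/cacert.asc" "$WORK/server.pem" fdsmem2.example.test)"
echo "server cert chains to other CA:    $(chain_ok "$WORK/other_ca.pem" "$WORK/server.pem")"
```

The last two lines show the two failure modes that most often produce a silent TLS failure on the client side: a certificate that is perfectly valid but issued for a different name than the one the client is configured to use, and a CA file that simply did not issue the server's certificate. Either one fails the handshake without the server logging anything useful.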