[389-users] OS to authenticate to DS using TLS

John A. Sullivan III jsullivan at opensourcedevel.com
Wed Jun 17 14:58:38 UTC 2009


I was able to dig out that portion of the plan from our internal docs:

We need to import the CA cert into the database of the
centos-idm-console user, i.e., the user running the GUI.  In their home
directory is a .centos-idm-console.  Enter that directory and issue the
following command (assuming it is running on the same computer as the
admin-server - otherwise change the CA cert source appropriately):
certutil -A -d . -n "CA certificate" -t "CT,," -a
-i /etc/dirsrv/admin-serv/CA.pem

Close the centos-idm-console if it is still running. Reopen it but be
sure to change the login Administration URL to
https://ldap1.mycompany.com:9830 rather than http.


On Wed, 2009-06-17 at 10:46 -0400, John A. Sullivan III wrote:
> I believe we encountered this problem, too, and found we needed to
> import the CA cert into the nss database for the user running
> centos-idm-console.  The details are in that long, long, post - John
> 
> On Wed, 2009-06-17 at 09:12 -0500, Doug Coats wrote:
> > Thanks Dave - that worked.
> >  
> > I still have some problem with the certificates though.
> >  
> > If I try this in the directory where the certificates are:
> >  
> > openssl s_client -connect localhost:636 -CAfile filename
> >  
> > I get a listing of the certificates without errors.
> >  
> > If I try: 
> >  
> > ldapsearch -H ldaps://localhost:636
> >  
> > ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> >         additional info: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > If I start the console using:
> >  
> > centos-idm-console -a https://127.0.0.1:9830
> >  
> > I have to "Accept" the certificate each time.  
> >  
> > It looks like there may be some problem with the certificate or some
> > setting in DS that still needs to be switched on.
> >  
> > What do you think?
> >  
> > Thanks again for all of your help!
> > 
> > 
> > On Wed, Jun 17, 2009 at 7:58 AM, David (Dave) Donnan
> > <david.donnan at thalesgroup.com> wrote:
> >         Hello. I think I understand the problem.
> >         
> >         I copied the CA cert locally to /tmp/CAcert.txt
> >         
> >         I then ran 'system-config-authentication'  and used a URL like
> >         the following (where it says 'Download CA Certificate'):
> >         
> >         file:///tmp/CAcert.txt
> >         
> >         It's a lazy man's approach but it worked.
> >         
> >         Cdlt, Dave
> >         -------- 
> >         
> >         
> >         
> >         And John A. Sullivan III wrote: 
> >         > On Tue, 2009-06-16 at 19:25 -0500, Doug Coats wrote:
> >         >   
> >         > > So my next hurdle I am tackling SSL certificates.  I produced
> >         > > self-signed certificates and have installed them in through the
> >         > > Management Console.  I can run the Management Console using a secure
> >         > > connection.
> >         > >  
> >         > > Linux uses DS to authenticate (configured using System >
> >         > > Administration > Authentication and enabling LDAP support).  If I try
> >         > > to "Use TLS to encrypt connection" I can't program a URL that will let
> >         > > me download the CA Certificate successfully. I hope that all made
> >         > > sense.
> >         > >  
> >         > > Am I missing something?  Do I need this?
> >         > >     
> >         > <snip>
> >         >   
> >         > Sorry, I don't quite follow.  I know it was a difficult-to-follow post
> >         > but I did post how we set up SSL communications including the client
> >         > side setup.  We simply copied the CA cert to the clients (servers using
> >         > LDAP for authentication) via scp - John
> >         >   
> >         
> >         
> >         
> >         --
> >         389 users mailing list
> >         389-users at redhat.com
> >         https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >         
> > 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
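A POSIX shell helper, added here and not part of the thread, that performs the certutil import described at the top of this message and then checks that the imported certificate actually carries CA trust for SSL, the missing trust being the usual reason the console keeps asking to "Accept" the certificate. It assumes the same CA file (/etc/dirsrv/admin-serv/CA.pem), NSS directory (~/.centos-idm-console) and nickname as the post; CA_PEM and NSS_DIR can be overridden.

```shell
#!/bin/sh
# Added example, not from the thread: import the admin-server CA certificate into
# the console user's NSS database and verify the trust flags that result.
# Assumptions: the CA file and NSS directory are the ones named in the post;
# override with CA_PEM and NSS_DIR if your layout differs.
set -eu

CA_PEM="${CA_PEM:-/etc/dirsrv/admin-serv/CA.pem}"
NSS_DIR="${NSS_DIR:-${HOME:-.}/.centos-idm-console}"
NICK="CA certificate"

# Read `certutil -L` output on stdin and print the trust-flag column for the
# given nickname (nicknames may contain spaces, so strip the last field instead
# of splitting on whitespace).
nss_trust_flags() {
    awk -v n="$1" '{
        flags = $NF; line = $0
        sub(/[ \t]+[^ \t]+$/, "", line)   # drop the trailing flags field
        if (line == n) print flags
    }'
}

# Trust flags are "ssl,email,objsign"; a "C" in the SSL slot means the cert is
# trusted to issue server certificates, which is what ldaps/https needs.
is_trusted_ssl_ca() {
    case "${1%%,*}" in
        *C*) return 0 ;;
    esac
    return 1
}

# Perform the import and fail loudly if the trust did not end up as expected,
# the symptom in this thread being a console that asks to accept the cert on
# every login.
import_ca() {
    [ -r "$CA_PEM" ] || { echo "cannot read CA file: $CA_PEM" >&2; return 1; }
    [ -d "$NSS_DIR" ] || { echo "no NSS db dir: $NSS_DIR (run the console once)" >&2; return 1; }
    certutil -A -d "$NSS_DIR" -n "$NICK" -t "CT,," -a -i "$CA_PEM"
    flags=$(certutil -L -d "$NSS_DIR" | nss_trust_flags "$NICK")
    is_trusted_ssl_ca "$flags" || { echo "import did not set CA trust: '$flags'" >&2; return 1; }
    echo "'$NICK' imported into $NSS_DIR with trust $flags"
}

# Only run the import when invoked with --run, so the helpers can be sourced.
if [ "${1:-}" = "--run" ]; then
    import_ca
fi
```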