[389-users] Help with setting up Password Policy and SSL/TLS
Rich Megginson
rmeggins at redhat.com
Thu Jan 14 19:36:05 UTC 2010
Fulda, Paul R (IS) wrote:
>
> Hi,
>
> I am trying to configure the Password Policy for my users and read
> that you would not be able to use the Policy unless you set up SSL/TLS.
>
> I am using 389 Server version 1.2.2. Also I am running the Server on
> Fedora 11 64 bit. All clients are also Fedora 11 64 bit.
>
> I followed the instructions in setting up SSL here at
> http://directory.fedoraproject.org/wiki/Howto:SSL
>
> I ran the setupssl2.sh script and it completed with no errors. In the
> 389 Admin Console I could see the certificates for both the Admin
> Server and DS Server in the
>
> Manage Certificates screens.
>
> Also, I do not want to use SSL for the Admin Server or the Admin
> Console. I just want to be able to use it for user authentication so
> the Password Policy works.
>
> Bottom line is that I cannot get both features (Password Policies and
> SSL) working. Any help would be greatly appreciated.
>
> Up to this point here are my questions:
>
> 1) In the Directory Server GUI from the 389 Admin Console what
> certificate do I use to populate the Certificate field in the
> Encryption Tab?
>
> There are 3 choices it provides after running the
> sslsetup2.sh script which are CA Certificate, server-cert,
> and server-Cert.
>
For Directory Server, use Server-Cert
For Admin Server, use server-cert
CA Certificate is the CA certificate
>
> 2) In the Client Authentication Block in the same Encryption Tab as #1
> above, I have selected “Require client authentication”. Is this correct?
>
no
>
> Is this how you force the Directory Server to use only
> port 636 for secure communications?
>
no
>
> If not, how do you do that?
>
We don't yet have a UI for that, but see the new minssf feature in
389-ds-base-1.2.3 and later
http://directory.fedoraproject.org/wiki/Roadmap#389_Directory_Server_1.2.3_-_October_7.2C_2009
>
> 3) What are the differences between /etc/openldap/ldap.conf and
> /etc/ldap.conf? What are the client configurations needed to make this
> work?
>
> The only ldap.conf file that
> http://directory.fedoraproject.org/wiki/Howto:SSL talks
> about configuring is the /etc/openldap/ldap.conf file.
>
> My /etc/openldap/ldap.conf file looks like this:
>
> URI ldap://hadmina.eidev.ngc.com/
>
> BASE dc=eidev, dc=ngc, dc=com
>
> TLS_CACERT /etc/openldap/cacerts
>
> TLS_REQCERT allow
>
/etc/openldap/ldap.conf is only used by the openldap command line tools
such as ldapsearch, ldapmodify, et al. - see man ldap.conf
/etc/ldap.conf is used by nss_ldap/pam_ldap - see man pam_ldap
>
> 4) How do you get the certificate on the client machines? What I did
> was copy from the server the cacert.asc file that is located in
> /etc/dirsrv/slapd-hadmina
>
> to the client machine in /etc/openldap/cacerts directory.
> Is this correct?
>
Yes.
>
> Thanks and I hope there is someone out there that can help me get this
> working!
>
> Paul
>
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
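The thread above turns on what the client-side /etc/openldap/ldap.conf actually does with the CA certificate copied from the server. Per ldap.conf(5), TLS_CACERT names a PEM file, TLS_CACERTDIR names a directory of hashed certificates, and TLS_REQCERT controls whether the server certificate is verified at all: "allow" and "try" proceed even when the certificate is missing or fails to verify, only "demand" (the default) or "hard" make a bad certificate fatal. The script below is an added example, not code from the thread or from the 389 project; it checks a client ldap.conf for those three settings and runs itself against two constructed configs (one mirroring the weak pattern, one hardened). The host name, base DN, paths and the stand-in CA file are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check an OpenLDAP client ldap.conf (the file used by
# ldapsearch/ldapmodify) before relying on it for STARTTLS against 389 DS.
#
# Checks, based on ldap.conf(5) semantics:
#   TLS_REQCERT   must be "demand" or "hard"; "allow"/"try"/"never" let the
#                 session proceed with an unverified or missing server cert.
#   TLS_CACERT    must be a PEM file (e.g. the copied cacert.asc); a directory
#                 belongs in TLS_CACERTDIR instead.
#   URI           should be ldap:// (then use ldapsearch -ZZ) or ldaps://.
# check_ldap_conf returns 0 when the file passes, 1 otherwise.

conf_value() {
    # conf_value FILE KEY -> last value of KEY in FILE (keys are case-insensitive)
    awk -v key="$2" 'toupper($1) == key { v = $2 } END { print v }' "$1"
}

check_ldap_conf() {
    file=$1
    ok=0
    reqcert=$(conf_value "$file" TLS_REQCERT)
    cacert=$(conf_value "$file" TLS_CACERT)
    cacertdir=$(conf_value "$file" TLS_CACERTDIR)
    uri=$(conf_value "$file" URI)

    case "$reqcert" in
        demand|hard) ;;
        "") echo "INFO: TLS_REQCERT unset; library default is demand, state it explicitly" ;;
        *)  echo "FAIL: TLS_REQCERT $reqcert does not verify the server certificate"; ok=1 ;;
    esac

    if [ -n "$cacert" ]; then
        if [ -d "$cacert" ]; then
            echo "FAIL: TLS_CACERT $cacert is a directory; use TLS_CACERTDIR for directories"; ok=1
        elif [ ! -f "$cacert" ]; then
            echo "FAIL: TLS_CACERT $cacert does not exist on this host"; ok=1
        elif ! grep -q 'BEGIN CERTIFICATE' "$cacert"; then
            echo "FAIL: TLS_CACERT $cacert does not look like a PEM certificate"; ok=1
        fi
    elif [ -n "$cacertdir" ]; then
        [ -d "$cacertdir" ] || { echo "FAIL: TLS_CACERTDIR $cacertdir is not a directory"; ok=1; }
    else
        echo "FAIL: neither TLS_CACERT nor TLS_CACERTDIR set; server cert cannot chain to the CA"; ok=1
    fi

    case "$uri" in
        ldaps://*) ;;
        ldap://*)  echo "INFO: ldap:// URI; run ldapsearch with -ZZ so the session fails unless STARTTLS succeeds" ;;
        *)         echo "FAIL: URI '$uri' is not ldap:// or ldaps://"; ok=1 ;;
    esac
    return $ok
}

# Constructed sample inputs (hypothetical host, DN and paths), built in a temp dir.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
mkdir "$WORKDIR/cacerts"                                        # a directory, like /etc/openldap/cacerts
printf -- '-----BEGIN CERTIFICATE-----\nMIIB...stand-in...\n-----END CERTIFICATE-----\n' \
    > "$WORKDIR/cacert.asc"                                     # stands in for the copied cacert.asc
WEAK_CONF=$WORKDIR/weak.conf
GOOD_CONF=$WORKDIR/good.conf
cat > "$WEAK_CONF" <<EOF
URI ldap://ldap.example.test/
BASE dc=example,dc=test
TLS_CACERT $WORKDIR/cacerts
TLS_REQCERT allow
EOF
cat > "$GOOD_CONF" <<EOF
URI ldap://ldap.example.test/
BASE dc=example,dc=test
TLS_CACERT $WORKDIR/cacert.asc
TLS_REQCERT demand
EOF

echo "== weak.conf";  check_ldap_conf "$WEAK_CONF" || echo "   result: NOT OK"
echo "== good.conf";  check_ldap_conf "$GOOD_CONF" && echo "   result: OK"
```

Once the file passes, the live check from a client is `LDAPTLS_REQCERT=demand ldapsearch -ZZ -x -H ldap://host -b '' -s base`: `-ZZ` aborts unless StartTLS succeeds, and the environment variable forces certificate verification for that one run regardless of what ldap.conf says, so a chain failure shows up as a TLS error rather than a silently unverified session. Note that this only covers the OpenLDAP tools; nss_ldap/pam_ldap read /etc/ldap.conf and must be configured separately, as the reply above points out.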