[389-users] Help with setting up Password Policy and SSL/TLS

Rich Megginson rmeggins at redhat.com
Thu Jan 14 19:36:05 UTC 2010


Fulda, Paul R (IS) wrote:
>
> Hi,
>
> I am trying to configure the Password Policy for my users and read 
> that you would not be able to use the Policy unless you set up SSL/TLS.
>
> I am using 389 Server version 1.2.2. Also I am running the Server on 
> Fedora 11 64 bit. All clients are also Fedora 11 64 bit.
>
> I followed the instructions in setting up SSL here at 
> http://directory.fedoraproject.org/wiki/Howto:SSL
>
> I ran the setupssl2.sh script and it completed with no errors. In the 
> 389 Admin Console I could see the certificates for both the Admin 
> Server and DS Server in the
>
> Manage Certificates screens.
>
> Also, I do not want to use SSL for the Admin Server or the Admin 
> Console. I just want to be able to use it for user authentication so 
> the Password Policy works.
>
> Bottom line is that I cannot get both features (Password Policies and 
> SSL) working. Any help would be greatly appreciated.
>
> Up to this point here are my questions:
>
> 1) In the Directory Server GUI from the 389 Admin Console what 
> certificate do I use to populate the Certificate field in the 
> Encryption Tab?
>
>             There are 3 choices it provides after running the
>             sslsetup2.sh script which are CA Certificate, server-cert,
>             and server-Cert.
>
For Directory Server, use Server-Cert
For Admin Server, use server-cert
CA Certificate is the CA certificate
>
> 2) In the Client Authentication Block in the same Encryption Tab as #1 
> above, I have selected “Require client authentication”. Is this correct?
>
no
>
>             Is this how you force the Directory Server to use only
>             port 636 for secure communications?
>
no
>
>             If not, how do you do that?
>
We don't yet have a UI for that, but see the new minssf feature in 
389-ds-base-1.2.3 and later
http://directory.fedoraproject.org/wiki/Roadmap#389_Directory_Server_1.2.3_-_October_7.2C_2009
>
> 3) What are the differences between /etc/openldap/ldap.conf and 
> /etc/ldap.conf? What are the client configurations needed to make this 
> work?
>
>             The only ldap.conf file that
>             http://directory.fedoraproject.org/wiki/Howto:SSL talks
>             about configuring is the /etc/openldap/ldap.conf file.
>
>             My /etc/openldap/ldap.conf file looks like this:
>
>             URI ldap://hadmina.eidev.ngc.com/
>
>             BASE dc=eidev, dc=ngc, dc=com
>
>             TLS_CACERT /etc/openldap/cacerts
>
>             TLS_REQCERT allow
>
/etc/openldap/ldap.conf is only used by the openldap command line tools 
such as ldapsearch, ldapmodify, et al. - see man ldap.conf

/etc/ldap.conf is used by nss_ldap/pam_ldap - see man pam_ldap
>
> 4) How do you get the certificate on the client machines? What I did 
> was copy from the server the cacert.asc file that is located in 
> /etc/dirsrv/slapd-hadmina
>
>             to the client machine in /etc/openldap/cacerts directory.
>             Is this correct?
>
Yes.
>
> Thanks and I hope there is someone out there that can help me get this 
> working!
>
> Paul
>
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
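An added example, not from the thread: a small POSIX shell audit of the client-side /etc/openldap/ldap.conf that Paul posted, run against a constructed copy written to a temporary directory. It assumes the semantics documented in man ldap.conf, namely that TLS_CACERT names a file while TLS_CACERTDIR names a directory, and that TLS_REQCERT allow lets the client proceed when the server certificate is missing or cannot be verified, so the script flags the settings that leave the server certificate unchecked.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenLDAP client ldap.conf
# for settings that leave the server certificate unverified.

write_sample_conf() {
    # Constructed copy of the ldap.conf quoted in the thread; the cacerts
    # path is redirected to a temporary directory so the check is deterministic.
    dir=$(mktemp -d)
    mkdir "$dir/cacerts"
    cat > "$dir/ldap.conf" <<EOF
URI ldap://hadmina.eidev.ngc.com/
BASE dc=eidev, dc=ngc, dc=com
TLS_CACERT $dir/cacerts
TLS_REQCERT allow
EOF
    echo "$dir/ldap.conf"
}

audit_ldap_conf() {
    # $1 = path to an ldap.conf; prints one finding per line (none = clean)
    conf="$1"
    uri=$(awk 'toupper($1)=="URI"{print $2}' "$conf")
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' "$conf")
    cacert=$(awk 'toupper($1)=="TLS_CACERT"{print $2}' "$conf")
    cacertdir=$(awk 'toupper($1)=="TLS_CACERTDIR"{print $2}' "$conf")

    case "$uri" in
        ldaps://*) ;;
        *) echo "URI '$uri' is plain ldap://; use ldaps:// or StartTLS (-ZZ) for every bind" ;;
    esac
    case "$reqcert" in
        demand|hard|"") ;;   # demand is the default and verifies the server cert
        *) echo "TLS_REQCERT $reqcert accepts an unverifiable server cert; set demand" ;;
    esac
    if [ -n "$cacert" ] && [ -d "$cacert" ]; then
        echo "TLS_CACERT '$cacert' is a directory; TLS_CACERT expects a file, use TLS_CACERTDIR for a directory"
    fi
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "no TLS_CACERT or TLS_CACERTDIR configured; the server cert cannot be verified"
    fi
}

# Stand-alone usage: audit the constructed sample and report the findings.
audit_ldap_conf "$(write_sample_conf)"
```

Run it against the real file with `audit_ldap_conf /etc/openldap/ldap.conf`; the same checks apply to /etc/ldap.conf for nss_ldap/pam_ldap, since those use the same keyword names for TLS.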