[389-users] How to export CA certificate into client from server

Arpit Tolani arpittolani at gmail.com
Sat Jul 28 11:07:37 UTC 2012


On Sat, Jul 28, 2012 at 4:25 PM, fosiul alam <expertalert at gmail.com> wrote:

> Hi
> Don't know how to reply on the same thread.
>

Just click on reply and leave the subject of the mail untouched.


>
> but thanks for the quick reply.
>
> It's case sensitive, so I created the cert file
> and I put that one into the client, and I configured it as documented
>
> /etc/openldap/ldap.conf
>
> URI ldap://ldap-2.fosiul.lan/
> BASE dc=fosiul,dc=lan
> TLS_CACERTDIR /etc/openldap/cacerts/
> TLS_REQCERT allow
> #TLS_CACERT /etc/openldap/cacerts/cacert.asc
>
>
> and in /etc/ldap.conf
> base dc=fosiul,dc=lan
> uri ldap://ldap-2.fosiul.lan/
> ssl start_tls
> tls_cacertdir /etc/openldap/cacerts/
>
> #TLS_CACERT /etc/openldap/cacerts/cacert.asc
> pam_password md5
>
>
You should use pam_password clear because your password is being hashed by
your client system before it is sent to the Directory Server. This is not
allowed, since the server would have no way to enforce its password policy
against a pre-hashed password. You need to configure /etc/ldap.conf to
send the clear-text password to the LDAP server. You should use SSL/TLS to
protect the password in transit (which you already have).


>
>
> and I can see it created another file in the /etc/openldap/cacerts/ directory
> like this
> 5be5959f.0     ds-ca.crt
>
> and when I do this
>
> id usrname
>
> it does not find the user and I don't see any error in /var/log/message
>
> so it's like it's connecting to LDAP, but it does not get any information
>
> do I have to say Cn="Directory Manager" somewhere in the ldap.conf file??
>
> thanks for your help.
>
> Fosiul
>
> but in the client's log file
>
>
Copy the my-public-ca.asc file into /etc/openldap/cacerts:
# cp my-public-ca.asc /etc/openldap/cacerts
# cacertdir_rehash /etc/openldap/cacerts

This will create a file like the one below (check for the soft link, the file
ending with .0):

[root at atolani cacerts]# ll
total 4
lrwxrwxrwx. 1 root root  16 Apr 24 11:16 2c47a1a7.0 -> my-public-ca.asc
-rw-r--r--. 1 root root 851 Apr  9 01:13 my-public-ca.asc

Now try to run ldapsearch using -ZZ (for start_tls). Make sure you give the
exact hostname which you used while creating the cert in this step:
"certutil -S -n "server-cert" -s "cn=directory.example.com""

Something like this:

ldapsearch -x -ZZ -D "cn=Directory manager" -w password -h
directory.example.com -b "dc=example,dc=com"

If this works, then your TLS is working. Now try to configure pam_ldap with
TLS.

Regards
Arpit Tolani
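Editor's note, added example (not from the thread or the 389 project): the ldapsearch -ZZ test above only proves the server certificate is verified if the client's ldap.conf says TLS_REQCERT demand. With TLS_REQCERT allow, as in the quoted config, OpenLDAP ignores a CA cert it cannot verify and carries on, so the -ZZ test passes even when the cacerts directory is broken, and the clear-text password that pam_password clear sends is only protected against passive sniffing, not an impersonating server. The POSIX sh helpers below check the three things that go wrong in this setup: the hashed .0 symlink cacertdir_rehash is supposed to create, whether the hostname you connect to is actually the CN (or a DNS SAN) of the certificate, and whether ldap.conf still carries the weak TLS_REQCERT / pam_password settings, next to a hardened version of the same file. They assume openssl and the OpenLDAP client tools are on PATH; directory.example.com, dc=example,dc=com and the file names are placeholders taken from the thread.

```bash
#!/bin/sh
# Added example: sanity checks for an OpenLDAP/pam_ldap client's TLS setup.
# Assumes openssl(1) and ldapsearch(1) are installed; hostnames and paths
# below are placeholders, not values from a real deployment.

# Name OpenLDAP's hashed-directory lookup (c_rehash / cacertdir_rehash
# layout) expects for a CA cert: <subject-hash>.0
expected_link_name() {
    printf '%s.0\n' "$(openssl x509 -in "$1" -noout -hash)"
}

# 0 if the .0 symlink for this CA cert exists in TLS_CACERTDIR and points
# at the same certificate; 1 if cacertdir_rehash was never run (or ran on
# a different directory), which makes the CA silently invisible to the client.
check_rehash() {
    dir=$1; cert=$2
    link="$dir/$(expected_link_name "$cert")"
    [ -e "$link" ] && cmp -s "$link" "$cert"
}

# 0 if the name you put in URI matches the certificate's CN or a DNS SAN.
# Connecting with a short name or an IP while the cert carries the FQDN is
# the classic reason TLS_REQCERT demand "breaks" a previously working client.
cert_matches_host() {
    cert=$1; host=$2
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    sans=$(openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' || true)
    [ "$cn" = "$host" ] && return 0
    for s in $sans; do
        [ "$s" = "$host" ] && return 0
    done
    return 1
}

# 0 if the config has neither weak setting; 1 otherwise. Keys are matched
# case-insensitively because /etc/ldap.conf uses lowercase keys.
audit_ldap_conf() {
    f=$1; rc=0
    if grep -Eiq '^[[:space:]]*tls_reqcert[[:space:]]+(allow|never|try)' "$f"; then
        echo "$f: TLS_REQCERT is not 'demand'; an unverifiable server cert does not stop the session" >&2
        rc=1
    fi
    if grep -Eiq '^[[:space:]]*pam_password[[:space:]]+(md5|crypt)' "$f"; then
        echo "$f: pam_password hashes on the client, so the server cannot enforce its password policy" >&2
        rc=1
    fi
    return $rc
}

# The quoted /etc/openldap/ldap.conf with the one weak setting corrected.
hardened_ldap_conf() {
    host=$1; base=$2
    printf 'URI ldap://%s/\nBASE %s\n' "$host" "$base"
    printf 'TLS_CACERTDIR /etc/openldap/cacerts/\nTLS_REQCERT demand\n'
}

# StartTLS probe. -ZZ makes ldapsearch fail hard if StartTLS does not
# succeed, and the handshake happens before any bind, so an anonymous base
# search is enough to test TLS. -H replaces the older -h/-p pair.
starttls_probe() {
    ldapsearch -x -ZZ -H "ldap://$1/" -b "$2" -s base '(objectClass=*)'
}

# Usage (not run by the checks above):
#   check_rehash /etc/openldap/cacerts /etc/openldap/cacerts/my-public-ca.asc
#   cert_matches_host /etc/openldap/cacerts/my-public-ca.asc directory.example.com
#   audit_ldap_conf /etc/openldap/ldap.conf && audit_ldap_conf /etc/ldap.conf
#   starttls_probe directory.example.com dc=example,dc=com
```

Run the audit and the cert checks first; only once TLS_REQCERT is demand and the hostname matches does a successful -ZZ probe mean what the reply above says it means. When you do bind as Directory Manager for the follow-up test, prefer -W or -y passwordfile to -w password, which leaves the password visible in the process list and shell history.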

