[389-users] How to export CA certificate into client from server

Grzegorz Dwornicki gd1100 at gmail.com
Sat Jul 28 11:21:35 UTC 2012


To make the system aware of users in 389 you need to configure other files:
/etc/ldap.conf (el5 systems) or /etc/nss_ldap.conf (el6 systems) +
/etc/nsswitch.conf + PAM modules (/etc/pam.d/system-auth + install the pam_ldap
module). On RHEL/Fedora/CentOS/SL you can do this the easy way using
authconfig, authconfig-tui or system-config-authentication. I don't
recommend messing manually with PAM without reading some docs about it,
because you can break login on your system.

Consider using one of the three tools I have told you about. They can modify all
required files. You may be required to install the nss-pam-ldapd package on el6
systems for PAM to work; this will install the nslcd daemon too as a dependency.
I usually set FORCELEGACY to yes in /etc/sysconfig/authconfig on el6
systems.

2012/7/28 fosiul alam <expertalert at gmail.com>

> Hi
> Don't know how to reply on the same thread.
>
> but thanks for the quick reply.
>
> it's case sensitive. so I created the cert file
> and I put that one into the client, and I configured it as documented
>
> /etc/openldap/ldap.conf
>
> URI ldap://ldap-2.fosiul.lan/
> BASE dc=fosiul,dc=lan
> TLS_CACERTDIR /etc/openldap/cacerts/
> TLS_REQCERT allow
> #TLS_CACERT /etc/openldap/cacerts/cacert.asc
>
>
> and in /etc/ldap.conf
> base dc=fosiul,dc=lan
> uri ldap://ldap-2.fosiul.lan/
> ssl start_tls
> tls_cacertdir /etc/openldap/cacerts/
>
> #TLS_CACERT /etc/openldap/cacerts/cacert.asc
> pam_password md5
>
>
>
> and I can see it created another file in the /etc/openldap/cacerts/ directory
> like this
> 5be5959f.0     ds-ca.crt
>
> and when I do like this
>
> id usrname
>
> it does not find the user and I don't see any error in /var/log/message
>
> so it's like it's connecting to ldap, but it does not get any information
>
> do I have to say Cn="Directory Manager" somewhere in the ldap.conf file ??
>
> thanks for your help.
>
> Fosiul
>
> but in clients, log file
>
>
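Two things in the quoted client config are worth checking before chasing the user lookup itself: `TLS_REQCERT allow` tells libldap to keep going even when the server certificate fails verification, so it silently disables the trust the CA export was meant to establish, and an OpenSSL-backed libldap finds CAs in TLS_CACERTDIR only by their subject-hash name (the `5be5959f.0` entry next to `ds-ca.crt`). The following script is an added example, not from the thread or the 389 project; it assumes ldap.conf-style files and a hashed PEM directory as quoted above, and needs the `openssl` binary for the hash check.

```shell
#!/bin/sh
# Sanity checks for an LDAP client's TLS trust setup (added example, hypothetical helper names).

# Print the effective TLS_REQCERT level of a config file (keys are case-insensitive
# in ldap.conf); libldap defaults to "demand" when the directive is absent.
reqcert_level() {
    awk 'tolower($1)=="tls_reqcert"{v=tolower($2)} END{print (v=="" ? "demand" : v)}' "$1"
}

# Succeed only if the level actually enforces server certificate verification.
# "allow" and "try" continue after a failed check, "never" does not request a cert at all.
reqcert_is_strict() {
    case "$(reqcert_level "$1")" in
        demand|hard) return 0 ;;
        *) return 1 ;;
    esac
}

# For each CA file in a TLS_CACERTDIR, report the OpenSSL subject-hash link
# (<hash>.0) that libldap looks up if it is missing; silent when all are present.
missing_hash_links() {
    dir=$1
    for f in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -noout -hash -in "$f") || continue
        [ -e "$dir/$h.0" ] || echo "$h.0 -> $(basename "$f")"
    done
}

# Usage on a real client (not run here):
#   reqcert_is_strict /etc/openldap/ldap.conf || echo "TLS_REQCERT does not verify the server"
#   missing_hash_links /etc/openldap/cacerts   # create the reported links with: ln -s <file> <hash>.0
```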

