[389-users] LDAPS configuration/installation

Chun Tat David Chu beyonddc.storage at gmail.com
Tue Mar 6 21:41:51 UTC 2012


The cheat sheet is here http://directory.fedoraproject.org/wiki/Howto:SSL

You just need to read it first and then give it a try.  I followed these
instructions a couple of years ago.

- dc

2012/3/5 Arpit Tolani <arpittolani at gmail.com>

> Hie
>
> 2012/3/5 Gilbert Martin <gilbert.martin at gmail.com>
>
>> Hi All,
>>
>> I've been trying to get SSL working with my LDAP server, but haven't had
>> success. I'm currently implementing a new test environment.  Does anyone
>> have some quick and dirty instruction on setting up a CA and SSL certs for
>> my directory server and clients?
>>
>>
>> From my cheat sheet
>
> The first thing we need to do is create a new key store.
>
> # cd /etc/dirsrv/slapd-directory/
> # mv cert8.db key3.db secmod.db /root/
> # certutil -N -d .
>
> Then we create your CA.
>
> # certutil -S -n "CA certificate" -s "cn=CA
> cert,dc=directory,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 720 -d . -k
> rsa
>
> Make sure you say yes to "Is this a CA certificate [y/N]?" and everything
> else will be default.
>
> Next we create your server cert. Make sure the cn is the FQDN of this
> server.
>
> # certutil -S -n "directory-Server-Cert" -s "cn=directory.example.com" -c
> "CA certificate" -t "u,u,u" -m 1001 -v 720 -d . -k rsa
>
> Then check to make sure it looks ok
>
> certutil -L -d /etc/dirsrv/slapd-directory/
>
> Create your public CA for your clients.
>
> # certutil -d . -L -n "CA certificate" -a  > my-public-ca.asc
>
> In your /etc/dirsrv/slapd-directory/dse.ldif make your nsSSLPersonalitySSL
> look like the following.
>
> nsSSLPersonalitySSL: directory-Server-Cert
>
> That should be it. You have to restart the directory server after the above
> steps.
>
> After this configure Directory Server to use SSL.
>
> Set the secure port for the server to use for TLS/SSL communications. In
> the Configuration area, select the Settings tab, and enter the value in the
> Encrypted Port field.
>
> - The encrypted port number must not be the same port number used for
> normal LDAP communications. By default, the standard port number is 389,
> and the secure port is 636.
>
> - Select the Configuration tab, and then select the top entry in the
> navigation tree in the left pane. Select the Encryption tab in the right
> pane.
>
> - Select the Enable SSL for this Server checkbox.
>
> - Check the Use this Cipher Family checkbox.
>
> - Select the certificate to use from the drop-down menu.
>
>
>
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>
>
>
> --
> Regards
> Arpit Tolani
>
>
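As an added example (not code from the thread or from the 389 project), a small Python check that the nsSSLPersonalitySSL nickname in dse.ldif matches a server cert present in the NSS database as listed by certutil -L, that a CA with the "C" trust flag (the "CT,," set above) exists, that security is switched on, and that the secure port differs from the plain LDAP port. Both inputs are constructed samples; the nsslapd-port, nsslapd-secureport and nsslapd-security attributes and the cn=RSA,cn=encryption,cn=config entry are assumed from 389 DS configuration rather than taken from the thread.

```python
import re

# Constructed sample of `certutil -L -d /etc/dirsrv/slapd-directory/` output.
CERTUTIL_LIST = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI
CA certificate                                CT,,
directory-Server-Cert                         u,u,u
"""

# Constructed dse.ldif fragment; only nsSSLPersonalitySSL is from the thread, the
# nsslapd-* attributes and the cn=RSA entry are assumed from 389 DS configuration.
DSE_LDIF = """\
dn: cn=config
nsslapd-port: 389
nsslapd-secureport: 636
nsslapd-security: on
dn: cn=RSA,cn=encryption,cn=config
nsSSLPersonalitySSL: directory-Server-Cert
"""

def parse_certutil(text):
    """Map nickname -> trust flags; header lines carry no 'x,y,z' flags and are skipped."""
    pattern = re.compile(r"^(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")
    return {m.group(1): m.group(2) for m in map(pattern.match, text.splitlines()) if m}

def parse_ldif_attrs(text):
    """Flatten single-valued LDIF attributes into {lowercased name: value}."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {name.strip().lower(): value.strip() for name, value in pairs}

def check_ldaps_config(ldif_text, certutil_text):
    """Return a list of problems; an empty list means the LDAPS setup is consistent."""
    attrs, certs = parse_ldif_attrs(ldif_text), parse_certutil(certutil_text)
    problems = []
    nick = attrs.get("nssslpersonalityssl")
    if not nick:
        problems.append("nsSSLPersonalitySSL is not set")
    elif nick not in certs:
        problems.append(f"no certificate nicknamed {nick!r} in the NSS database")
    elif "u" not in certs[nick].split(",")[0]:
        problems.append(f"{nick!r} lacks the 'u' SSL trust flag (expected u,u,u)")
    if not any("C" in flags.split(",")[0] for flags in certs.values()):
        problems.append("no CA certificate with the 'C' SSL trust flag (expected CT,,)")
    if attrs.get("nsslapd-security", "").lower() != "on":
        problems.append("nsslapd-security is not 'on'")
    if attrs.get("nsslapd-secureport") in (None, attrs.get("nsslapd-port")):
        problems.append("nsslapd-secureport is missing or equals the plain LDAP port")
    return problems
```

Run it against the real `certutil -L` output and the live dse.ldif after the restart; an empty list means the nickname, trust flags and ports line up before you try an LDAPS bind.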