[389-users] 389-ds + CentOS 6.2 + TLS (self-signed, setupssl2.sh-script) + 389-console : complete FAIL. Would appreciate help.

upen upendra.gandhi at gmail.com
Fri Sep 28 03:27:23 UTC 2012


Hi Raimund Eimann,

On 09.07.2012 13:27, Ray wrote:
> Hi Alberto,
>
> I got it working, logical, actually:
>
> When you start out the way I did, i.e. fresh installation, then
> running setup-ds-admin.pl, then setupssl2.sh both services (dirsrv
> and
> dirsrv-admin) will be restartable cleanly, i.e. they do actually run
> (see details below in my initial posting).
>
> When you then run 389-console, all you need to make sure is
>
>   1) use the fqdn you configured in /etc/hosts and setup-ds-admin.pl
> in the URI.
>   2) change from http to https in the URI string.
>
> Please try that out. It works now for me. You should be able to log
> into 389-console and populate your directory at this point.
>
> The next confusing thing (for the client side) that no one tells you
> (because it's sooo obvious?! - I don't think so…) is that there are
> two ldap.conf files to take care of:
>
>   1) /etc/openldap/ldap.conf (this one is for the openldap-clients
> [ldapsearch et al.])
>   2) /etc/pam_ldap.conf (this one takes care of the actual OS
> user/group resolution)
>
> Here are mine:
>
> /etc/openldap/ldap.conf:
>
>     URI ldap://ldap.baar.intra.bbcomputing.org/
>     BASE dc=bbcomputing,dc=org
>     TLS_CACERTDIR /etc/openldap/cacerts
>     TLS_REQCERT allow
>
> /etc/pam_ldap.conf:
>
>     base dc=bbcomputing,dc=org
>     uri ldaps://ldap.baar.intra.bbcomputing.org/
>     ssl start_tls
>     tls_cacertdir /etc/openldap/cacerts
>     pam_password md5
>
>
> Now, in both configs you see the tls_cacertdir parameter.
>
>     1) Make sure you have that directory.
>     2) After you ran setupssl.sh, you should find a certificate in
> /etc/dirsrv/slapd-<server identifier you chose in
> setup-ds-admin.pl>/cacert.asc. Copy this certificate: cp
> /etc/dirsrv/slapd-<server identifier you chose in
> setup-ds-admin.pl>/cacert.asc
> /etc/openldap/cacerts/cacert_389_ldap.pem
>
>     This is not enough. The clients will only pick up certs with
> hashed filenames, so (not very prominent information in the docs
> also):
>
>     3) cd /etc/openldap/cacerts/
>     4) ln -s cacert_389_ldap.pem `openssl x509 -in
> cacert_389_ldap.pem -noout -hash`.0
>
> You'll need to repeat that on each and every client you plan to use.
>
> After all this, things should work. You can try
>
> id <username from your directory>
>
> And see what comes back. Alternatively you can try
>
> "getent passwd" to see all users you configures in your directory, or
> "getent group" for the groups
>
> ldapsearch -x -ZZ -h <fqdn of your ldap machine> should also work and
> return all entries as ldifs.
>
> Let me know how the things are going

I recently had the same trouble with setupssl2.sh on a RHEL 5.8 box with
389-console. Your post has been really useful to me. Everything you
have mentioned in the last two posts in this topic has worked
successfully for me. Thanks so much!

389-ds rocks as well as 389-console too :)

Aero
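The client-side steps quoted above (copy cacert.asc into TLS_CACERTDIR, then create the hashed symlink that OpenSSL-based clients actually look up) are easy to get half right, and a missing or wrong hash link fails silently when TLS_REQCERT is set to allow. The script below is an added example, not code from the thread or from the 389 project: it wraps the copy-and-link steps in a function that takes the source certificate and target directory as parameters, picks a free .N suffix instead of blindly overwriting .0, and then performs the same hashed-directory lookup a TLS client would (via openssl verify -CApath) to prove the link resolves. The function names install_ca_cert and verify_ca_dir are hypothetical; it assumes openssl and cmp are on PATH.

```shell
#!/bin/sh
# Added example (not from the original thread): install a directory-server
# CA certificate into an OpenSSL-style hashed cacerts directory and verify
# that clients can resolve it by hash. Paths are parameters so the script
# can be tried against a temporary directory before /etc/openldap/cacerts.

# install_ca_cert SRC_CERT CACERT_DIR [NAME]
# Copies SRC_CERT into CACERT_DIR as NAME (default cacert_389_ldap.pem)
# and creates the <subject-hash>.N symlink that OpenSSL-based clients
# (ldapsearch, pam_ldap) look for when TLS_CACERTDIR is set.
# Prints the path of the symlink it created.
install_ca_cert() {
    src="$1"; dir="$2"; name="${3:-cacert_389_ldap.pem}"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$dir" || return 1
    cp "$src" "$dir/$name" || return 1
    # same hash the quoted instructions use; on OpenSSL 1.0+ -hash is the
    # SHA-1 based subject hash that the client library computes
    hash=$(openssl x509 -in "$dir/$name" -noout -hash) || return 1
    # use the first suffix that is free or already points at this cert, so
    # two CAs that collide on the subject hash do not clobber each other
    n=0
    while [ -e "$dir/$hash.$n" ] && ! cmp -s "$dir/$hash.$n" "$dir/$name"; do
        n=$((n + 1))
    done
    ln -sf "$name" "$dir/$hash.$n" || return 1
    echo "$dir/$hash.$n"
}

# verify_ca_dir CERT CACERT_DIR
# Returns 0 if OpenSSL can find CERT's issuer in CACERT_DIR by hashed
# filename, i.e. the same lookup a TLS client performs. For a self-signed
# server CA this only succeeds once the hashed symlink exists.
verify_ca_dir() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Usage: sh install-ca.sh /etc/dirsrv/slapd-<id>/cacert.asc /etc/openldap/cacerts
if [ "$#" -ge 2 ]; then
    link=$(install_ca_cert "$1" "$2") || exit 1
    echo "installed hashed link $link"
    if verify_ca_dir "$1" "$2"; then
        echo "hashed lookup OK"
    else
        echo "hashed lookup FAILED: clients will not trust this CA" >&2
        exit 1
    fi
fi
```

Once verify_ca_dir succeeds on a client, the CA is actually being found, and that is the point at which TLS_REQCERT allow in ldap.conf can be raised to demand so that a server presenting an untrusted certificate is rejected rather than silently accepted. The verification step is also the quickest way to catch the case where cacert.asc was copied but the .0 link was never made, which is exactly the failure mode the quoted post describes.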


