[389-users] Multiple 389 Servers for Clients Using SSSD

Chandan Kumar chandank.kumar at gmail.com
Sun Jan 6 00:44:21 UTC 2013


Sorry for the confusion; "server clients certs" means generating certs for
the client. These are the exact same steps from the Red Hat manuals.

This works if I copy this cacert.asc file to my client machines. But how do I
get clients onto both LDAP servers? As an example, if I specify both
LDAP server names, say ldap01.net and ldap02.net, and one goes down, it will
try to get authentication working from the secondary one.

What I am doing is generating the cacert.asc on one server, importing
it into the second server and copying the same cacert.asc across all the
client machines.




--
http://about.me/chandank
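An added example (not from this thread or from the 389 project) of the client side of the setup being discussed: an SSSD LDAP section listing both servers with one shared CA file, plus a check that each server presents a certificate that chains to that CA and matches the name used in ldap_uri. The CA path, hostnames and port are assumptions; the check needs openssl on the client.

```bash
#!/usr/bin/env bash
# Added example: SSSD failover across two 389 servers that share one CA.
# Assumes both server certs were issued by the CA exported as cacert.asc
# (as in the thread) and that each server cert's CN is that server's DNS name.
set -u

# Render the [domain/...] LDAP settings SSSD needs for two servers over TLS.
# Usage: sssd_ldap_section <cacert-path> <host1> <host2>
sssd_ldap_section() {
    local cacert="$1" host1="$2" host2="$3"
    cat <<EOF
[domain/ldap]
id_provider = ldap
auth_provider = ldap
# Two URIs: SSSD uses the first that answers and fails over to the next.
ldap_uri = ldaps://${host1}, ldaps://${host2}
# One CA file, so the certs of both servers must chain to this CA.
ldap_tls_cacert = ${cacert}
# Refuse to talk to a server whose cert does not verify.
ldap_tls_reqcert = demand
EOF
}

# From the client, confirm a server's cert chains to the shared CA *and*
# that its name matches the hostname used in ldap_uri (the "Certification
# Not trusted" symptom means one of these fails for the second server).
# Usage: verify_ldap_server <cacert-path> <host> [port]
verify_ldap_server() {
    local cacert="$1" host="$2" port="${3:-636}"
    local out
    out=$(openssl s_client -connect "${host}:${port}" -servername "$host" \
            -CAfile "$cacert" -verify_hostname "$host" </dev/null 2>&1) || true
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo "OK: ${host} cert chains to CA and matches hostname"
        return 0
    fi
    echo "FAIL: ${host}" >&2
    printf '%s\n' "$out" | grep -E 'Verify return code|subject=' >&2
    return 1
}
```

Run `verify_ldap_server /etc/openldap/cacerts/cacert.asc ldap02.net` on a client that already trusts ldap01.net; a non-zero verify code points at the CA import on the second server, a hostname mismatch at its certificate subject.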


On Sat, Jan 5, 2013 at 4:37 PM, Orion Poplawski <orion at cora.nwra.com> wrote:

> On 01/04/2013 05:34 PM, Chandan Kumar wrote:
>
>> Hello All,
>>
>> I was wondering if anyone could help me with this setup. I would
>> like to have 2 LDAP servers specified on the clients using SSSD.
>>
>> Without TLS/encryption (PAM/NSS) it works just fine; however, the moment
>> I turn on TLS/StartTLS only one server works whereas the other does not and
>> gives the "Certification Not trusted" error.
>>
>> Here is what I did.
>>
>> # Generate the CA certificate in the server's NSS database
>> certutil -S -n "CA certificate" -s "cn=My Org CA cert,dc=my,dc=net" -2 \
>>   -x -t "CT,," -m 1000 -v 120 -d . -k rsa -f /tmp/pwdfile
>>
>> # Generate Directory server clients certs
>> certutil -S -n "Server-Cert" -s "cn=ldap.my.net" -c "CA certificate" \
>>   -t "u,u,u" -m 1001 -v 120 -d . -k rsa -f /tmp/pwdfile
>>
>
> Not sure what you mean by "server clients certs" here.  This is the server
> cert for this server.  I would think the subject name should just be "
> ldap.my.net", but maybe this form works too.  You also need to do this on
> your second server using its DNS name.
>
>
>> # Export it for ldap clients and other servers
>> certutil -d . -L -n "CA certificate" -a > cacert.asc
>>
>> Then I imported the same cacert.asc file to another 389 server using
>> "certutil". And copied it at the client as well.
>>
>> I would see the certificate got imported in the GUI console, but for
>> some reason every time I query from the client to the secondary server (where
>> I imported the key) it just does not work.
>>
>> Would appreciate any help. Not sure what step I am using or what I am
>> doing wrong.
>>
>
>
>
> --
> Orion Poplawski
> Technical Manager                     303-415-9701 x222
> NWRA/CoRA Division                    FAX: 303-415-9702
> 3380 Mitchell Lane                  orion at cora.nwra.com
> Boulder, CO 80301              http://www.cora.nwra.com
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users