[389-users] Multiple 389 Servers for Clients Using SSSD

Arpit Tolani arpittolani at gmail.com
Sun Jan 6 10:24:34 UTC 2013 

Hello

On Sun, Jan 6, 2013 at 6:14 AM, Chandan Kumar <chandank.kumar at gmail.com> wrote:
> Sorry for confusion, "server clients certs" means generating certs for
> client. These are exact same steps from the Redhat manuals.
>
> This works if I copy this cacert.asc file to my client machines. But how to
> get clients both on two LDAP servers ? As an example, if I specify both ldap
> server names say ldap01.net ldap02.net and if one goes down it will try to
> get the authentication work from the secondary one.
>
> What am I doing is, Generating the cacert.asc from one server and importing
> it to the second server and copying the same cacert.asc across all the
> client machines.
>

How about creating one CA cert & signing all RHDS server from same CA,
Then all you have to do is to import only one CA in clients.


Create a CA Cerfificate
# certutil -S -n "CA certificate" -s "cn=CA
cert,dc=directory,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 720 -d
. -k rsa

Make sure you say yes to "Is this a CA certificate [y/N]?" and
everything else will be default.

Next we create your Server Cert.
Important - Make sure your cn is your FQDN of this server.


Create cert for ldap1.example.com on ldap1.example.com
# certutil -S -n "directory-Server-Cert-1" -s "cn=ldap1.example.com"
-c "CA certificate" -t "u,u,u" -m 1001 -v 720 -d . -k rsa


Create cert for ldap2.example.com on ldap1.example.com
# certutil -S -n "directory-Server-Cert-2" -s "cn=ldap2.example.com"
-c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -k rsa

Then check to make sure it looks ok
# certutil -L -n "directory-Server-Cert-2" -d .

Export keys & certs for ldap2.example.com
# pk12util -d . -o server2.p12 -n directory-Server-Cert-2
# certutil -L -d . -n "CA certificate" -a > cacert.asc

Copy the 'server2.p12' and 'cacert.asc' created above to the 2nd Red
Hat Directory Server.

Create your public ca for your clients.
# certutil -d . -L -n "CA certificate" -a  > my-public-ca.asc


While logged in to the 2nd RHDS i.e. ldap2.example.com, run the following:

# service dirsrv stop
# cd /etc/disrv/slapd-INSTANCE2/
# mv /path/to/server2.p12 /etc/dirsrv/slapd-INSTANCE2/
# mv /path/to/cacert.asc /etc/dirsrv/slapd-INSTANCE2/
# pk12util -d . -i server2.p12
# certutil -A -d . -n "CA certificate" -t "CT,," -a -i cacert.asc
# service dirsrv start


Hope that helps.


Regards
Arpit Tolani

More information about the 389-users mailing list