[389-users] Multiple 389 Servers for Clients Using SSSD

Chandan Kumar chandank.kumar at gmail.com
Tue Jan 15 23:51:37 UTC 2013


Hi Arpit,

Thanks for your detailed steps. I followed them but got the error below on the
secondary ldap server on restart.

I have copied the outputs and the steps I followed in the pastebin below.

http://pastebin.com/Sd73AEpT

Looks like the certificate was not imported properly, not sure why.
Everywhere I have the same key, still I get the annoying problem that my client
only works with one ldap server.

Say if I manage to make it work with ldap01 it just won't work with ldap02
and vice versa, and I get the annoying "not trusted" error. I get the same
problem setting up the replication over TLS. I am using SSSD on the client
side and give the param below.

ldap_uri = ldaps://ldap.net, ldaps://ldap02.net

--
http://about.me/chandank


On Sun, Jan 6, 2013 at 2:24 AM, Arpit Tolani <arpittolani at gmail.com> wrote:

> Hello
>
> On Sun, Jan 6, 2013 at 6:14 AM, Chandan Kumar <chandank.kumar at gmail.com>
> wrote:
> > Sorry for confusion, "server clients certs" means generating certs for
> > client. These are exact same steps from the Redhat manuals.
> >
> > This works if I copy this cacert.asc file to my client machines. But how to
> > get clients both on two LDAP servers ? As an example, if I specify both ldap
> > server names say ldap01.net ldap02.net and if one goes down it will try to
> > get the authentication work from the secondary one.
> >
> > What am I doing is, Generating the cacert.asc from one server and importing
> > it to the second server and copying the same cacert.asc across all the
> > client machines.
> >
>
> How about creating one CA cert & signing all RHDS servers from the same CA?
> Then all you have to do is import only one CA in clients.
>
>
> Create a CA Certificate
> # certutil -S -n "CA certificate" -s "cn=CA cert,dc=directory,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 720 -d . -k rsa
>
> Make sure you say yes to "Is this a CA certificate [y/N]?" and
> everything else will be default.
>
> Next we create your Server Cert.
> Important - Make sure your cn is your FQDN of this server.
>
>
> Create cert for ldap1.example.com on ldap1.example.com
> # certutil -S -n "directory-Server-Cert-1" -s "cn=ldap1.example.com" -c "CA certificate" -t "u,u,u" -m 1001 -v 720 -d . -k rsa
>
>
> Create cert for ldap2.example.com on ldap1.example.com
> # certutil -S -n "directory-Server-Cert-2" -s "cn=ldap2.example.com" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -k rsa
>
> Then check to make sure it looks ok
> # certutil -L -n "directory-Server-Cert-2" -d .
>
> Export keys & certs for ldap2.example.com
> # pk12util -d . -o server2.p12 -n directory-Server-Cert-2
> # certutil -L -d . -n "CA certificate" -a > cacert.asc
>
> Copy the 'server2.p12' and 'cacert.asc' created above to the 2nd Red
> Hat Directory Server.
>
> Create your public ca for your clients.
> # certutil -d . -L -n "CA certificate" -a  > my-public-ca.asc
>
>
> While logged in to the 2nd RHDS i.e. ldap2.example.com, run the following:
>
> # service dirsrv stop
> # cd /etc/dirsrv/slapd-INSTANCE2/
> # mv /path/to/server2.p12 /etc/dirsrv/slapd-INSTANCE2/
> # mv /path/to/cacert.asc /etc/dirsrv/slapd-INSTANCE2/
> # pk12util -d . -i server2.p12
> # certutil -A -d . -n "CA certificate" -t "CT,," -a -i cacert.asc
> # service dirsrv start
>
>
> Hope that helps.
>
>
> Regards
> Arpit Tolani
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
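A client-side check for the setup discussed in this thread (one CA signing every server listed in SSSD's ldap_uri), added here as an example and not code from either poster: it walks each ldaps:// URI and reports whether the server's certificate chains to the single CA file the client trusts and whether its name matches the host in the URI. The CA path and the use of OpenSSL 1.1.0+ (for `-verify_hostname`) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): from an SSSD client, check every server
# in an ldap_uri list against the one CA file the client trusts. A server is
# UNTRUSTED when its cert does not chain to that CA or its name does not match
# the URI host, the two usual causes of the "not trusted" error.
# Assumed: CA path below; OpenSSL 1.1.0+ for -verify_hostname.
CA_FILE="${CA_FILE:-/etc/openldap/cacerts/cacert.asc}"

# Split the comma/space separated ldap_uri value into one URI per line.
split_ldap_uris() {
    printf '%s\n' "$1" | tr ',' ' ' | tr -s ' ' '\n' | sed '/^$/d'
}

# Print "host port" for one URI; ldaps:// defaults to 636, ldap:// to 389.
uri_to_hostport() {
    case "$1" in
        ldaps://*) rest="${1#ldaps://}"; port=636 ;;
        ldap://*)  rest="${1#ldap://}";  port=389 ;;
        *) echo "unsupported URI: $1" >&2; return 1 ;;
    esac
    rest="${rest%%/*}"                      # drop any trailing base DN
    host="${rest%%:*}"
    case "$rest" in *:*) port="${rest##*:}" ;; esac
    [ -n "$host" ] || return 1
    printf '%s %s\n' "$host" "$port"
}

# 0 when the chain verifies against CA_FILE and the name matches, else 1.
check_server() {
    out=$(openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$CA_FILE" \
              -verify_hostname "$1" </dev/null 2>&1) || true
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

main() {
    rc=0
    for uri in $(split_ldap_uris "$1"); do
        hp=$(uri_to_hostport "$uri") || { rc=1; continue; }
        if check_server "${hp% *}" "${hp#* }"; then
            echo "OK        $uri"
        else
            echo "UNTRUSTED $uri (chain or host name check failed)"; rc=1
        fi
    done
    return $rc
}
# Usage: sh check_ldap_uris.sh 'ldaps://ldap1.example.com, ldaps://ldap2.example.com'
if [ $# -gt 0 ]; then main "$1"; fi
```

Run it with the exact ldap_uri string from sssd.conf; a non-zero exit means at least one server would be rejected by a client that trusts only CA_FILE.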