LDAP SSL Problems (was: service script (/etc/init.d/ldap))

Craig White craigwhite at azapple.com
Tue Nov 15 01:52:20 UTC 2005


On Mon, 2005-11-14 at 17:15 -0800, Daniel B. Thurman wrote:
> >From: fedora-list-bounces at redhat.com
> >[mailto:fedora-list-bounces at redhat.com]On Behalf Of Craig White
> >Sent: Monday, November 14, 2005 5:10 PM
> >To: For users of Fedora Core releases
> >Subject: RE: LDAP SSL Problems (was: service script (/etc/init.d/ldap))
> >
> >
> >On Mon, 2005-11-14 at 16:42 -0800, Daniel B. Thurman wrote:
> >
> >> See: if LANG=C klist -k "$KRB5_KTNAME" | tail -n 4 | awk 
> >'{print $2}' |
> >> ===============^^^^^
> >> s/b ===========$klist
> >----
> >your previous email referenced the missing '$' on the word kinit not
> >klist which was significant since kinit doesn't exist in the file but
> >klist clearly does in a number of places. I understand how you
> >transposed it though - going buggy after typing it a number of times it
> >probably just flowed naturally through your fingers.
> >
> >Craig
> >
> >
> 
> Yea... sorry... I was trying to solve my problem with ldap
> and it was getting a bit frustrating - so I lost it somewhere
> when my fingers starting running away from me :-)
> 
> Your certificate creation method did not work.  I saw that I
> had to change the openssl.cnf path and I did get the two
> files: ldap.csr and ldap.key but missing is ca.certs and
> ca.key.
-----
sorry, perhaps I missed it...

here is my entire script... (watch for line wrap because of email line
limits)

# cat /root/scripts/make.certs
#!/bin/sh
# Generated material is built in the OpenSSL certs directory; /etc/ssl gets copies.
cd /usr/share/ssl/certs
mkdir -p /etc/ssl

# Private keys: a passphrase-protected CA key and a web server key.
openssl genrsa -des3 -out ca.key 2048
openssl genrsa -des3 -out server.key 1024

#### generate web server certificate ####
# Strip the passphrase so httpd can start unattended, then self-sign for 10 years.
openssl rsa -in server.key -out server.key.unsecure
openssl req -config /usr/share/ssl/openssl.cnf -new -x509 -days 3650 \
    -key server.key.unsecure -out server.crt
rm -f /etc/httpd/conf/ssl.crt/server.crt
cp server.crt /etc/httpd/conf/ssl.crt/
rm -f /etc/httpd/conf/ssl.key/server.key
cp server.key.unsecure /etc/httpd/conf/ssl.key/server.key

#### generate cyrus certificate ####
# Unencrypted key and self-signed cert in one PEM file, followed by DH parameters.
openssl req -config /usr/share/ssl/openssl.cnf -new -x509 -nodes \
    -out /etc/ssl/cyrus-global.pem -keyout /etc/ssl/cyrus-global.pem -days 3650
openssl gendh 512 >> /etc/ssl/cyrus-global.pem

#### generate openldap certificate ####
# Self-signed CA certificate from ca.key, then an LDAP key and CSR signed by that CA.
openssl req -config /usr/share/ssl/openssl.cnf -new -x509 -days 3650 \
    -key ca.key -out ca.cert
openssl genrsa -out ldap.key 1024
openssl req -config /usr/share/ssl/openssl.cnf -new -key ldap.key -out ldap.csr
openssl x509 -req -in ldap.csr -out ldap.cert -CA ca.cert -CAkey ca.key \
    -CAcreateserial -days 3650
cp ca.cert /etc/ssl
cp ca.key /etc/ssl
cp ldap.key /etc/ssl
cp ldap.csr /etc/ssl

Craig
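The OpenLDAP part of the script above (CA key, self-signed CA certificate, LDAP key, CSR, CA-signed certificate) is the piece Daniel reported as producing ldap.csr and ldap.key but no ca.cert or ca.key. The following is an added example, not Craig's script and not part of the original thread: it performs the same sequence in a scratch directory, without passphrase prompts, and then checks that every expected file exists, that ldap.cert verifies against ca.cert, and that ldap.key matches the public key in ldap.cert. It assumes only the openssl command line tool; the directory, hostname and subject names are placeholders.

```shell
#!/bin/sh
# Added example (not the thread's script): private CA plus CA-signed LDAP
# server certificate, followed by the checks a reader would want after running
# make.certs. Assumes the openssl CLI is on PATH.
set -eu

make_ldap_certs() {
    # $1 = working directory (default: fresh temp dir), $2 = LDAP hostname (CN)
    dir=${1:-$(mktemp -d)}
    host=${2:-ldap.example.com}          # placeholder hostname
    mkdir -p "$dir"
    cd "$dir"

    # 1. CA private key and self-signed CA certificate -> ca.key / ca.cert.
    #    -nodes/-subj avoid the passphrase and DN prompts of an interactive run.
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key ca.key -out ca.cert \
        -subj "/CN=Example Private CA" 2>/dev/null

    # 2. LDAP server key and CSR; CN must be the name clients connect to.
    openssl genrsa -out ldap.key 2048 2>/dev/null
    openssl req -new -key ldap.key -out ldap.csr -subj "/CN=$host" 2>/dev/null

    # 3. Sign the CSR with the CA -> ldap.cert (ca.srl is created alongside).
    openssl x509 -req -in ldap.csr -CA ca.cert -CAkey ca.key -CAcreateserial \
        -days 3650 -out ldap.cert 2>/dev/null

    # 4. Every artefact the thread expects must exist and be non-empty.
    for f in ca.key ca.cert ldap.key ldap.csr ldap.cert; do
        [ -s "$f" ] || { echo "missing $f" >&2; return 1; }
    done

    # 5. The server certificate must chain to the CA: this is exactly what a
    #    client configured with TLS_CACERT pointing at ca.cert will check.
    openssl verify -CAfile ca.cert ldap.cert >/dev/null 2>&1 || return 1

    # 6. The private key must belong to the certificate: compare the public
    #    keys extracted from each (a mismatch makes slapd fail to start TLS).
    k=$(openssl pkey -in ldap.key -pubout 2>/dev/null | openssl md5)
    c=$(openssl x509 -in ldap.cert -pubkey -noout 2>/dev/null | openssl md5)
    [ "$k" = "$c" ] || return 1

    # Print the directory so a caller can pick up the files.
    echo "$dir"
}
```

Running `make_ldap_certs /tmp/ldapcerts ldap.example.com` prints the directory on success and returns non-zero if a file is missing, the chain does not verify, or the key does not match the certificate; the verify and key-match checks are what distinguish "the files exist" from "slapd and ldapsearch will actually accept them".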

