Old 03-05-2012, 05:17 PM
Gilbert Martin
 
LDAPS configuration/installation

Hi All,
I've been trying to get SSL working with my LDAP server, but haven't had success. I'm currently implementing a new test environment. Does anyone have some quick and dirty instructions on setting up a CA and SSL certs for my directory server and clients?



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 03-05-2012, 06:16 PM
Arpit Tolani
 
LDAPS configuration/installation

Hi


From my cheat sheet

The first thing we need to do is create a new key store.

# cd /etc/dirsrv/slapd-directory/
# mv cert8.db key3.db secmod.db /root/
# certutil -N -d .

Then we create your CA.

# certutil -S -n "CA certificate" -s "cn=CA cert,dc=directory,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 720 -d . -k rsa


Make sure you say yes to "Is this a CA certificate [y/N]?" and everything else will be default.

Next we create your server cert. Make sure your cn is your FQDN of this server.

# certutil -S -n "directory-Server-Cert" -s "cn=directory.example.com" -c "CA certificate" -t "u,u,u" -m 1001 -v 720 -d . -k rsa


Then check to make sure it looks ok

# certutil -L -d /etc/dirsrv/slapd-directory/

Create your public ca for your clients.

# certutil -d . -L -n "CA certificate" -a > my-public-ca.asc


In your /etc/dirsrv/slapd-directory/dse.ldif make your nsSSLPersonalitySSL look like the following.

nsSSLPersonalitySSL: directory-Server-Cert

That should be it. You have to restart the directory server after above steps.


After this configure Directory Server to use SSL.

Set the secure port for the server to use for TLS/SSL communications. In the Configuration area, select the Settings tab, and enter the value in the Encrypted Port field.

- The encrypted port number must not be the same port number used for normal LDAP communications. By default, the standard port number is 389, and the secure port is 636.

- Select the Configuration tab, and then select the top entry in the navigation tree in the left pane. Select the Encryption tab in the right pane.

- Select the Enable SSL for this Server checkbox.

- Check the Use this Cipher Family checkbox.

- Select the certificate to use from the drop-down menu.







--
Regards
Arpit Tolani



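The following is an added example, not code from the original post or from the 389 project. It repeats the CA and server-certificate procedure above with openssl instead of the NSS certutil, then applies the checks a client will actually make against the result (chain to the exported CA, hostname match, subjectAltName present) and emits the ldapmodify LDIF equivalent of the console steps listed in the post. Assumed: openssl 1.1.0 or newer on PATH, the FQDN directory.example.com and the nickname directory-Server-Cert from the post, a scratch directory WORKDIR, and the 389 configuration attribute names as documented in the Howto:SSL page linked later in the thread (check them against your server version).

```shell
#!/bin/sh
# Added example (not from the original post or the 389 project).
# Assumptions: openssl >= 1.1.0; FQDN directory.example.com; files go to
# $WORKDIR (a temp dir); LDIF attribute names follow the 389 Howto:SSL.
set -e

FQDN="${FQDN:-directory.example.com}"   # must equal the name clients connect to
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CNF="$WORKDIR/openssl.cnf"

# Explicit extension sections so the result does not depend on the distro's
# default openssl.cnf. pathlen:0 keeps the private CA from minting sub-CAs.
cat > "$CNF" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN
EOF

# 1. Self-signed CA (the certutil -x -2 step). ca.pem is what clients get.
make_ca() {
  openssl req -x509 -config "$CNF" -extensions ca_ext -newkey rsa:3072 -nodes \
    -sha256 -days 1825 -subj "/CN=CA cert/DC=directory/DC=example/DC=com" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" 2>/dev/null
  chmod 600 "$WORKDIR/ca.key"
}

# 2. Server key + CSR, signed by the CA (the certutil -c step). CN is the
#    FQDN as in the post; the same name also goes into subjectAltName,
#    because current TLS clients ignore CN when checking the hostname.
make_server_cert() {
  openssl req -new -config "$CNF" -newkey rsa:3072 -nodes -sha256 \
    -subj "/CN=$FQDN" -keyout "$WORKDIR/server.key" \
    -out "$WORKDIR/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 730 -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$CNF" -extensions server_ext -out "$WORKDIR/server.pem" 2>/dev/null
  chmod 600 "$WORKDIR/server.key"
}

# 3. What a client does with my-public-ca.asc: chain to the CA and match the
#    hostname it connected to. Non-zero exit on any failure.
verify_server_cert() {
  openssl verify -CAfile "$WORKDIR/ca.pem" -verify_hostname "${1:-$FQDN}" \
    "$WORKDIR/server.pem" >/dev/null 2>&1
}

# Extra check: the name must be present as a DNS SAN, not only in CN.
has_san() {
  openssl x509 -in "$WORKDIR/server.pem" -noout -text 2>/dev/null \
    | grep -q "DNS:${1:-$FQDN}"
}

# 4. LDIF equivalent of the console steps (Encrypted Port, Enable SSL,
#    cipher family, certificate). Apply with:
#    ssl_enable_ldif | ldapmodify -x -D "cn=Directory Manager" -W -H ldap://$FQDN
ssl_enable_ldif() {
  cat <<EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
-
replace: nsTLS1
nsTLS1: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed

dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-secureport
nsslapd-secureport: 636

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: directory-Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
}

make_ca
make_server_cert
verify_server_cert && has_san && echo "chain and hostname OK for $FQDN (files in $WORKDIR)"
```

On the client side, copy ca.pem (or the my-public-ca.asc exported with certutil above) into place and point /etc/openldap/ldap.conf at it with TLS_CACERT plus TLS_REQCERT demand, then confirm with ldapsearch -H ldaps://directory.example.com -x -b "" -s base; a chain or hostname error there is the same failure verify_server_cert reproduces offline. The LDIF is pushed over ldapmodify to the running server rather than written into dse.ldif, which the server rewrites on shutdown unless it was stopped before editing; a restart is still needed afterwards for the secure port to open.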
 
Old 03-06-2012, 08:41 PM
Chun Tat David Chu
 
LDAPS configuration/installation

The cheat sheet is here http://directory.fedoraproject.org/wiki/Howto:SSL

You just need to read it first and then give it a try. I followed these instructions a couple of years ago.


- dc

 
