certutil: Could not find cert: CA Certificate
: File not found.
So it does not find the file.
What shall I do?
Thanks
# certutil -d . -L -n "CA certificate" -a > my-public-ca.asc
It should be the same as created. You actually have "CA certificate" and you are trying to extract "CA Certificate". Look at upper/lower case.
Regards
Arpit Tolani
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
07-28-2012, 10:55 AM
fosiul alam
How to export CA certificate into client from server
Hi
Don't know how to reply on the same thread.
But thanks for the quick reply.
It's case sensitive, so I created the cert file
and I put that one into the client, and I configured it as documented:
/etc/openldap/ldap.conf
URI ldap://ldap-2.fosiul.lan/
BASE dc=fosiul,dc=lan
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
#TLS_CACERT /etc/openldap/cacerts/cacert.asc
And in /etc/ldap.conf:
base dc=fosiul,dc=lan
uri ldap://ldap-2.fosiul.lan/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts/
And I can see it created another file in the /etc/openldap/cacerts/ directory like this:
5be5959f.0    ds-ca.crt
And when I do like this:
id usrname
it does not find the user, and I don't see any error in /var/log/message.
So it's like it's connecting to LDAP, but it does not get any information.
Do I have to say Cn="Directory Manager" somewhere in the ldap.conf file?
Thanks for your help.
Fosiul
But in the client's log file
07-28-2012, 11:07 AM
Arpit Tolani
How to export CA certificate into client from server
On Sat, Jul 28, 2012 at 4:25 PM, fosiul alam <expertalert@gmail.com> wrote:
> Hi
> Don't know how to reply on the same thread.
Just click on reply and leave the subject of the mail untouched.
> But thanks for the quick reply.
> It's case sensitive, so I created the cert file
> and I put that one into the client, and I configured it as documented:
> /etc/openldap/ldap.conf
> URI ldap://ldap-2.fosiul.lan/
> BASE dc=fosiul,dc=lan
> TLS_CACERTDIR /etc/openldap/cacerts/
> TLS_REQCERT allow
> #TLS_CACERT /etc/openldap/cacerts/cacert.asc
> And in /etc/ldap.conf:
> base dc=fosiul,dc=lan
> uri ldap://ldap-2.fosiul.lan/
> ssl start_tls
> tls_cacertdir /etc/openldap/cacerts/
You should use pam_password clear because your password is being hashed by your client system before it is sent to the Directory Server. This is not allowed since the server would have no way to enforce its password policy against a pre-hashed password. You need to configure /etc/ldap.conf to send the clear text password to the LDAP server. You should use SSL/TLS to protect the password in transit (which you already have).
> And I can see it created another file in the /etc/openldap/cacerts/ directory like this:
> 5be5959f.0    ds-ca.crt
> And when I do like this:
> id usrname
> it does not find the user, and I don't see any error in /var/log/message.
> So it's like it's connecting to LDAP, but it does not get any information.
> Do I have to say Cn="Directory Manager" somewhere in the ldap.conf file?
> Thanks for your help.
> Fosiul
> But in the client's log file
Copy the my-public-ca.asc file into /etc/openldap/cacerts:
# cp my-public-ca.asc /etc/openldap/cacerts
# cacertdir_rehash /etc/openldap/cacerts
This will create a file like below. (Check for the soft link file ending with .0)
Now try to run ldapsearch using -ZZ (for start_tls). Make sure you give the exact hostname which you used while creating the cert in this step:
"certutil -S -n "server-cert" -s "cn=directory.example.com""
If this works, then your TLS is working. Now try to configure pam_ldap with TLS.
Regards
Arpit Tolani
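Added example (not code from the thread or from the 389 project) that carries the steps above through in POSIX shell: it installs a CA file into TLS_CACERTDIR with the hash link that cacertdir_rehash would create, checks that the host in the URI matches the certificate name, and flags the TLS_REQCERT allow setting from the quoted ldap.conf, which lets the session continue without verifying the server and so undermines the point of protecting the clear password with TLS. It assumes openssl is on PATH; the host ldap-2.example.test, the directory paths and the self-signed certificate (standing in for both the CA and the server cert) are constructed for the demo.

```shell
# Added example, not code from the list thread. Installs a CA file into an OpenLDAP
# TLS_CACERTDIR the way cacertdir_rehash does (a <subject-hash>.0 symlink, which
# is what the 5be5959f.0 entry in the thread is) and audits the client ldap.conf
# for the settings discussed. Assumes openssl is on PATH; all paths, hostnames and
# certificates are constructed here for the demo.

# Copy the CA into the directory and add the hash link libldap looks up.
# Prints the link name, e.g. "5be5959f.0".
install_ca() {
    ca_file=$1; cacertdir=$2
    mkdir -p "$cacertdir"
    cp "$ca_file" "$cacertdir/"
    hash=$(openssl x509 -in "$ca_file" -noout -hash)
    ln -sf "$(basename "$ca_file")" "$cacertdir/$hash.0"
    echo "$hash.0"
}

# Succeed only if ldap.conf makes libldap verify the server certificate.
# With TLS_REQCERT allow/try/never the session continues on a bad or missing
# certificate, so the password sent with "pam_password clear" is exposed to an
# impersonating server. demand (the default) or hard rejects the connection.
check_reqcert() {
    val=$(awk 'tolower($1)=="tls_reqcert"{print tolower($2)}' "$1" | tail -n1)
    case "${val:-demand}" in
        demand|hard) return 0 ;;
        *) return 1 ;;
    esac
}

# The server certificate must be issued for the exact host named in the URI
# (the thread's "certutil -S ... -s cn=directory.example.com" step).
# Succeed if the certificate CN equals the host taken from ldap.conf.
check_uri_host() {
    conf=$1; cert=$2
    host=$(awk 'tolower($1)=="uri"{print $2}' "$conf" | sed -e 's#^ldaps\{0,1\}://##' -e 's#[/:].*$##')
    cn=$(openssl x509 -in "$cert" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ -n "$host" ] && [ "$host" = "$cn" ]
}

# Demo: a constructed self-signed CA installed into a temporary cacerts directory.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ldap-2.example.test" \
    -keyout "$demo_dir/ca.key" -out "$demo_dir/ds-ca.crt" >/dev/null 2>&1
link=$(install_ca "$demo_dir/ds-ca.crt" "$demo_dir/cacerts")
printf 'URI ldap://ldap-2.example.test/\nTLS_CACERTDIR %s\nTLS_REQCERT allow\n' \
    "$demo_dir/cacerts" > "$demo_dir/ldap.conf"
echo "installed $link -> ds-ca.crt"
check_reqcert "$demo_dir/ldap.conf" || echo "TLS_REQCERT allow: server certificate is not verified"
check_uri_host "$demo_dir/ldap.conf" "$demo_dir/ds-ca.crt" && echo "URI host matches certificate CN"
```

Once the link and the hostname check pass, ldapsearch -ZZ against the real server is the live test; switch TLS_REQCERT to demand before relying on the password path.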
07-28-2012, 11:21 AM
Grzegorz Dwornicki
How to export CA certificate into client from server
To make the system aware of users in 389 you need to configure other files: /etc/ldap.conf (el5 systems) or /etc/nss_ldap.conf (el6 systems) + /etc/nsswitch.conf + PAM modules (/etc/pam.d/system-auth + install the pam_ldap module). On RHEL/Fedora/CentOS/SL you can do this the easy way using authconfig, authconfig-tui or system-config-authentication. I don't recommend messing manually with PAM without reading some docs about them, because you can break login on your system.
Consider using one of the three tools I have told you about. They can modify all required files. You may be required to install the nss-pam-ldapd package on el6 systems for PAM to work; this will install the nslcd daemon too as a dependency. I usually set FORLEGACY to yes in /etc/systemconfig/authconfig on el6 systems.
2012/7/28 fosiul alam <expertalert@gmail.com>
> Hi
> Don't know how to reply on the same thread.
> But thanks for the quick reply.
> It's case sensitive, so I created the cert file
> and I put that one into the client, and I configured it as documented:
> /etc/openldap/ldap.conf
> URI ldap://ldap-2.fosiul.lan/
> BASE dc=fosiul,dc=lan
> TLS_CACERTDIR /etc/openldap/cacerts/
> TLS_REQCERT allow
> #TLS_CACERT /etc/openldap/cacerts/cacert.asc
> And in /etc/ldap.conf:
> base dc=fosiul,dc=lan
> uri ldap://ldap-2.fosiul.lan/
> ssl start_tls
> tls_cacertdir /etc/openldap/cacerts/