Old 07-27-2012, 06:15 PM
fosiul alam
 
How to export CA certificate into client from server

Hi, I have installed the SSL certificate from the below script:
https://github.com/richm/scripts/blob/master/setupssl2.sh

It went fine,
but I don't understand how I will create the certificate file for the clients.

According to the documentation: http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients
I need to export the CA cert from ASCII, which is cacert.asc, but I don't understand how I will do that.

I have cacert.asc in the /etc/dirsrv/slapd-instance directory
but don't know how to export the cert file into the client's /etc/openldap/cacerts/. I have been trying this for the last couple of days.
Can anyone please help me?

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 07-27-2012, 11:35 PM
Grzegorz Dwornicki
 
How to export CA certificate into client from server

Well, back in CentOS/Red Hat/Fedora Directory Server this could be done like this:

First you should check what certificate names you have in the certutil database. In the slapd directory type:

certutil -d . -L

This should show you all certificates in the database (server certificates as well). Usually CA certs are named so you could recognize them.

Now you need to choose the CA certificate from the list and use it in this command:

certutil -d . -L -n "THE_NAME_OF_YOUR_CA_CERT_HERE" -a > /root/ds-ca.crt

I did not use 389 much, but I think this should work on 389 as well as on EL5 distros where I've tested this way of exporting certs.

The rest of the article should be clear now. Remember to enable SSL/TLS or StartTLS on 389.

Good luck
Grzegorz

 
Old 07-28-2012, 10:14 AM
fosiul alam
 
How to export CA certificate into client from server

Hi,
Thanks for the reply,
but there is a problem. Here is the example:

certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,u
server-cert                                                  u,u,u
Server-Cert                                                  u,u,u
[root@ldap-2 slapd-ldap-2]# certutil -d . -L -n "CA Certificate" -a > /root/ds-ca.crt

certutil: Could not find cert: CA Certificate
: File not found.

So it does not find the file.

What shall I do?
Thanks


 
Old 07-28-2012, 10:21 AM
Grzegorz Dwornicki
 
How to export CA certificate into client from server

I am not sure about case sensitivity in names, so just to be sure: your CA is named "CA certificate" and you used the name "CA Certificate".



 
Old 07-28-2012, 10:21 AM
Arpit Tolani
 
How to export CA certificate into client from server

Hello

# certutil -d . -L -n "CA certificate" -a > my-public-ca.asc
It should be the same as created. You actually have "CA certificate" and you are trying to extract "CA Certificate". Look at the upper/lower case.


Regards
Arpit Tolani

 
Old 07-28-2012, 10:55 AM
fosiul alam
 
How to export CA certificate into client from server

Hi,
I don't know how to reply on the same thread,

but thanks for the quick reply.

It's case sensitive, so I created the cert file
and I put that one into the client, and I configured it as documented.

/etc/openldap/ldap.conf

URI ldap://ldap-2.fosiul.lan/
BASE dc=fosiul,dc=lan
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
#TLS_CACERT /etc/openldap/cacerts/cacert.asc

and in /etc/ldap.conf

base dc=fosiul,dc=lan
uri ldap://ldap-2.fosiul.lan/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts/
#TLS_CACERT /etc/openldap/cacerts/cacert.asc
pam_password md5

And I can see it created another file in the /etc/openldap/cacerts/ directory, like this:

5be5959f.0  ds-ca.crt

and when I do this:

id username

it does not find the user, and I don't see any error in /var/log/messages.

So it's like it's connecting to LDAP, but it does not get any information.

Do I have to say cn="Directory Manager" somewhere in the ldap.conf file?

Thanks for your help.

Fosiul

but in the clients' log file


 
Old 07-28-2012, 11:07 AM
Arpit Tolani
 
How to export CA certificate into client from server

On Sat, Jul 28, 2012 at 4:25 PM, fosiul alam <expertalert@gmail.com> wrote:

> Hi,
> I don't know how to reply on the same thread.

Just click on reply and leave the subject of the mail untouched.

> but thanks for the quick reply.
>
> It's case sensitive, so I created the cert file
> and I put that one into the client, and I configured it as documented.
>
> /etc/openldap/ldap.conf
>
> URI ldap://ldap-2.fosiul.lan/
> BASE dc=fosiul,dc=lan
> TLS_CACERTDIR /etc/openldap/cacerts/
> TLS_REQCERT allow
> #TLS_CACERT /etc/openldap/cacerts/cacert.asc
>
> and in /etc/ldap.conf
>
> base dc=fosiul,dc=lan
> uri ldap://ldap-2.fosiul.lan/
> ssl start_tls
> tls_cacertdir /etc/openldap/cacerts/
> #TLS_CACERT /etc/openldap/cacerts/cacert.asc
> pam_password md5

You should use pam_password clear, because your password is being hashed by your client system before it is sent to the Directory Server. This is not allowed, since the server would have no way to enforce its password policy against a pre-hashed password. You need to configure /etc/ldap.conf to send the clear text password to the LDAP server. You should use SSL/TLS to protect the password in transit (which you already have).

> And I can see it created another file in the /etc/openldap/cacerts/ directory, like this:
>
> 5be5959f.0  ds-ca.crt
>
> and when I do this:
>
> id username
>
> it does not find the user, and I don't see any error in /var/log/messages.
>
> So it's like it's connecting to LDAP, but it does not get any information.
>
> Do I have to say cn="Directory Manager" somewhere in the ldap.conf file?
>
> Thanks for your help.
>
> Fosiul
>
> but in the clients' log file

Copy the my-public-ca.asc file into /etc/openldap/cacerts:
# cp my-public-ca.asc /etc/openldap/cacerts
# cacertdir_rehash /etc/openldap/cacerts

This will create a file like below (check for the soft link file ending with .0):

[root@atolani cacerts]# ll
total 4
lrwxrwxrwx. 1 root root  16 Apr 24 11:16 2c47a1a7.0 -> my-public-ca.asc
-rw-r--r--. 1 root root 851 Apr  9 01:13 my-public-ca.asc

Now try to run ldapsearch using -ZZ (for start_tls). Make sure you give
the exact hostname which you used while creating the cert in this step:
certutil -S -n "server-cert" -s "cn=directory.example.com"

Something like this:

ldapsearch -x -ZZ -D "cn=Directory manager" -w password -h directory.example.com -b "dc=example,dc=com"

If this works, then your TLS is working. Now try to configure pam_ldap with TLS.

Regards
Arpit Tolani




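Two of the checks raised in this reply (the URI host must be the exact name the server certificate was issued for, and pam_password must not pre-hash the password) can be run mechanically over the client config posted in the thread; the block below is an added example, not code from the thread or from 389/OpenLDAP. It assumes the server certificate CN is the FQDN ldap-2.fosiul.lan, and it also flags TLS_REQCERT values other than demand/hard, since those let a bad or missing server certificate pass unverified.

```python
import re
# Constructed sample: the ldap.conf posted in the thread plus its pam_password line.
SAMPLE_LDAP_CONF = """\
URI ldap://ldap-2.fosiul.lan/
BASE dc=fosiul,dc=lan
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
#TLS_CACERT /etc/openldap/cacerts/cacert.asc
pam_password md5
"""

def parse_ldap_conf(text):
    """Map upper-cased keys to values; blank and '#' comment lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.upper()] = value.strip()
    return conf

def hostname_matches(cert_cn, host):
    """Exact (case-insensitive) match, or a single-label wildcard like *.fosiul.lan."""
    cert_cn, host = cert_cn.lower().rstrip("."), host.lower().rstrip(".")
    if cert_cn == host:
        return True
    if cert_cn.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == cert_cn[2:]
    return False

def audit_ldap_client(text, cert_cn):
    """Return the findings a reviewer would raise; an empty list means clean."""
    conf = parse_ldap_conf(text)
    findings = []
    m = re.match(r"ldaps?://([^/:]+)", conf.get("URI", ""))
    host = m.group(1) if m else ""
    if not host:
        findings.append("URI has no host")
    elif not hostname_matches(cert_cn, host):   # the '-h ldap-2' short-name error
        findings.append("hostname %s does not match CN %s" % (host, cert_cn))
    reqcert = conf.get("TLS_REQCERT", "demand").lower()   # demand is the default
    if reqcert not in ("demand", "hard"):
        findings.append("TLS_REQCERT %s: a bad or missing server cert is not rejected" % reqcert)
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: server cert cannot be verified")
    if conf.get("PAM_PASSWORD", "").lower() in ("md5", "crypt"):
        findings.append("pam_password %s: client pre-hashes the password, so the server "
                        "cannot enforce its password policy" % conf["PAM_PASSWORD"])
    return findings
```

Run against the posted config it reports the TLS_REQCERT allow and pam_password md5 lines; with the host shortened to ldap-2 it reports the same mismatch ldapsearch -ZZ later fails on.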
 
Old 07-28-2012, 11:21 AM
Grzegorz Dwornicki
 
How to export CA certificate into client from server

To make the system aware of users in 389 you need to configure other files: /etc/ldap.conf (EL5 systems) or /etc/nss_ldap.conf (EL6 systems) + /etc/nsswitch.conf + PAM modules (/etc/pam.d/system-auth + install the pam_ldap module). On RHEL/Fedora/CentOS/SL you can do this the easy way using authconfig, authconfig-tui or system-config-authentication. I don't recommend messing manually with PAM without reading some docs about it, because you can break login on your system.

Consider using one of the three tools I have told you about. They can modify all required files. You may be required to install the nss-pam-ldapd package on EL6 systems for PAM to work; this will install the nslcd daemon too as a dependency. I usually set FORCELEGACY to yes in /etc/sysconfig/authconfig on EL6 systems.


 
Old 07-28-2012, 11:24 AM
fosiul alam
 
How to export CA certificate into client from server

Hi,
I am not getting replies by email, so I can't click on reply.
How will I get replies by email?

@<arpittolani@gmail.com>

I think I have done something wrong creating the certs.

I have used the below script to create all the certificates: https://github.com/richm/scripts/blob/master/setupssl2.sh

Now when I do this, I get the below error:

ldapsearch -x -ZZ -D "cn=Directory manager" -w password -h ldap-2 -b "dc=fosiul,dc=lan"

ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate

 
Old 07-28-2012, 11:31 AM
Arpit Tolani
 
How to export CA certificate into client from server

Hi


Can you start from scratch, with the steps given in
http://lists.fedoraproject.org/pipermail/389-users/2012-March/014200.html

Use it as per your environment. Change the certificate names if you want; I didn't use the default server cert.

Regards
Arpit Tolani

