SSH Public keys
by Conor O'Callaghan
Hi all,
I'm just wondering if anyone has experience storing public keys in 389
directory server to allow a user to login using an ssh-key rather than a
password? I am running the server on Ubuntu 13.10 and the client is Ubuntu
12.04.
Thanks all,
Conor
10 years, 3 months
Upgraded to RHDS 9.1 but Console is Still Looking for 9.0 JAR
by Paul Whitney
Hi,
I recently updated RHDS 9.0 servers to 9.1. I am getting mixed results with the update. Steps taken:
1. Stop all dirsrv and dirsrv-admin services
2. Executed yum localupdate *.rpm
3. After the yum completes, execute setup-ds.pl --debug --update (no errors generated; status is "databases updated successfully").
4. Reinstall openldap (based on RHBA-2013-0778).
5. Reboot system. (I do this because restarting the dirsrv-admin service still generates the NSS error in the error log, but with a reboot it does not.)
6. Connect to the system and see the jars have not loaded. I select Admin and an error states I do not have the 9.0 jar and cannot install.
I checked the master and it no longer has the 9.0 jar, but rather the 9.1. But for some reason the admin server is still looking for 9.0 jars.
I tried to change the /etc/dirsv/admin-serv/local.conf file to look like a working 9.1 local.conf file, but it seems that file is ignored.
Looking for ideas on what else I can do to "upgrade" the directory server.
Paul M. Whitney
E-mail: paul.whitney(a)mac.com
10 years, 3 months
DS+SSL Start up Errors...
by David Barr
Good Morning!
I’m working my way through
http://directory.fedoraproject.org/wiki/Howto:SSL
trying to create the certificates with OpenSSL, and then get them added to the NSS database. Most of that is fine. It’s only at the end that the directory server refuses to start, with these errors:
###
SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
ERROR: SSL Initialization Failed.
###
Here’s what I’m going through. These commands are cut/pasted out of a script, so you’ll see my variable substitution. As far as that goes, these commands all return without error. (For what it’s worth, once everything works, I plan to post the script as an alternative to setupssl.sh and setupssl2.sh.)
### Private Key:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$PRIVATE_RSA_BITS -outform PEM -out $F_PRIVATE_KEY
### CA Certificate:
openssl req -new -x509 -extensions v3_ca -key $F_PRIVATE_KEY -days $CERT_CA_EXPIRE \
-subj $CERT_CA_SUBJ -out $F_CERT_CA
### Host Certificate Request:
openssl req -new -nodes -key $F_PRIVATE_KEY -days $HOST_CERT_EXPIRE -subj $CERT_CA_SUBJ \
-out $F_CERT_REQ
### Self-sign the Request:
openssl ca -keyfile $F_PRIVATE_KEY -selfsign -days $HOST_CERT_EXPIRE -in $F_CERT_REQ \
-out $F_HOST_CERT
### Create a password file to use with creating and populating the certificate database:
echo $PASSWORD > $F_PW_FILE
chown nobody:nobody $F_PW_FILE
chmod u+r,u-wxs,g-rwxs,o-rwxt $F_PW_FILE
### Create the pin.txt file for NSPR:
echo "Internal (Software) Token:$PASSWORD" > $F_PINFILE
chown nobody:nobody $F_PINFILE
chmod u+r,u-wxs,g-rwxs,o-rwxt $F_PINFILE
### Adapt the host certificate to PKCS12 format:
openssl pkcs12 -export -in $F_HOST_CERT -inkey $F_PRIVATE_KEY -out $F_HOST_PKCS \
-passout file:${F_PW_FILE} -name "${PKCS_CERT_NAME}"
### Create the certificate database:
certutil -N -d sql:$D_INSTANCE_VAR -f $F_PW_FILE
### Import the host certificate:
pk12util -v -i $F_HOST_PKCS -d sql:$D_INSTANCE_VAR -k $F_PW_FILE -w $F_PW_FILE
### Import the CA certificate:
certutil -A -d sql:$D_INSTANCE_VAR -n "Local CA Certificate" -t CT,, -a -i $F_CERT_CA -f $F_PW_FILE
### List the certificates (This returns both certificates in good order):
certutil -L -d sql:$D_INSTANCE_VAR
### Finally, the LDAP modifications (I also set up the “MemberOf” plugin, here. That’s been redacted for clarity.):
ldapmodify -x -h localhost -D "cn=Directory Manager" -w $PASSWORD <<EOT
dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: SSHA512
-
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off

dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha,-rc4,-rc4export,-rc2,-rc2export,-des,
 -desede3

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOT
After that, `service restart dirsrv ${INSTANCE}`, as nobody:nobody, returns the errors I showed at the top of this message.
Thoughts?
Thanks!
David
--
David - Offbeat http://dafydd.livejournal.com
dafydd - Online http://pgp.mit.edu/
Battalion 4 - Black Rock City Emergency Services Department
Integrity*Commitment*Communication*Support
----5----1----5----2----5----3----5----4----5----5----5----6----5----7--
Pavlov walks into a bar. The phone rings and he says,
"Damn! I forgot to feed the dog!"
10 years, 3 months
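A consistency check for the kind of setup described in David's post, added here as an example (it is not part of his script or of 389 DS): it parses a `certutil -L` listing, the cn=RSA entry and pin.txt (all constructed samples inline) and reports when the nickname in nsSSLPersonalitySSL is absent from the NSS database, when no certificate is trusted as a CA, or when the pin file's token name does not match nsSSLToken. The mapping of nsSSLToken "internal (software)" to the pin-file name "Internal (Software) Token" is assumed from setupssl2.sh's convention.

```python
import re

# Constructed sample inputs (not from the post): what `certutil -L -d <instance dir>` prints,
# the cn=RSA entry from the post's LDIF, and pin.txt as the post's script writes it.
CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

my-host-cert                                                 u,u,u
Local CA Certificate                                         CT,,
"""
ENCRYPTION_LDIF = """\
dn: cn=RSA,cn=encryption,cn=config
objectclass: nsEncryptionModule
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
"""
PIN_TXT = "Internal (Software) Token:s3cret\n"


def parse_certutil_listing(text):
    """Map nickname -> trust flags; header lines never match the flags-only tail."""
    certs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s{2,}([CTPcpuw,]*)\s*$", line)
        if m:
            certs[m.group(1)] = m.group(2)
    return certs


def parse_ldif_attrs(text):
    """First value of each attribute in one LDIF entry, keyed by lower-cased name."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            attrs.setdefault(name.strip().lower(), value.strip())
    return attrs


def check_ssl_config(listing, ldif, pin_txt):
    """Cross-check NSS DB contents, the cn=RSA entry and pin.txt; return a list of findings."""
    findings = []
    certs = parse_certutil_listing(listing)
    cfg = parse_ldif_attrs(ldif)
    nick = cfg.get("nssslpersonalityssl", "")
    if nick not in certs:
        findings.append("nsSSLPersonalitySSL %r is not in the NSS DB (have %s)" % (nick, sorted(certs)))
    elif "u" not in certs[nick].split(",")[0]:
        findings.append("%r has no private key in this DB (SSL trust %r)" % (nick, certs[nick]))
    if not any("C" in flags.split(",")[0] for flags in certs.values()):
        findings.append("no certificate carries C/CT in the SSL trust column, so no CA is trusted")
    # Assumed convention: pin.txt is keyed by the full NSS token name ("Internal (Software) Token").
    pin_token = pin_txt.split(":", 1)[0].strip().lower()
    want = cfg.get("nsssltoken", "").lower()
    if pin_token not in (want, want + " token"):
        findings.append("pin file token %r does not match nsSSLToken %r" % (pin_token, want))
    return findings
```

Run against the sample data it flags that the PKCS12 was imported under a nickname other than the one cn=RSA points at, which is exactly the kind of mismatch worth ruling out before reading NSPR error codes.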
389DS UUID with Apple calendarserver
by Oliver Werner
hello guys,
I use OpenLDAP and would like to upgrade to 389DS.
In OpenLDAP a field entryUUID exists which I use on my Apple calendar server. It has the format of the GUID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.
In 389DS I have only found the nsUniqueID field with the XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX format. Is there an attribute in 389DS for using the GUID format?
Thank you for your help
Sincerely yours
Oliver
10 years, 3 months
Re: [389-users] "Re:Binding Directory Manager as default Bind when using SSL/TLS certificate (please help)"
by Fosiul alam
Hi Predrag
I just realized that from the server itself I can do a search without
providing a BindDN and password.
But I can't do this from the client....
Example below from the server itself:
[root@puppet-1 slapd-puppet-1]# ldapsearch -xZZZ
# extended LDIF
#
# LDAPv3
# base <dc=fosiul,dc=lan> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# fosiul.lan
dn: dc=fosiul,dc=lan
dc: fosiul
objectClass: domain
objectClass: top
# groups, fosiul.lan
dn: ou=groups,dc=fosiul,dc=lan
ou: groups
objectClass: organizationalUnit
objectClass: top
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2
[root@puppet-1 slapd-puppet-1]#
So, it looks like there is a restriction on anonymous search from the client.
Any idea where to look?
10 years, 3 months