Sorry for the confusion, "server clients certs" means generating certs for
the client. These are the exact same steps from the Red Hat manuals.
This works if I copy this cacert.asc file to my client machines. But how do I
get clients onto both LDAP servers? As an example, if I specify both LDAP
server names, say ldap01.net and ldap02.net, and one goes down, it will
try to get authentication working from the secondary one.
What I am doing is generating the cacert.asc from one server, importing
it into the second server and copying the same cacert.asc across all the
client machines.
--
http://about.me/chandank
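The client-side piece the question above asks for, as an added example (not from the thread or the 389 project): an sssd.conf LDAP domain that lists both servers for failover and trusts the exported CA certificate. The hostnames ldap01.net and ldap02.net are from the post; the domain name, search base and CA file path are assumptions.

```ini
# /etc/sssd/sssd.conf (added example; domain name and paths are assumed)
[sssd]
services = nss, pam
domains = my.net

[domain/my.net]
id_provider = ldap
auth_provider = ldap
ldap_search_base = dc=my,dc=net
# Both servers in preference order: SSSD fails over to ldap02.net
# when ldap01.net does not answer.
ldap_uri = ldap://ldap01.net, ldap://ldap02.net
ldap_id_use_start_tls = true
# Demand a valid certificate from whichever server answers.
ldap_tls_reqcert = demand
# The CA certificate exported with `certutil -L -n "CA certificate" -a`
# and copied to the client. Each server's own Server-Cert must be issued
# by this CA and carry that server's DNS name as its subject; if only one
# server meets that, only that server passes the check.
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
```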
On Sat, Jan 5, 2013 at 4:37 PM, Orion Poplawski <orion(a)cora.nwra.com> wrote:
On 01/04/2013 05:34 PM, Chandan Kumar wrote:
> Hello All,
>
> I was wondering if anyone could help me with this setup. I would
> like to have 2 LDAP servers specified on the clients using SSSD.
>
> Without TLS/Encryption (PAM/NSS) it works just fine, however, the moment
> I turn on TLS/StartTLS only one server works whereas the other does not and
> gives the "Certification Not trusted" error.
>
> Here is what I did.
>
> certutil -S -n "CA certificate" -s "cn=My Org CA cert,dc=my,dc=net" -2 \
>   -x -t "CT,," -m 1000 -v 120 -d . -k rsa -f /tmp/pwdfile
>
> # Generate Directory server clients certs
> certutil -S -n "Server-Cert" -s "cn=ldap.my.net" -c "CA certificate" \
>   -t "u,u,u" -m 1001 -v 120 -d . -k rsa -f /tmp/pwdfile
>
Not sure what you mean by "server clients certs" here. This is the server
cert for this server. I would think the subject name should just be
"ldap.my.net", but maybe this form works too. You also need to do this on
your second server using its DNS name.
> # Export it for ldap clients and other servers
> certutil -d . -L -n "CA certificate" -a > cacert.asc
>
> Then I imported the same cacert.asc file to another 389 server using
> "certutil". And copied it at the client as well.
>
> I would see the certificate got imported in the GUI console but for
> some reason every time I query from the client to the secondary server (where
> I imported the key) it just does not work.
>
> Would appreciate any help. Not sure what step I am using or what am I
> doing wrong.
>
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion(a)cora.nwra.com
Boulder, CO 80301
http://www.cora.nwra.com
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users