Jeff Moody wrote:
I'm trying to set up two 389 Directory Services servers in a
replication scenario. I can do this quite easily without any SSL/TLS setup.
In an effort to improve the security of our environment, I would like to get TLS
configured so that this replication (and all LDAP authentication attempts) are encrypted.
Using the scripts provided at http://directory.fedoraproject.org/wiki/Howto:SSL I can get
one server using SSL; however, when I try to establish the cross-server communication, the
SSL/TLS keys appear to fall apart.
My understanding from the logs on the systems is that the two servers (FDSMEM1 and FDSMEM2)
do not have a common CA, and so their server certs do not trust each other.
So, I have set up TinyCA and created a CA cert from a third server. I have generated
manual cert requests on the two LDAP servers (after registering the CA cert) and generated
the certificates. Replication appears to be working through TLS.
Now, the problem I am having.
When I run the command `certutil -L -d . -n "CA certificate" -a > cacert.asc` I get a
cacert.asc. When I deploy this cacert.asc to my LDAP clients as the key for TLS to start,
though, it appears that something isn't handshaking well and I am never able to query the
LDAP server from a client.
Has anyone gotten a 389DS system (or pair of systems) fully working with certs managed
& created by TinyCA2? If so, what are the gotchas that I must be missing to get this
working? Would anyone be willing to help me write a HOWTO on getting this working so that
it would be outlined more effectively for newer users?
I'm not sure what's going on with your setup. I do know that, in order
for an SSL client to talk to an SSL server, the SSL client needs the CA
cert of the CA that issued the SSL server's cert.
There is some information about TinyCA2 here -
don't know how accurate it is, or how applicable it is to your situation.
Senior Systems Engineer
Electronic Vaulting Services
5050 Poplar Ave., Suite 1600
Memphis, TN 38157
(901) 259-2387 - 24x7 Helpdesk
(901) 213-5146 - Office
(901) 497-1444 - Mobile
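The rule in the reply above (an SSL client can only validate the server cert if it has the cert of the CA that issued it) is easy to check offline before touching the LDAP servers. The script below is an added example, not code from the thread, the 389 project, or TinyCA: it builds two throwaway CAs with openssl, issues a server cert for a hypothetical host fdsmem1.example.com from one of them, and then shows that `openssl verify` succeeds only against the issuing CA. The CA names, host name and client paths are assumptions for illustration; the certutil, ldapsearch and s_client commands in the comments are real tools but are not executed here.

```shell
#!/bin/sh
# Added example (not from the original post): demonstrate that a client
# trusts a 389DS server cert only when it holds the issuing CA's cert.
# Hypothetical names: CAs "TinyCA" and "OtherCA", host fdsmem1.example.com.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; skipping" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key and cert in $WORK (stands in for TinyCA2)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_server_cert CA HOST: a CSR for HOST signed by CA, like the manual
# requests the poster generated on each LDAP server and signed in TinyCA
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -sha256 -out "$WORK/$2.crt" 2>/dev/null
}

# chain_ok CAFILE CERT: exit 0 if CERT validates against CAFILE, else non-zero.
# This is exactly what the LDAP client does during the TLS handshake.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# is_pem FILE: a cacert.asc exported with "certutil -L ... -a" must be a PEM
# certificate block; anything else (DER, an empty file, a key) will not work
# as TLS_CACERT on an OpenLDAP client.
is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
        && openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# cert_subject FILE: print the subject in RFC 2253 form, e.g. CN=host
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

make_ca TinyCA
make_ca OtherCA
issue_server_cert TinyCA fdsmem1.example.com

echo "server cert subject: $(cert_subject "$WORK/fdsmem1.example.com.crt")"
is_pem "$WORK/TinyCA.crt" && echo "TinyCA.crt is a PEM certificate (usable as cacert.asc)"

if chain_ok "$WORK/TinyCA.crt" "$WORK/fdsmem1.example.com.crt"; then
    echo "client holding TinyCA cert: handshake would succeed"
fi
if ! chain_ok "$WORK/OtherCA.crt" "$WORK/fdsmem1.example.com.crt"; then
    echo "client holding a different CA cert: verification fails (the symptom in the post)"
fi

# Deploying the exported CA cert (commands shown, not run here):
#   OpenLDAP client, in /etc/openldap/ldap.conf (path is an assumption):
#     TLS_CACERT /etc/openldap/cacerts/cacert.asc
#     TLS_REQCERT demand
#   NSS-based client or a 389DS peer, import into its cert DB instead:
#     certutil -A -d /path/to/certdb -n "CA certificate" -t "CT,," -i cacert.asc
# Checking from the client against the live server:
#     openssl s_client -connect fdsmem1.example.com:636 -CAfile cacert.asc
#     ldapsearch -ZZ -x -H ldap://fdsmem1.example.com -b "" -s base
```

The two `chain_ok` calls reproduce the situation in the post: the same server cert is valid or invalid depending solely on which CA cert the client holds, so a client that never completes the handshake is most likely loading a cert that is not the issuer (or not PEM at all), which `is_pem` and `openssl s_client` will show directly.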
389 users mailing list