3:43 p.m.
Hi all,
I am currently trying to script the setup of a directory using the ConfigFile entry within
an INF file, and so far I've hit a snag.
In order to enable SSL on the directory, first I must use certutil to import the
certificate to be used, otherwise the attempt to add the cn=RSA,cn=encryption,cn=config
entry fails saying "No such object". If I set up the directory, then manually
add the certificates, then manually enable SSL by adding the
cn=RSA,cn=encryption,cn=config entry (and various other SSL related configs), it seems to
work fine.
Is there some way of getting setup-ds.pl to import a given certificate (p12 file,
whatever) when the server is set up, in addition to creating the initial certificate
database within /etc/dirsrv/slapd-INSTANCE/?
Regards,
Graham
--
1:18 a.m.
Obviously the setup-ds.pl script can be modified to import certificate,
but I'd prefer installing server without SSL firstly and then use
additional script to install certificate(s) and enable SSL for
server/admin unattended.
Let me know if you need any examples.
Regards,
Vlad.
On 23/12/12 22:43, Graham Leggett wrote:
Hi all,
I am currently trying to script the setup of a directory using the ConfigFile entry
within an INF file, and so far I've hit a snag.
In order to enable SSL on the directory, first I must use certutil to import the
certificate to be used, otherwise the attempt to add the cn=RSA,cn=encryption,cn=config
entry fails saying "No such object". If I set up the directory, then manually
add the certificates, then manually enable SSL by adding the
cn=RSA,cn=encryption,cn=config entry (and various other SSL related configs), it seems to
work fine.
Is there some way of getting setup-ds.pl to import a given certificate (p12 file,
whatever) when the server is set up, in addition to creating the initial certificate
database within /etc/dirsrv/slapd-INSTANCE/?
Regards,
Graham
--
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
3:03 a.m.
On 24 Dec 2012, at 09:18, Vlad <vovan(a)vovan.nl> wrote:
Obviously the setup-ds.pl script can be modified to import
certificate, but I'd prefer installing server without SSL firstly and then use
additional script to install certificate(s) and enable SSL for server/admin unattended.
Let me know if you need any examples.
This is a real pity.
The ConfigFile option is a clean and simple way to load ldif without messing about with
trying to script an ldapmodify, which in turn means trying to script a secure way to pass
the credentials.
It didn't make any sense that you could preconfigure the directory but not
preconfigure the certs, which has to be done before you can preconfigure the ssl directory
config. The error you get when trying to add the cn=RSA,cn=encryption,cn=config object
when the corresponding cert doesn't exist is "No such object", which implies
that cn=encryption,cn=config does not exist, which obviously it does.
Regards,
Graham
--
4:52 a.m.
I don't see the problem. Simply install DS without SSL and then:
1. use ldapmodify to import SSL settings (see the example below)
2. use pk12util tiu import certificate
3. use certutil to change trusts
All the things above could be done completely unattended...
Regards,
Vlad.
An example of LDIF file for configuring SSL
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+r
sa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha
,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_
56_sha,+tls_rsa_export1024_with_des_cbc_sha,+tls_rsa_aes_128_sha,+tls_rsa_aes
_256_sha
dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: on
-
replace: nsslapd-secureport
nsslapd-secureport: $sslport
dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLToken: internal (software)
nsSSLActivation: on
nsSSLPersonalitySSL: $certname
On 24/12/12 10:03, Graham Leggett wrote:
On 24 Dec 2012, at 09:18, Vlad <vovan(a)vovan.nl> wrote:
> Obviously the setup-ds.pl script can be modified to import certificate, but I'd
prefer installing server without SSL firstly and then use additional script to install
certificate(s) and enable SSL for server/admin unattended.
> Let me know if you need any examples.
This is a real pity.
The ConfigFile option is a clean and simple way to load ldif without messing about with
trying to script an ldapmodify, which in turn means trying to script a secure way to pass
the credentials.
It didn't make any sense that you could preconfigure the directory but not
preconfigure the certs, which has to be done before you can preconfigure the ssl directory
config. The error you get when trying to add the cn=RSA,cn=encryption,cn=config object
when the corresponding cert doesn't exist is "No such object", which implies
that cn=encryption,cn=config does not exist, which obviously it does.
Regards,
Graham
--
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
5:32 a.m.
On 24 Dec 2012, at 12:52 PM, Vlad <vovan(a)vovan.nl> wrote:
I don't see the problem. Simply install DS without SSL and then:
1. use ldapmodify to import SSL settings (see the example below)
2. use pk12util tiu import certificate
3. use certutil to change trusts
All the things above could be done completely unattended…
The problem is that the above shouldn't be necessary, because setup-ds.pl has the INF
file and ConfigFile options to provide the config in one go. This ConfigFile mechanism is
rendered useless, because there is no ability to configure the certificate database in
advance.
Regards,
Graham
--
9:47 p.m.
Hi Graham,
I too haven't done enabling SSL using setup-ds.pl, and I don't believe
setup-ds.pl was written to allow you to configure SSL as part of directory
server initial setup.
Of course you can modify setup-ds.pl per your need to configure SSL in one
shot but now you will be maintaining your own version of setup-ds.pl and
you have to keep in sync with the latest setup-ds.pl if you decide to
reinstall the LDAP with the latest version or for other reasons.
What I have been doing is similar to what Vlad suggested. I ran
setup-ds.plfirst and then run my own script to configure SSL and
replication. I
believe the Red Hat Directory Server Administration has instructions on how
to configure SSL via command-line.
Good luck!
- dc
On Mon, Dec 24, 2012 at 6:32 AM, Graham Leggett <minfrin(a)sharp.fm> wrote:
On 24 Dec 2012, at 12:52 PM, Vlad <vovan(a)vovan.nl> wrote:
> I don't see the problem. Simply install DS without SSL and then:
> 1. use ldapmodify to import SSL settings (see the example below)
> 2. use pk12util tiu import certificate
> 3. use certutil to change trusts
> All the things above could be done completely unattended…
The problem is that the above shouldn't be necessary, because setup-ds.plhas the INF
file and ConfigFile options to provide the config in one go.
This ConfigFile mechanism is rendered useless, because there is no ability
to configure the certificate database in advance.
Regards,
Graham
--
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
4152
days inactive
4154
days old
389-users@lists.fedoraproject.org
5 comments
3 participants
participants (3)
-
Chun Tat David Chu -
Graham Leggett -
Vlad