Hi all,
I am currently trying to script the setup of a directory using the ConfigFile entry within an INF file, and so far I've hit a snag.
In order to enable SSL on the directory, first I must use certutil to import the certificate to be used, otherwise the attempt to add the cn=RSA,cn=encryption,cn=config entry fails saying "No such object". If I set up the directory, then manually add the certificates, then manually enable SSL by adding the cn=RSA,cn=encryption,cn=config entry (and various other SSL related configs), it seems to work fine.
Is there some way of getting setup-ds.pl to import a given certificate (p12 file, whatever) when the server is set up, in addition to creating the initial certificate database within /etc/dirsrv/slapd-INSTANCE/?
Regards, Graham --
Obviously the setup-ds.pl script can be modified to import certificate, but I'd prefer installing server without SSL firstly and then use additional script to install certificate(s) and enable SSL for server/admin unattended. Let me know if you need any examples.
Regards, Vlad.
On 23/12/12 22:43, Graham Leggett wrote:
Hi all,
I am currently trying to script the setup of a directory using the ConfigFile entry within an INF file, and so far I've hit a snag.
In order to enable SSL on the directory, first I must use certutil to import the certificate to be used, otherwise the attempt to add the cn=RSA,cn=encryption,cn=config entry fails saying "No such object". If I set up the directory, then manually add the certificates, then manually enable SSL by adding the cn=RSA,cn=encryption,cn=config entry (and various other SSL related configs), it seems to work fine.
Is there some way of getting setup-ds.pl to import a given certificate (p12 file, whatever) when the server is set up, in addition to creating the initial certificate database within /etc/dirsrv/slapd-INSTANCE/?
Regards, Graham --
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
On 24 Dec 2012, at 09:18, Vlad vovan@vovan.nl wrote:
Obviously the setup-ds.pl script can be modified to import certificate, but I'd prefer installing server without SSL firstly and then use additional script to install certificate(s) and enable SSL for server/admin unattended. Let me know if you need any examples.
This is a real pity.
The ConfigFile option is a clean and simple way to load ldif without messing about with trying to script an ldapmodify, which in turn means trying to script a secure way to pass the credentials.
It didn't make any sense that you could preconfigure the directory but not preconfigure the certs, which has to be done before you can preconfigure the ssl directory config. The error you get when trying to add the cn=RSA,cn=encryption,cn=config object when the corresponding cert doesn't exist is "No such object", which implies that cn=encryption,cn=config does not exist, which obviously it does.
Regards, Graham --
I don't see the problem. Simply install DS without SSL and then:
1. use ldapmodify to import SSL settings (see the example below)
2. use pk12util to import certificate
3. use certutil to change trusts
All the things above could be done completely unattended...
Regards, Vlad.
An example of LDIF file for configuring SSL
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,+tls_rsa_aes_128_sha,+tls_rsa_aes_256_sha

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: on
-
replace: nsslapd-secureport
nsslapd-secureport: $sslport

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLToken: internal (software)
nsSSLActivation: on
nsSSLPersonalitySSL: $certname
On 24/12/12 10:03, Graham Leggett wrote:
On 24 Dec 2012, at 09:18, Vlad vovan@vovan.nl wrote:
Obviously the setup-ds.pl script can be modified to import certificate, but I'd prefer installing server without SSL firstly and then use additional script to install certificate(s) and enable SSL for server/admin unattended. Let me know if you need any examples.
This is a real pity.
The ConfigFile option is a clean and simple way to load ldif without messing about with trying to script an ldapmodify, which in turn means trying to script a secure way to pass the credentials.
It didn't make any sense that you could preconfigure the directory but not preconfigure the certs, which has to be done before you can preconfigure the ssl directory config. The error you get when trying to add the cn=RSA,cn=encryption,cn=config object when the corresponding cert doesn't exist is "No such object", which implies that cn=encryption,cn=config does not exist, which obviously it does.
Regards, Graham --
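As an added example (not Vlad's or Graham's code, and not part of 389 DS), here is Vlad's three-step procedure as one unattended shell script, with the certificate import ordered before the LDIF so that adding cn=RSA,cn=encryption,cn=config cannot hit the "No such object" failure Graham describes. It assumes OpenLDAP's ldapmodify (-y reads the bind password from a file), the NSS pk12util/certutil tools, the certificate database under /etc/dirsrv/slapd-INSTANCE and a systemd unit named dirsrv@INSTANCE; the function names and argument layout are mine.

```shell
# Added example, not code from the thread: enable SSL on an already-installed
# 389 DS instance unattended, following Vlad's steps but importing the
# certificate BEFORE the cn=RSA entry is added (the thread reports that add
# fails with "No such object" when the certificate is missing). Assumed:
# OpenLDAP ldapmodify (-y), NSS pk12util/certutil, /etc/dirsrv/slapd-INSTANCE.
set -eu
# Vlad's LDIF with $sslport/$certname substituted. His nsSSL3/nsSSL3Ciphers
# lines are left out so the server keeps its own protocol and cipher defaults;
# "replace" is used throughout so the modify is safe to re-run.
render_ssl_ldif() {
    port="$1"; nick="$2"
    cat <<EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSLClientAuth
nsSSLClientAuth: allowed

dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: on
-
replace: nsslapd-secureport
nsslapd-secureport: $port

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLToken: internal (software)
nsSSLActivation: on
nsSSLPersonalitySSL: $nick
EOF
}
# usage: enable_ssl_unattended INSTANCE SSLPORT NICK SERVER.p12 P12PWFILE NSSDBPWFILE CA.pem DMPWFILE
enable_ssl_unattended() {
    certdir="/etc/dirsrv/slapd-$1"
    pk12util -i "$4" -d "$certdir" -w "$5" -k "$6"                  # 1. import key+cert, passwords read from files
    certutil -A -d "$certdir" -n "CA certificate" -t "CT,," -i "$7" # trust the issuing CA
    certutil -L -d "$certdir" -n "$3" >/dev/null                     # fail early if the nickname is absent
    render_ssl_ldif "$2" "$3" | ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -y "$8"
    systemctl restart "dirsrv@$1"                                    # assumed unit name; reopen on the secure port
}
if [ "${1:-}" = "--run" ]; then shift; enable_ssl_unattended "$@"; fi
```

Passing every secret through a root-only file rather than on the command line is what keeps this runnable from provisioning without exposing the Directory Manager password in the process list.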
On 24 Dec 2012, at 12:52 PM, Vlad vovan@vovan.nl wrote:
I don't see the problem. Simply install DS without SSL and then:
- use ldapmodify to import SSL settings (see the example below)
- use pk12util to import certificate
- use certutil to change trusts
All the things above could be done completely unattended…
The problem is that the above shouldn't be necessary, because setup-ds.pl has the INF file and ConfigFile options to provide the config in one go. This ConfigFile mechanism is rendered useless, because there is no ability to configure the certificate database in advance.
Regards, Graham --
Hi Graham,
I too haven't enabled SSL using setup-ds.pl, and I don't believe setup-ds.pl was written to allow you to configure SSL as part of directory server initial setup.
Of course you can modify setup-ds.pl per your need to configure SSL in one shot but now you will be maintaining your own version of setup-ds.pl and you have to keep in sync with the latest setup-ds.pl if you decide to reinstall the LDAP with the latest version or for other reasons.
What I have been doing is similar to what Vlad suggested. I ran setup-ds.pl first and then ran my own script to configure SSL and replication. I believe the Red Hat Directory Server Administration has instructions on how to configure SSL via command-line.
Good luck!
- dc
On Mon, Dec 24, 2012 at 6:32 AM, Graham Leggett minfrin@sharp.fm wrote:
On 24 Dec 2012, at 12:52 PM, Vlad vovan@vovan.nl wrote:
I don't see the problem. Simply install DS without SSL and then:
- use ldapmodify to import SSL settings (see the example below)
- use pk12util to import certificate
- use certutil to change trusts
All the things above could be done completely unattended…
The problem is that the above shouldn't be necessary, because setup-ds.pl has the INF file and ConfigFile options to provide the config in one go. This ConfigFile mechanism is rendered useless, because there is no ability to configure the certificate database in advance.
Regards, Graham --