Jeff Moody wrote:
> I'm trying to set up two 389 Directory Services servers in a replication
> scenario. I can do this quite easily without any SSL/TLS setup.
>
> In an effort to improve the security of our environment, I would like to get
> TLS configured so that this replication (and all LDAP authentication
> attempts) are encrypted.
>
> Using the scripts provided at
> http://directory.fedoraproject.org/wiki/Howto:SSL I can get one server using
> SSL; however, when I try to establish the cross-server communication, the
> SSL/TLS keys appear to fall apart.
> My understanding from the logs on the systems is that the two servers
> (FDSMEM1 and FDSMEM2) do not have a common CA, and so their server certs
> do not trust each other.
>
> So, I have set up TinyCA and created a CA cert from a third server. I have
> generated manual cert requests on the two LDAP servers (after registering the
> CA cert) and generated the certificates. Replication appears to be working
> through TLS.
>
> Now, the problem I am having.
>
> When I run the 'certutil -L -d . -n "CA certificate" -a > cacert.asc' command
> I get a cacert.asc. When I deploy this cacert.asc to my LDAP clients as the
> key for TLS to start, though, it appears that something isn't handshaking
> well and I am never able to query the LDAP server from a client.
>
> Has anyone gotten a 389DS system (or pair of systems) fully working with
> certs managed & created by TinyCA2? If so, what are the gotchas that I must
> be missing to get this working? Would anyone be willing to help me write a
> HOWTO on getting this working so that it would be outlined more effectively
> for newer users?
>

I'm not sure what's going on with your setup. I do know that, in order for an SSL client to talk to an SSL server, the SSL client needs the CA cert of the CA that issued the SSL server's cert.
There is some information about TinyCA2 here - http://directory.fedoraproject.org/wiki/Howto:WindowsSync#With_TinyCA2 - don't know how accurate it is, or how applicable it is to your situation.

> Thanks.
>
> --
> Jeff Moody
> Senior Systems Engineer
> Electronic Vaulting Services
> 5050 Poplar Ave., Suite 1600
> Memphis, TN 38157
> (901) 259-2387 - 24x7 Helpdesk
> (901) 213-5146 - Office
> (901) 497-1444 - Mobile
>
>
>
> --
> 389 users mailing list
> 389-us...@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
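Before pushing the exported cacert.asc out to LDAP clients, the check worth running is whether that file really is the CA that issued each server's certificate; the script below does that with openssl. It is an added example, not code from the thread or from the 389 project, and assumes openssl is installed and that the file names are placeholders for your own exported CA cert and server cert.

```shell
#!/bin/sh
# Added example: verify that an exported CA cert (e.g. cacert.asc, produced
# on the server with: certutil -L -d . -n "CA certificate" -a > cacert.asc)
# is the issuer of a 389DS server certificate, as a TLS client would check.
# Assumes openssl is on PATH; file names are placeholders.
set -u

# Issuer DN of a PEM certificate, one line, without the "issuer=" prefix.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# Subject DN of a PEM certificate, one line, without the "subject=" prefix.
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# Return 0 when the server cert chains to the CA in $1, which is the same
# path-building a TLS client performs when handed that CA file; on failure
# print the issuer/subject pair so a CA mismatch is visible at a glance.
check_ca_trust() {
    ca_file=$1
    server_cert=$2
    if openssl verify -CAfile "$ca_file" "$server_cert" >/dev/null 2>&1; then
        echo "OK: $server_cert chains to the CA in $ca_file"
        return 0
    fi
    echo "FAIL: $server_cert does not chain to $ca_file" >&2
    echo "  server cert issuer : $(cert_issuer "$server_cert")" >&2
    echo "  CA cert subject    : $(cert_subject "$ca_file")" >&2
    return 1
}

# Typical use, with placeholder paths:
#   check_ca_trust /path/to/cacert.asc /path/to/fdsmem1-server-cert.pem
# Only once this passes is it worth pointing the client at the file (for
# OpenLDAP clients, TLS_CACERT in ldap.conf) and testing with ldapsearch -ZZ.
```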