Howard Chu
2007-Dec-05 15:06 UTC
[Fedora-directory-users] Re: problem with cert for ssl on RHAS5
> Date: Wed, 5 Dec 2007 15:37:53 +1300
> From: "Steven Jones" <Steven.Jones@vuw.ac.nz>
> Is there a way to search the list archives for topics?
>
> Such as say,
>
> "ldap_start_tls: Connect error (-11)
> additional info: TLS: hostname does not match CN in peer
> certificate"

Since the above message comes from the OpenLDAP tools/library, you'd have better luck searching the OpenLDAP archives. www.openldap.org.

>
> So what did I do wrong?
> ----
> probably should only use uri and not host in /etc/openldap/ldap.conf
>
> yep, I can take that out....
>
> And it's clear that
>
> ldap.vuw.ac.nz != cn=vuwunicvfdsm001.vuw.ac.nz (certificate)
>
> Sorry I fail to see it as that clear (until now you explain it anyway!)
>
> ....Working through the FDS/RDS documentation I seem to have failed to
> notice that it clearly (if at all???) explains what cn= should equal or
> indeed the setting in the ldap.conf needs to be the same....in terms of
> DNS they do equal as ldap is a CNAME of vuwunicvfdsm001....

This is explained in the OpenLDAP Admin Guide.
http://www.openldap.org/doc/admin24/tls.html#TLS%20Certificates

>
> The advantage of using a CNAME is I can upgrade the system and to a
> simple CNAME change to replace the servers....

RFC2830 explicitly forbids clients from talking to a DNS server to verify the server name. Therefore most clients would be unable to dereference a CNAME. RFC4513 relaxes this constraint, and permits a client to use secure hostname services (e.g. DNSSEC), but in practice there are no standard APIs to select or control these services, so the RFC2830 constraint is still in force - the hostname provided by the client must be used directly, without any other mapping, in comparisons to the names in the server certificate.

But as already mentioned, you can include arbitrarily many subjectAltName extensions in the certificate to provide aliases and domain wildcards.

> Date: Tue, 04 Dec 2007 20:42:25 -0700
> From: Craig White <craigwhite@azapple.com>
> Lastly, you probably can add to both /etc/ldap.conf
> and /etc/openldap/ldap.conf
>
> ssl start_tls
>
> and it should automatically use tls...

No. That's only legal for PADL's pam_ldap and nss_ldap. There is no equivalent option for OpenLDAP's libldap because that is not a library-level issue, it's application level. /etc/openldap/ldap.conf is only for library default settings. There is no configuration file for client tool defaults.

> Date: Tue, 04 Dec 2007 20:05:25 -0800
> From: Satish Chetty <satish@suburbia.org.au>
> > I am trying to do a ldapsearch with ssl enabled....and I get this error,
>
> You can also try ldapsearch that comes with FDS (without -x option)
>
> Also, if you want only encryption and not host identification, use
> 'tls_checkpeer no' in your ldap.conf

That is also only valid for pam_ldap and nss_ldap. In OpenLDAP that's what the "TLS_REQCERT never" option is for, but in the versions of OpenLDAP that RedHat ships, that are typically 3-5 years obsolete, that option doesn't quite work as expected. I.e., the hostname check is performed regardless of the setting of TLS_REQCERT.

--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
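The strict peer-name comparison Howard describes, as an added example (not code from this thread, from OpenLDAP or from FDS): the hostname the client was given is compared literally against the certificate's names with no DNS lookup, so the CNAME ldap.vuw.ac.nz is not satisfied by a CN of vuwunicvfdsm001.vuw.ac.nz until the alias is added as a subjectAltName. The certificate dicts are constructed, and the wildcard rules (leftmost label only, exactly one label) are assumptions modelled on common client-library behaviour.

```python
"""Strict TLS peer-name check as an LDAP client library has to do it:
the name the client was told to connect to is compared literally with
the names in the server certificate. No DNS lookup happens, so a CNAME
alias never satisfies the check by itself."""


def name_matches(reference, hostname):
    """True if certificate name `reference` covers `hostname`.
    Case-insensitive; a trailing dot is ignored; "*" may stand for
    exactly one whole label and only in the leftmost position
    (assumed rules, mirroring common client-library behaviour)."""
    ref = reference.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(ref) != len(host):
        return False          # "*.vuw.ac.nz" does not cover "a.b.vuw.ac.nz"
    if "*" in ref[1:]:
        return False          # wildcard only in the leftmost label
    if ref[0] == "*" and len(ref) < 3:
        return False          # refuse over-broad "*.nz"-style wildcards
    return all(r == "*" or r == h for r, h in zip(ref, host))


def check_peer(hostname, cert):
    """cert is a constructed dict {"cn": str, "san": [dns names]}.
    subjectAltName entries are tried first; the CN is only the legacy
    fallback when the certificate carries no SAN at all.
    Returns (matched, matching_name)."""
    names = cert["san"] if cert["san"] else [cert["cn"]]
    for name in names:
        if name_matches(name, hostname):
            return True, name
    return False, None


# Constructed certificates mirroring the thread: the client was given the
# CNAME "ldap.vuw.ac.nz", but the cert's CN is the real host name.
OLD_CERT = {"cn": "vuwunicvfdsm001.vuw.ac.nz", "san": []}
# The fix Howard describes: add the alias as a subjectAltName.
NEW_CERT = {"cn": "vuwunicvfdsm001.vuw.ac.nz",
            "san": ["vuwunicvfdsm001.vuw.ac.nz", "ldap.vuw.ac.nz"]}

if __name__ == "__main__":
    for label, cert in (("old cert", OLD_CERT), ("new cert", NEW_CERT)):
        ok, via = check_peer("ldap.vuw.ac.nz", cert)
        print(label, "matched via %s" % via if ok else
              "TLS: hostname does not match CN in peer certificate")
```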
Steven Jones
2007-Dec-17 01:40 UTC
[Fedora-directory-users] Looking for document on setting up a slave LDAP server off a single master.
Hi

Does anyone know of document(s) that have readable information on how to make a slave off a single master?

Something with pictures of the gui interface (where appropriate) with step by step instructions.....looking for something that is an improvement over the rds manual....

Things like section 2a "......and create an entry" don't help much....the q is, what sort of "entry".....what does it look like....(and this is just the first page)....

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Rich Megginson
2007-Dec-17 19:39 UTC
Re: [Fedora-directory-users] Looking for document on setting up a slave LDAP server off a single master.
Steven Jones wrote:
> Hi
>
> Does anyone know of document(s) that have readable information on how to
> make a slave off a single master?
>
> Something with pictures of the gui interface (where appropriate) with
> step by step instructions.....looking for something that is an
> improvement over the rds manual....
>
Not afaik - the 8.0 documentation is a little better - http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Configuring_Single_Master_Replication-Configuring_the_Read_Only_Replica_on_the_Consumer_Server.html

> Things like section 2a "......and create an entry" don't help
> much....the q is, what sort of "entry".....what does it look
> like....(and this is just the first page)....
>
. . . so since there is not better documentation, afaik, your best bet will be to ask questions here.

1) You can create a New->User or a New->Other... and select person from the list of objectclasses. The latter is simpler because the former will force you to use a DN of uid=rmanager or something like that unless you do the magic to change the RDN.

> regards
>
> Steven Jones
> Senior Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
Steven Jones
2007-Dec-18 20:10 UTC
RE: [Fedora-directory-users] Looking for document on setting up a slave LDAP server off a single master.
Hi,

Yes 8.0 is better, google is my friend....I created the right object manually by editing the dse.ldif....at least I think I have...then I went back in and looked at the filled in fields of the gui for the new user/object (and set a password then so its hashed)....still working through the process and making notes....

Thanks

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

-----Original Message-----
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Rich Megginson
Sent: Tuesday, 18 December 2007 8:40 a.m.
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Looking for document on setting up a slave LDAP server off a single master.

Steven Jones wrote:
> Hi
>
> Does anyone know of document(s) that have readable information on how to
> make a slave off a single master?
>
> Something with pictures of the gui interface (where appropriate) with
> step by step instructions.....looking for something that is an
> improvement over the rds manual....
>
Not afaik - the 8.0 documentation is a little better - http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Configuring_Single_Master_Replication-Configuring_the_Read_Only_Replica_on_the_Consumer_Server.html

> Things like section 2a "......and create an entry" don't help
> much....the q is, what sort of "entry".....what does it look
> like....(and this is just the first page)....
>
. . . so since there is not better documentation, afaik, your best bet will be to ask questions here.

1) You can create a New->User or a New->Other... and select person from the list of objectclasses. The latter is simpler because the former will force you to use a DN of uid=rmanager or something like that unless you do the magic to change the RDN.

> regards
>
> Steven Jones
> Senior Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
>
dandantheitman
2007-Dec-18 22:49 UTC
Re: [Fedora-directory-users] Looking for document on setting up a slave LDAP server off a single master.
On 18/12/2007, Steven Jones <Steven.Jones@vuw.ac.nz> wrote:
<snip>
> From: fedora-directory-users-bounces@redhat.com
> [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Rich
> Megginson
> Sent: Tuesday, 18 December 2007 8:40 a.m.
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Looking for document on setting up
> a slave LDAP server off a single master.
>
> Steven Jones wrote:
> > Hi
> >
> > Does anyone know of document(s) that have readable information on how
> to
> > make a slave off a single master?
> >
> > Something with pictures of the gui interface (where appropriate) with
> > step by step instructions.....looking for something that is an
> > improvement over the rds manual....
> >
<snip>

Hi Steven,

Are you adding a Red Hat box as the slave to the master? If so you need to do the following:

(1) Copy your certificates into /etc/openldap/cacerts/

(2) Run authconfig: check the "Cache Information" and "Use LDAP" boxes under User Information and "Use LDAP Authentication" and "Local authorization is sufficient" under Authentication, then hit Next.

(3) On the LDAP Settings screen, check "Use TLS" and enter the LDAP server here (blah.blah.xyz.com) and Base DN (dc=corp,dc=xyzcompany,dc=com).

Dan

--
_____________________________________________________________
"They that can give up liberty to obtain a little temporary safety deserve neither liberty nor safety." Benjamin Franklin 1706 - 1790
Steven Jones
2008-Jan-15 00:34 UTC
[Fedora-directory-users] Restarting fds on a new IP address
Hi,

I have just restarted the fds server on its new production subnet and now the fds console (admin server) cannot be connected to....

What do I have to do to get it to run on the new IP?

From the error logs I have,
========
[15/Jan/2008:13:25:35 +1300] - Fedora-Directory/1.0.4 B2006.312.435 starting up
[15/Jan/2008:13:25:35 +1300] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[15/Jan/2008:13:25:35 +1300] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[15/Jan/2008:13:25:35 +1300] - Failed to initialize cipher AES in attrcrypt_init
[15/Jan/2008:13:25:35 +1300] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[15/Jan/2008:13:25:35 +1300] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[15/Jan/2008:13:25:35 +1300] - Failed to initialize cipher AES in attrcrypt_init
[15/Jan/2008:13:25:35 +1300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[15/Jan/2008:13:25:35 +1300] - Listening on All Interfaces port 636 for LDAPS requests
=======

regards

Steven Jones
Steven Jones
2008-Jan-15 00:50 UTC
RE: [Fedora-directory-users] Restarting fds on a new IP address
Scratch that....iptables blocking :/

Doh

regards

Steven Jones

-----Original Message-----
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Steven Jones
Sent: Tuesday, 15 January 2008 1:35 p.m.
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] Restarting fds on a new IP address

Hi,

I have just restarted the fds server on its new production subnet and now the fds console (admin server) cannot be connected to....

What do I have to do to get it to run on the new IP?

From the error logs I have,
========
[15/Jan/2008:13:25:35 +1300] - Fedora-Directory/1.0.4 B2006.312.435 starting up
[15/Jan/2008:13:25:35 +1300] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[15/Jan/2008:13:25:35 +1300] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[15/Jan/2008:13:25:35 +1300] - Failed to initialize cipher AES in attrcrypt_init
[15/Jan/2008:13:25:35 +1300] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[15/Jan/2008:13:25:35 +1300] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[15/Jan/2008:13:25:35 +1300] - Failed to initialize cipher AES in attrcrypt_init
[15/Jan/2008:13:25:35 +1300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[15/Jan/2008:13:25:35 +1300] - Listening on All Interfaces port 636 for LDAPS requests
=======

regards

Steven Jones
Steven Jones
2008-Jan-15 20:55 UTC
RE: [Fedora-directory-users] Restarting fds on a new IP address
Trying to set a replication agreement....

"4. On the next screen, fill in the consumer hostname and port. Unless you have more than one instance of Directory Server configured, by default, there are no consumers available in the drop-down menu.

Also, select the bind method for replication. If you have enabled SSL on your servers, you may select "Using encrypted SSL connection" radio button and use SSL client authentication. Otherwise, fill in the supplier bind DN and password."

What is the supplier bind DN? (and the syntax)

regards

Steven Jones
Rich Megginson
2008-Jan-15 21:05 UTC
Re: [Fedora-directory-users] Restarting fds on a new IP address
Steven Jones wrote:
> Trying to set a replication agreement....
>
> " 4. On the next screen, fill in the consumer hostname and port.
> Unless you have more than one instance of Directory Server configured,
> by default, there are no consumers available in the drop-down menu.
>
> Also, select the bind method for replication. If you have enabled SSL on
> your servers, you may select "Using encrypted SSL connection" radio
> button and use SSL client authentication. Otherwise, fill in the
> supplier bind DN and password."
>
> What is the supplier bind DN? (and the syntax)
>
The syntax is standard DN syntax e.g. cn=Replication Manager, cn=config

See -
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Replication_Overview-Replication_Identity.html
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Configuring_Single_Master_Replication-Configuring_the_Read_Only_Replica_on_the_Consumer_Server.html
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Creating_the_Supplier_Bind_DN_Entry.html

> regards
>
> Steven Jones
>
Steven Jones
2008-Jan-15 21:52 UTC
RE: [Fedora-directory-users] Restarting fds on a new IP address
> What is the supplier bind DN? (and the syntax)
>
> The syntax is standard DN syntax e.g. cn=Replication Manager, cn=config
>
> See -
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Replication_Overview-Replication_Identity.html

Neat all I could find was 7.1, this 8.0 documentation is a huge improvement....

regards

Steven Jones