Hi Jamie,

thanks for the info. I'm trying to setup SSL now. I'm following the SSL howto posted on the wiki. It seems like it's not totally accurate, I get a failure when importing the ldif's mentioned in the document. Seems like I cannot add the attributes

nsslapd-security and nsslapd-ssl-check-hostname

I think SSL is setup now but I cannot seem to get it working with ldapsearch -zz, I keep getting

ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to negotiate SSL.

I guess I need to point my ldap.conf to the ca certificate for trust, which file is holding the ca certificate? I can however login on port 636 as Directory Manager when using ldapbrowser (http://www.mcs.anl.gov/~gawor/ldap/)

Another question I have wrt password history, it seems like the history entries are all using crypt. I thought they would be using the same encryption as setup for the userpassword (e.g. md5) or is there a particular reason for using crypt?

Thanks again,
Jo
Jo, make sure you are using ldapsearch -x -ZZ (if doing anon binds). Cap Zs.

Also, I couldn't just copy/paste/import the /tmp/ssl_enable.ldif from the wiki. I had to make sure the line nsSSL3Ciphers: has no breaks in it, (basically shift J in vi) otherwise the import fails.

That and make sure you've ssl turned on in /etc/ldap.conf on the client's side.

--- Jo De Troy <jo.de.troy@gmail.com> wrote:

> Hi Jamie,
>
> thanks for the info. I'm trying to setup SSL now. I'm following the SSL
> howto posted on the wiki. It seems like it's not totally accurate, I get a
> failure when importing the ldif's mentioned in the document. Seems like I
> cannot add the attributes
>
> nsslapd-security and nsslapd-ssl-check-hostname
>
> I think SSL is setup now but I cannot seem to get it working with ldapsearch
> -zz, I keep getting
> ldap_start_tls: Connect error (-11)
> additional info: Start TLS request accepted.Server willing to
> negotiate SSL.
> I guess I need to point my ldap.conf to the ca certificate for trust, which
> file is holding the ca certificate? I can however login on port 636 as
> Directory Manager when using ldapbrowser (
> http://www.mcs.anl.gov/~gawor/ldap/)
>
> Another question I have wrt password history, it seems like the history
> entries are all using crypt. I thought they would be using the same
> encryption as setup for the userpassword (e.g. md5) or is there a particular
> reason for using crypt?
>
> Thanks again,
> Jo
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
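An added example, not part of the thread or of the wiki howto: a small Python check for the failure described in the message above, where a copy/pasted LDIF has its nsSSL3Ciphers value broken across lines without the leading space that LDIF requires on a continuation line. The sample LDIF is constructed for illustration and is not the wiki's ssl_enable.ldif; the function name is hypothetical.

```python
import re

# An attribute description followed by ':' starts a new LDIF line
# (covers "attr:", "attr::" and "attr:<").
ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9;.-]*:")


def repair_wrapped_ldif(text):
    """Return (repaired_text, joined_line_numbers).

    A line that is not blank, a comment, a '-' separator, a proper
    continuation (leading space) or an 'attr:' line is treated as the
    tail of a value that copy/paste hard-wrapped, and is appended to
    the previous line. Assumption: the wrapped tail does not itself
    look like 'name:' (true for a comma-separated cipher list).
    """
    out, joined = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        ok = (line == "" or line == "-"
              or line.startswith(("#", " "))
              or ATTR_LINE.match(line) is not None)
        if ok or not out or out[-1] == "":
            out.append(line)           # valid line, or nothing to join to
        else:
            out[-1] += line.strip()    # same effect as joining in an editor
            joined.append(lineno)
    return "\n".join(out) + "\n", joined


# Constructed sample: the cipher value was wrapped by a paste, and the
# second half has no leading space, so an LDIF import would reject it.
SAMPLE = """\
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,
+rsa_3des_sha,+rsa_des_sha
"""

if __name__ == "__main__":
    fixed, joined = repair_wrapped_ldif(SAMPLE)
    print("joined source lines:", joined)
    print(fixed, end="")
```
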
Mark McLoughlin
2006-Jan-09 14:32 UTC
Re: [Fedora-directory-users] password history question
On Mon, 2006-01-09 at 06:11 -0800, Susan wrote:

> Also, I couldn't just copy/paste/import the /tmp/ssl_enable.ldif from the wiki. I had to make
> sure the line nsSSL3Ciphers: has no breaks in it, (basically shift J in vi) otherwise the import
> fails.

FWIW, if you don't set nsSSL3Ciphers, it defaults to the same ciphers which are listed in ssl_enable.ldif ... see:

ldap/servers/slapd/ssl.c:_conf_setciphers()

Cheers,
Mark.