Hi Susan,

yes it is. Below you can see my /etc/openldap/ldap.conf

#
HOST ldapserver
BASE dc=example,dc=com
TLS_REQCERT allow
TLS_CACERT /etc/openldap/cacerts/cacert

The openssl command Mark pointed to works fine. From that output I grabbed the CA cert and stored it in the file I'm referencing in the /etc/openldap/ldap.conf.

I'm wondering if the certificate I created is correct. Should the cn in the certificate have the hostname as value? I guess it should, or not?

Thanks again,
Jo
Mark McLoughlin
2006-Jan-10 08:20 UTC
Re: [Fedora-directory-users] password history question
On Mon, 2006-01-09 at 20:56 +0100, Jo De Troy wrote:
> Hi Susan,
>
> yes it is. Below you can see my /etc/openldap/ldap.conf
> #
> HOST ldapserver
> BASE dc=example,dc=com
> TLS_REQCERT allow
> TLS_CACERT /etc/openldap/cacerts/cacert
>
> The openssl command Mark pointed to works fine. From that output I
> grabbed the CAcert and stored it the file I'm referencing in
> the /etc/openldap/ldap.conf

What's "ldapsearch -d 10" saying?

> I'm wondering if the certificate I created is correct. Should the cn
> in the certificate have the hostname as value? I guess it should or
> not?

In order for ldapsearch to verify the certificate, you need to contact the ldap server with the same hostname which is specified in the certificate. You can do that by making the subject of the cert "ldapserver.foo.com" or (I think, but haven't tried) by setting the subjectAltName extension to something like:

  subjectAltName = DNS:ldapserver.foo.com,IP:135.208.5.2

In which case you could contact it with either the subject name or the alternative subject names.

Cheers,
Mark.
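The hostname check Mark describes is the part of TLS verification that most often fails in this setup, so here is an added illustration of the rule (not code from the thread or from Fedora Directory Server): a small matcher that takes a certificate in the dict shape Python's ssl.getpeercert() returns and decides whether a given hostname or IP is acceptable. It applies the usual OpenSSL-style rules: if the cert has a subjectAltName, only the SAN entries count and the CN is ignored; with no SAN at all, the CN is used. The two certificates and the name ldapserver.foo.com / IP 135.208.5.2 are constructed from the values in the thread.

```python
import ipaddress

# Constructed sample certificates (made up for this example) in the dict
# shape that Python's ssl.SSLSocket.getpeercert() returns.
CERT_CN_ONLY = {
    "subject": ((("commonName", "ldapserver.foo.com"),),),
}
CERT_WITH_SAN = {
    "subject": ((("commonName", "ldapserver.foo.com"),),),
    "subjectAltName": (
        ("DNS", "ldapserver.foo.com"),
        ("DNS", "ldapserver"),
        ("IP Address", "135.208.5.2"),
    ),
}


def _dns_name_matches(pattern, hostname):
    """Case-insensitive DNS name match. A single '*' is accepted only as the
    whole leftmost label, so *.foo.com matches ldapserver.foo.com but not
    foo.com or a.b.foo.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(h_labels) > 1 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def _common_name(cert):
    """Extract the subject commonName from the getpeercert()-style dict."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def cert_matches_host(cert, host):
    """Return True if 'host' (DNS name or IP literal) is acceptable for 'cert'.

    If the certificate carries a subjectAltName, only its DNS / IP Address
    entries are consulted and the CN is ignored. Without any SAN, the CN is
    matched as a DNS name. An IP literal never matches a CN."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a DNS name, not an IP literal

    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if ip is not None and kind == "IP Address":
                if ipaddress.ip_address(value) == ip:
                    return True
            elif ip is None and kind == "DNS":
                if _dns_name_matches(value, host):
                    return True
        return False

    cn = _common_name(cert)
    if cn is None or ip is not None:
        return False
    return _dns_name_matches(cn, host)


if __name__ == "__main__":
    # Shows why "HOST ldapserver" fails against a CN-only cert for
    # ldapserver.foo.com, and why the SAN variant accepts all three names.
    for label, cert in (("CN-only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN)):
        for host in ("ldapserver.foo.com", "ldapserver", "135.208.5.2"):
            print(f"{label:9} {host:20} -> {cert_matches_host(cert, host)}")
```

With the CN-only certificate, the short name "ldapserver" from Jo's ldap.conf HOST line is rejected; the cert with subjectAltName accepts the FQDN, the short name and the IP, which is exactly the flexibility Mark is after. A client that sets TLS_REQCERT to "allow" will still connect when this check fails, so a failing match is only visible in the debug output ("ldapsearch -d 10"), not as a refused connection.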
Hi. Quick question, where in the tree do I stick posixGroups?

For now, I'll be authenticating linux machines only, so every uid=gid. Should I create an OU called Groups or something and put all the groups in there? Or have a uid under gid or what? How do you guys do it?
Mike Jackson
2006-Jan-10 20:32 UTC
Re: [Fedora-directory-users] posixGroup location best practices
Susan wrote:
> Hi. Quick question, where in the tree do I stick posixGroups?
>
> For now, I'll be authenticating linux machines only, so every uid=gid. Should I create a OU
> called Groups or something and put all the groups in there? Or have a uid under gid or what? How
> do you guys do it?

Sure, just create some OU entry and put the group entries under that. That's the usual way. The reason for grouping them together is in case you want to restrict your search base, for efficiency and performance - not that it matters much in small setups.

BR,
Mike
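As an added illustration of Mike's layout (not from the thread or from any project's code), the following script renders an ou=Groups container plus one posixGroup entry per group as LDIF, refusing duplicate gidNumber or cn values since NSS lookups need both to be unique, and prints the nss_ldap ldap.conf line that narrows group lookups to that OU. The base DN dc=example,dc=com is taken from Jo's ldap.conf; the group names, gids and members are constructed sample data, and the uid=gid private groups mirror Susan's "every uid=gid" plan.

```python
BASE_DN = "dc=example,dc=com"
GROUPS_OU = "Groups"

# Constructed sample data: (group name, gidNumber, member uids).
# The first two are per-user private groups where gid equals the user's uid.
SAMPLE_GROUPS = [
    ("susan", 1001, ["susan"]),
    ("jo", 1002, ["jo"]),
    ("developers", 2000, ["susan", "jo"]),
]

# Characters that would need escaping inside an RDN value; rejected here
# so the generated DNs stay valid without an escaping routine.
_DN_SPECIAL = set(',+"\\<>;=#')


def groups_ou_dn():
    """DN of the container that holds every posixGroup entry."""
    return f"ou={GROUPS_OU},{BASE_DN}"


def build_group_ldif(groups):
    """Render the OU and one posixGroup entry per group as an LDIF string.

    Raises ValueError on a duplicate gidNumber or cn, or on a name that
    would need DN escaping."""
    seen_gids, seen_names = set(), set()
    entries = [
        "\n".join([
            f"dn: {groups_ou_dn()}",
            "objectClass: top",
            "objectClass: organizationalUnit",
            f"ou: {GROUPS_OU}",
        ]) + "\n"
    ]
    for name, gid, members in groups:
        if _DN_SPECIAL & set(name) or not name.strip():
            raise ValueError(f"group name {name!r} is not usable as an RDN value")
        if name in seen_names:
            raise ValueError(f"duplicate group name {name!r}")
        if gid in seen_gids:
            raise ValueError(f"duplicate gidNumber {gid} for group {name!r}")
        seen_names.add(name)
        seen_gids.add(gid)
        lines = [
            f"dn: cn={name},{groups_ou_dn()}",
            "objectClass: top",
            "objectClass: posixGroup",
            f"cn: {name}",
            f"gidNumber: {gid}",
        ] + [f"memberUid: {m}" for m in members]
        entries.append("\n".join(lines) + "\n")
    return "\n".join(entries)


def nss_ldap_group_base(scope="one"):
    """nss_ldap setting that restricts group lookups to the Groups OU, which is
    the search-base point Mike makes; '?one' searches direct children only."""
    return f"nss_base_group {groups_ou_dn()}?{scope}"


if __name__ == "__main__":
    print(build_group_ldif(SAMPLE_GROUPS))
    print("# add to the client's nss_ldap configuration:")
    print(nss_ldap_group_base())
```

The generated LDIF can be loaded with ldapadd; the nss_base_group line is what turns the OU layout into the performance benefit Mike mentions, because group resolution then searches one small subtree instead of the whole directory.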
--- Mark McLoughlin <markmc@redhat.com> wrote:
> On Mon, 2006-01-09 at 20:56 +0100, Jo De Troy wrote:
> > Hi Susan,
> >
> > yes it is. Below you can see my /etc/openldap/ldap.conf
> > #
> > HOST ldapserver
> > BASE dc=example,dc=com
> > TLS_REQCERT allow
> > TLS_CACERT /etc/openldap/cacerts/cacert
> >
> > The openssl command Mark pointed to works fine. From that output I
> > grabbed the CAcert and stored it the file I'm referencing in
> > the /etc/openldap/ldap.conf

you only need the cert if you are doing client-based certificate authentication. Is that what you want? If all you need is server-based, then there's no need to put certs on the clients.