<lambam80@hotmail.com>
2009-May-12 11:56 UTC
[389-users] PAM-LDAP LDAPS (Linux Login) with PAM-LDAP using a client certificate
Hello everybody and, firstly, thanks for your continued support.
I hope I've used the correct expression/jargon, ie: PAM-LDAP ?
PAM-LDAP works with LDAPS and binding with cn=Directory Manager/password
hardcoded in /etc/ldap.conf - great stuff.
This was configured using the GUI
'/usr/sbin/system-config-authentication' - also great stuff !
Symbolic Link pointing to the CA certificate: Q1. I've searched the web
but cannot find what purpose the symbolic link serves.
----------------------------------------
# ls -toalr /etc/openldap/cacerts
-rw-r--r-- 1 root 1464 2009-03-10 12:21 authconfig_downloaded.pem
lrwxrwxrwx 1 root 25 2009-03-10 12:21 123a856c.0 -> authconfig_downloaded.pem
Client Certificate etc.
--------------------------
I'm now experimenting with client certificates and have found the
following link:
http://lists.fini.net/pipermail/ldap-interop/2005-April/000421.html
and see the following example lines for the file /etc/ldap.conf:
tls_cert /usr/share/ssl/certs/ldap.pem ($FN.pem in my case)
tls_key /usr/share/ssl/certs/ldap.key.pem ($FN.key for me)
Q2. ldap.key.pem: Is this file simply the $FN.key file created by the following
command ?
Will I have trouble if I specify '-passout' ? I assume it
protects the file $FN.key.
How will PAM-LDAP open the keystore if I have used a password ?
openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -passout
pass:<password> 0<< EOF >/dev/null 2>&1
<SNIP>
Q3. ldap.pem: Is this file simply the $FN.pem file created by the following
command ?
openssl ca -in ${FN}.csr -out ${FN}.pem -days 7300 -keyfile
$DIR/demoCA/private/cakey.pem \
-cert $DIR/demoCA/cacert.pem \
-passin pass:<CA PASSWORD> << EOF2 >/dev/null 2>&1
<SNIP>
Thanks again, cdlt,
-----------
<lambam80@hotmail.com>
2009-May-12 14:20 UTC
[389-users] Part 2: PAM-LDAP LDAPS (Linux Login) with PAM-LDAP using a client certificate
Further information for Q2: It looks like '-passout pass:<password>' is
mandatory, regardless:
+ openssl req -newkey rsa:1024 -keyout /root/tools/ssl/misc/output/X9999990.key
-out /root/tools/ssl/misc/output/X9999990.csr -days 7300
<SNIP>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
...
Like I say, any help would be greatly appreciated !
Cdlt,
---------
Rich Megginson
2009-May-12 15:31 UTC
Re: [389-users] PAM-LDAP LDAPS (Linux Login) with PAM-LDAP using a client certificate
lambam80@hotmail.com wrote:
> Hello everybody and, firstly, thanks for your continued support.
>
> I hope I've used the correct expression/jargon, ie: PAM-LDAP ?
>
> PAM-LDAP works with LDAPS and binding with cn=Directory
> Manager/password hardcoded in /etc/ldap.conf - great stuff.
Except for the fact that you have the directory manager clear text
password hardcoded in ldap.conf :-(
> This was configured using the GUI
> '/usr/sbin/system-config-authentication' - also great stuff !
>
> Symbolic Link pointing to the CA certificate: Q1. I've searched the
> web but cannot find what purpose the symbolic link serves.
> ----------------------------------------
>
> # ls -toalr /etc/openldap/cacerts
> -rw-r--r-- 1 root 1464 2009-03-10 12:21 authconfig_downloaded.pem
> lrwxrwxrwx 1 root 25 2009-03-10 12:21 123a856c.0 ->
> authconfig_downloaded.pem
>
> Client Certificate etc.
> --------------------------
> I'm now experimenting with client certificates and have found the
> following link:
>
> http://lists.fini.net/pipermail/ldap-interop/2005-April/000421.html
>
> and see the following example lines for the file /etc/ldap.conf:
> tls_cert /usr/share/ssl/certs/ldap.pem ($FN.pem in my case)
> tls_key /usr/share/ssl/certs/ldap.key.pem ($FN.key for me)
>
> Q2. ldap.key.pem: Is this file simply the $FN.key file created by the
> following command ?
> Will I have trouble if I specify '-passout' ? I assume it protects the
> file $FN.key.
> How will PAM-LDAP open the keystore if I have used a password ?
It probably won't, unless you either hardcode the clear text password,
or simply have no key password.
>
> openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -passout
> pass:<password> 0<< EOF >/dev/null 2>&1
> <SNIP>
>
> Q3. ldap.pem: Is this file simply the $FN.pem file created by the
> following command ?
>
> openssl ca -in ${FN}.csr -out ${FN}.pem -days 7300 -keyfile
> $DIR/demoCA/private/cakey.pem \
> -cert $DIR/demoCA/cacert.pem \
> -passin pass:<CA PASSWORD> << EOF2 >/dev/null 2>&1
> <SNIP>
>
> Thanks again, cdlt,
> -----------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
<lambam80@hotmail.com>
2009-May-13 09:39 UTC
RE: [389-users] PAM-LDAP LDAPS Where (in /etc/ldap.conf) to hardcode the keyfile-password (which name=value pair) ?
Rich, hello and, as ever, thanks for the helpful reply. One very quick
question and a quick technote 'for the record'.
< You write, '... It probably won't, unless you either
hardcode the clear text password ...'
Q1: Hardcode where ? Is there an attribute in /etc/ldap.conf specifically for
the keyfile password ?
< You write, '... or simply have no key password ...'
For the record, I reckon I need the '-noDES' option if I
don't want a key file password:
openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -days 7300 -nodes
<<EOF
...
EOF
For reference: http://www.openssl.org/docs/apps/req.html#
I'll let you all know if my PAM-LDAP Linux login works when using
client-certificates for binding to LDAP.
Thanks again,
-----
Rich Megginson
2009-May-13 15:31 UTC
Re: [389-users] PAM-LDAP LDAPS Where (in /etc/ldap.conf) to hardcode the keyfile-password (which name=value pair) ?
lambam80@hotmail.com wrote:
> Rich, hello and, as ever, thanks for the helpful reply. One very quick
> question and a quick technote 'for the record'.
>
> < You write, '... It probably won't, unless you either hardcode the
> clear text password ...'
>
> Q1: Hardcode where ? Is there an attribute in /etc/ldap.conf
> specifically for the keyfile password ?
I have no idea - all I know is that if you need a password to unlock the
private key, you need to store it somewhere.
>
> < You write, '... or simply have no key password ...'
>
> For the record, I reckon I need the '-noDES' option if I don't want a
> key file password:
>
> openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -days
> 7300 -nodes <<EOF
> ...
> EOF
>
> For reference: http://www.openssl.org/docs/apps/req.html#
>
> I'll let you all know if my PAM-LDAP Linux login works when using
> client-certificates for binding to LDAP.
Ok.
>
> Thanks again,
> -----
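Editor's note, added to this thread and not part of any poster's message: the script below answers the two open questions with a throwaway PKI. Q1 (the 123a856c.0 symlink): OpenSSL's directory lookup, which is what tls_cacertdir / -CApath use, opens CA files by <subject-hash>.<n>, not by their .pem name, so authconfig creates that link the same way c_rehash does; a cacerts directory holding only the .pem file fails verification, and the same directory passes once the hash link exists. Q2 ('-passout' vs '-nodes'): -nodes ("no DES") writes the key unencrypted, -passout writes it encrypted, and the script shows how to tell the two apart from the PEM header. The CA name, the client names nodes-client and pass-client, the passphrase and the file layout are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway CA + client certs, the hash
# symlink OpenSSL's directory lookup needs, and the -nodes vs -passout check.
# Names, paths and the passphrase are invented for this example only.
set -eu

# Self-signed test CA in $1 (stand-in for demoCA/cacert.pem + cakey.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/ca.key" -out "$1/ca.pem" \
        -subj "/CN=Example Test CA" >/dev/null 2>&1
}

# Client key + CSR, then sign with the test CA (stand-in for 'openssl ca').
# $3 is either "-nodes" (unencrypted key) or "-passout pass:<secret>".
make_client() {
    dir=$1; name=$2; keyopt=$3
    # $keyopt is deliberately unquoted so "-passout pass:x" splits into two words
    openssl req -newkey rsa:2048 $keyopt \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/CN=$name.example.test" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$name.pem" >/dev/null 2>&1
}

# Print yes/no: is the PEM private key in $1 passphrase-protected?
# PKCS#8 files use the ENCRYPTED header; legacy PEM keys carry Proc-Type.
key_is_encrypted() {
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"; then
        echo yes
    else
        echo no
    fi
}

# What c_rehash does for one CA file: copy it into the cacerts dir ($1) and
# add a <subject-hash>.0 symlink. Prints the hash so the caller can check it.
rehash_ca() {
    mkdir -p "$1"
    cp "$2" "$1/authconfig_downloaded.pem"
    hash=$(openssl x509 -hash -noout -in "$2")
    ln -sf authconfig_downloaded.pem "$1/$hash.0"
    echo "$hash"
}

# Print ok/fail: does cert $2 verify against cacerts dir $1 via -CApath?
verify_with_capath() {
    if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

demo() {
    work=$(mktemp -d)
    make_ca "$work"
    make_client "$work" nodes-client -nodes
    make_client "$work" pass-client "-passout pass:example-only"

    echo "nodes-client.key encrypted: $(key_is_encrypted "$work/nodes-client.key")"
    echo "pass-client.key encrypted:  $(key_is_encrypted "$work/pass-client.key")"

    # Q1: the .pem alone is not enough for a directory lookup ...
    mkdir -p "$work/cacerts"
    cp "$work/ca.pem" "$work/cacerts/authconfig_downloaded.pem"
    echo "verify, .pem only:        $(verify_with_capath "$work/cacerts" "$work/nodes-client.pem")"
    # ... the <hash>.0 link is what makes the CA findable.
    hash=$(rehash_ca "$work/cacerts" "$work/ca.pem")
    echo "verify, with $hash.0: $(verify_with_capath "$work/cacerts" "$work/nodes-client.pem")"

    # An unencrypted key is protected only by file permissions: lock it down.
    chmod 0600 "$work/nodes-client.key"
    rm -rf "$work"
}

demo
```

Two caveats for anyone reproducing the 2009 setup. The hash name depends on the OpenSSL version: 0.9.8 (which produced 123a856c.0 here) used an older subject-hash algorithm, OpenSSL 1.0.0 and later use a new one, and `openssl x509 -subject_hash_old` or `c_rehash` / `openssl rehash` will emit the old-style link when both are needed. Second, the ldap.conf side: `tls_cert` and `tls_key` from the thread would point at nodes-client.pem and nodes-client.key, and `tls_cacertdir` at the rehashed directory; libldap loads the key file without any passphrase prompt, which is why Rich's advice amounts to an unencrypted key (hence the 0600 above). On his other point, the clear text Directory Manager password: pam_ldap's `rootbinddn` reads its password from /etc/ldap.secret (root-only, mode 0600) instead of the world-readable ldap.conf, and a dedicated low-privilege bind account is the better choice than Directory Manager in any case.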