[Fedora-directory-users] (no subject)

George Holbert gholbert at broadcom.com
Fri Dec 5 19:56:12 UTC 2008


Chavez, James R. wrote:
> Hello again, Thanks for the reply. 
> My Solaris 10 and 8 clients are working against SSL now, thanks!
> For my Linux clients I am trying to follow the FDS wiki: How
> to:SSL.
>
> I am having a problem importing the root CA certificate on my Fedora
> boxes. 
> The Howto SSL link says to run this command to import the cacert.asc
> file.
>
> "cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in
> cacert.asc`.0"
>
> However that responds with the below error. Anybody familiar with this
> error?
> Also I see Fedora has the certutil utility, can I use this to import the
> ca root certificate like I did for the Solaris clients?

I believe the nss_ldap and pam_ldap libraries on Fedora use OpenSSL, not 
Mozilla's NSS (of which certutil is a component).
So certutil won't do you any good in this area.

> 'Error opening Certificate cacert.asc
> 2312:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:352:fopen('cacert.asc','r')
> 2312:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:

Try giving an absolute path to cacert.asc... looks like it's just not 
finding that file.
e.g.

"cp /path/to/cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in
/path/to/cacert.asc`.0"


> Many Thanks
> James
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of George
> Holbert
> Sent: Friday, December 05, 2008 12:03 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Create client SSL certificates
> forSolaris boxes.
>
> James Chavez wrote:
>> George,
>> Thank you much for the help with this. I read up on the links you sent
>> and they seem to have helped. I have been struggling with a Solaris 8
>> box for the past few hours. It would not work at first, I was getting
>> an end of file error in the access log. Then it just started working
>> after I restarted the client services a few times and re-added the box
>> using the same profile.
>>
>> I have another question in regards to SSL for replication.
>> I had MMR going between two servers, this one and another prior to
>> enabling SSL on this server. I removed all the replication agreements
>> because as I understand it they need to be recreated with SSL. I would
>> appreciate the list's opinions on the following. The Admin guide states
>> that there are 2 ways of replicating over SSL, I pasted them below. I
>> would like to know the pros and cons of each and if a DNS PTR record
>> is an absolute necessity on each MMR member.
>
> The end result with both SSL replication flavors is the same.
> Both encrypt the replication traffic between your directory servers.
> The client cert method, when properly implemented, will make life more
> challenging for a prospective attacker who would like to impersonate
> your replication manager identity.  In that sense, it is more secure
> than simple auth with SSL.
>
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
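The `cp ... $(openssl x509 -noout -hash ...).0` one-liner above is the manual form of what OpenSSL's hashed CA directory (the `TLS_CACERTDIR` that OpenSSL-linked nss_ldap/pam_ldap read) expects: each CA certificate is stored under `<subject-hash>.N`. As an added example that is not from this thread, here is a small POSIX shell helper that does the same install but checks that the input file is actually readable first (the `fopen ... No such file or directory` failure James hit), and picks the next free `.N` suffix instead of overwriting an existing file whose subject hashes the same. The function names `cert_hash` and `install_cacert` are my own; the directory `/etc/openldap/cacerts` is the one from the HowTo. One caveat: OpenSSL 1.0.0 and later compute `-hash` with a SHA-1 based scheme, older releases used an MD5 based one (available as `-subject_hash_old` on newer OpenSSL), so the hash must come from the same OpenSSL generation the LDAP client library is linked against; `c_rehash`/`openssl rehash` automate the same naming.

```shell
#!/bin/sh
# install_cacert.sh: copy a PEM CA certificate into an OpenSSL hashed
# certificate directory such as /etc/openldap/cacerts, naming it
# <subject-hash>.N as OpenSSL's directory lookup requires.
# Helper names and error texts are this example's own, not from the list.
set -eu

# Print the OpenSSL subject-name hash of a PEM certificate.
# Fails with a clear message instead of OpenSSL's bss_file.c fopen error
# when the path is wrong (a relative path from the wrong directory, say).
cert_hash() {
    cert="$1"
    if [ ! -r "$cert" ]; then
        echo "cert_hash: cannot read '$cert' (try an absolute path)" >&2
        return 1
    fi
    openssl x509 -noout -hash -in "$cert"
}

# Install CERT into DIR as DIR/<hash>.N and print the resulting path.
# N starts at 0 and is bumped past any existing file for the same hash,
# so two CAs whose subjects collide in the hash do not clobber each other.
# Re-running on an already installed cert just reports the existing path.
install_cacert() {
    cert="$1"
    dir="$2"
    h=$(cert_hash "$cert") || return 1
    n=0
    while [ -e "$dir/$h.$n" ]; do
        if cmp -s "$cert" "$dir/$h.$n"; then
            echo "$dir/$h.$n"
            return 0
        fi
        n=$((n + 1))
    done
    mkdir -p "$dir"
    cp "$cert" "$dir/$h.$n"
    chmod 644 "$dir/$h.$n"
    echo "$dir/$h.$n"
}

# Usage (needs write access to the target directory):
#   install_cacert /path/to/cacert.asc /etc/openldap/cacerts
```

After installing, a quick check that the directory is usable is `openssl verify -CApath /etc/openldap/cacerts /path/to/some-server-cert.pem`; if the hash naming is wrong for the installed OpenSSL, that verify fails with an "unable to get local issuer certificate" style error even though the CA file is present.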