[389-users] PAM-LDAP LDAPS Where (in /etc/ldap.conf) to hardcode the keyfile-password (which name=value pair) ?

Rich Megginson rmeggins at redhat.com
Wed May 13 15:31:54 UTC 2009


lambam80 at hotmail.com wrote:
> Rich, hello and, as ever, thanks for the helpful reply. One very quick
> question and a quick technote 'for the record'.
>  
> < You write, '... It probably won't, unless you either hardcode the 
> clear text password ...'
>  
> Q1: Hardcode where? Is there an attribute in /etc/ldap.conf
> specifically for the keyfile password?
I have no idea - all I know is that if you need a password to unlock the 
private key, you need to store it somewhere.
>  
> < You write, '...  or simply have no key password ...'
>  
> For the record, I reckon I need the '-noDES' option if I don't want a 
> key file password:
>  
> openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -days 
> 7300 -nodes <<EOF
> ...
> EOF
>  
> For reference: http://www.openssl.org/docs/apps/req.html#
>  
> I'll let you all know if my PAM-LDAP Linux login works when using 
> client-certificates for binding to LDAP.
Ok. 
>  
> Thanks again,
> -----
>
>  
> > Date: Tue, 12 May 2009 09:31:16 -0600
> > From: rmeggins at redhat.com
> > To: fedora-directory-users at redhat.com
> > CC: lambam80 at hotmail.com
> > Subject: Re: [389-users] PAM-LDAP LDAPS (Linux Login) with PAM-LDAP
> > using a client certificate
> >
> > lambam80 at hotmail.com wrote:
> > > Hello everybody and, firstly, thanks for your continued support.
> > >
> > > I hope I've used the correct expression/jargon, i.e. PAM-LDAP?
> > >
> > > PAM-LDAP works with LDAPS and binding with cn=Directory
> > > Manager/password hardcoded in /etc/ldap.conf - great stuff.
> > Except for the fact that you have the directory manager clear text
> > password hardcoded in ldap.conf :-(
> > > This was configured using the GUI
> > > '/usr/sbin/system-config-authentication' - also great stuff!
> > >
> > > Symbolic Link pointing to the CA certificate: Q1. I've searched the
> > > web but cannot find what purpose the symbolic link serves.
> > > ----------------------------------------
> > >
> > > # ls -toalr /etc/openldap/cacerts
> > > -rw-r--r-- 1 root 1464 2009-03-10 12:21 authconfig_downloaded.pem
> > > lrwxrwxrwx 1 root 25 2009-03-10 12:21 123a856c.0 ->
> > > authconfig_downloaded.pem
> > >
> > >
> > > Client Certificate etc.
> > > --------------------------
> > > I'm now experimenting with client certificates and have found the
> > > following link:
> > >
> > > http://lists.fini.net/pipermail/ldap-interop/2005-April/000421.html
> > >
> > > and see the following example lines for the file /etc/ldap.conf:
> > > tls_cert /usr/share/ssl/certs/ldap.pem ($FN.pem in my case)
> > > tls_key /usr/share/ssl/certs/ldap.key.pem ($FN.key for me)
> > >
> > > Q2. ldap.key.pem: Is this file simply the $FN.key file created by the
> > > following command?
> > > Will I have trouble if I specify '-passout'? I assume it protects the
> > > file $FN.key.
> > > How will PAM-LDAP open the keystore if I have used a password?
> > It probably won't, unless you either hardcode the clear text password,
> > or simply have no key password.
> > >
> > > openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -passout
> > > pass:<password> 0<< EOF >/dev/null 2>&1
> > > <SNIP>
> > >
> > > Q3. ldap.pem: Is this file simply the $FN.pem file created by the
> > > following command?
> > >
> > > openssl ca -in ${FN}.csr -out ${FN}.pem -days 7300 -keyfile
> > > $DIR/demoCA/private/cakey.pem \
> > > -cert $DIR/demoCA/cacert.pem \
> > > -passin pass:<CA PASSWORD> << EOF2 >/dev/null 2>&1
> > > <SNIP>
> > >
> > > Thanks again, cdlt,
> > > -----------
> > >
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > >
> >
> >
>
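Added example (not from the thread, and not Rich's or the pam_ldap project's code): a POSIX shell check for the file that `tls_key` in /etc/ldap.conf points at. As discussed above, pam_ldap cannot prompt for a key passphrase, so the check confirms the key is unencrypted (as produced by `openssl req -nodes`) and that such a key is readable by its owner only; the sample PEM files it creates are constructed header-only stubs, not real key material.

```shell
#!/bin/sh
# Audit a PEM private key referenced by tls_key in /etc/ldap.conf.
# pam_ldap has no way to supply a passphrase, so the key must be
# unencrypted and guarded by filesystem permissions instead.

# Return 0 if the PEM carries an encryption marker: PKCS#8
# "ENCRYPTED PRIVATE KEY" or the legacy "Proc-Type: 4,ENCRYPTED" header.
key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Return 0 if no group/other permission bits are set (e.g. mode 0600/0400).
key_perms_ok() {
    bits=$(ls -ld "$1" | cut -c5-10)   # columns 5-10 of ls -l: group + other
    [ "$bits" = "------" ]
}

# Verdict for one tls_key file: 0 = usable by pam_ldap, 1 = not.
check_tls_key() {
    f="$1"
    if key_is_encrypted "$f"; then
        echo "$f: passphrase-protected; pam_ldap cannot unlock it (regenerate with -nodes)" >&2
        return 1
    fi
    if ! key_perms_ok "$f"; then
        echo "$f: unencrypted key is group/world readable; chmod 600 it" >&2
        return 1
    fi
    echo "$f: ok (unencrypted, owner-only permissions)"
}

# Constructed sample files for a self-contained run (header lines only,
# no real key material). Prints the temp directory that holds them.
demo_setup() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '-----END RSA PRIVATE KEY-----' \
        > "$d/protected.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '-----END RSA PRIVATE KEY-----' \
        > "$d/plain.key"
    chmod 600 "$d/protected.key" "$d/plain.key"
    cp "$d/plain.key" "$d/plain-loose.key" && chmod 644 "$d/plain-loose.key"
    echo "$d"
}

# Usage: sh check_tls_key.sh /path/to/ldap.key   (hypothetical script name)
[ $# -eq 0 ] || check_tls_key "$1"
```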

