I've got 389 Directory Server running on RHEL 5 with groups, users, posix etc. RHEL clients are authenticating users with LDAP - no problems, everything works perfectly, but passwords are sent in plaintext and are visible with a network sniffer. So I decided to run with SSL:
- Created CA - got both private and public CA certificates
- Using the CA certs: generated both the private and public certificates and combined them (1st file) for 389DS according to the 389DS certificate request, imported with the CA public cert into 389DS from the graphical console (2nd file).
- Enabled SSL in 389DS
- On the client, using authconfig-gtk enabled SSL for LDAP, specified only CA public certificate
Doesn't work.
Howto? What is the best way to integrate safely?
The first thing you may want to do is check that your server is presenting its certificates properly. You can do this by trying to connect to your server using OpenSSL. On a client machine with access, run:
This should return a nice printout of the server's certificate. The key here is checking the "Verify return code" printed at the end. You may get different codes, but generally speaking, you should get 0 for a valid certificate, and possibly 19 if you're self-signing.
If this fails, go back and check to ensure you have imported your server side certificates properly.
If you've passed this test, move on to testing your TLS connections from the client side.
On a client machine, run:
This will force an LDAP lookup over an encrypted connection. If that's successful, you should get some user information back, and a check into the DS logs should yield the following:
If this fails, you'll want to ensure the certificates were properly imported on the client side.
When troubleshooting, some common areas I've found myself looking at frequently are:
1.) On the clients, in some cases (which someone here may be able to better explain), you might try to require signing by editing ldap.conf and including the line
2.) If the authentication GUI is giving you problems, you might try just explicitly turning on TLS for LDAP with
I've had problems with the GUI before, so I tend to stick to using CLI commands.
3.) And a final thing you might try (again, just for testing), is calling
Update
If you're looking for more help in actually creating self-signed certificates, try the following:
1.) Create your own, self-signed CA Certificate:
2.) Create a server certificate for the directory server
3.) Import both of these certificates into the directory server in the "Manage Certificates" section, selected under "Tasks"
4.) Enable TLS encryption
5.) Create an exportable certificate for clients and output it to a .pem file
6.) By means of your choosing, download the client certificate onto each client.
7.) Rehash the certificates by using the previously mentioned command
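The two client-side checks this answer walks through (reading the "Verify return code" from an openssl s_client connection, then forcing an encrypted lookup with ldapsearch), as an added shell example that is not part of the original answer; the host, port, CA file path and search base are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer. Checks that a 389 DS server
# presents a certificate chain the client CA file trusts, then forces a
# TLS-only LDAP lookup. Hostnames, paths and base DN below are assumptions.

# Extract the numeric code from the "Verify return code: N (...)" line that
# openssl s_client prints at the end of its output (read on stdin).
parse_verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\) .*/\1/p' | head -n 1
}

# Map the code to a verdict: 0 = chain verified against the CA file,
# 19 = self-signed certificate in the chain (expected with a private CA
# that is not in the CA file), anything else needs investigation.
verdict_for_code() {
    case "$1" in
        0)  echo "ok" ;;
        19) echo "self-signed" ;;
        "") echo "no-verify-line" ;;
        *)  echo "fail" ;;
    esac
}

# Connect to the LDAPS port and report the verdict (needs network access).
check_ldaps_cert() {
    host="$1"; port="${2:-636}"; cafile="${3:-/etc/openldap/cacerts/ca.pem}"
    code=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
             -CAfile "$cafile" 2>/dev/null | parse_verify_code)
    verdict_for_code "$code"
}

# Force STARTTLS (-ZZ fails hard if TLS cannot be negotiated) and look up
# one account; a successful result means the client trusts the server cert.
test_ldap_tls() {
    host="$1"; base="${2:-dc=example,dc=com}"; user="${3:-testuser}"
    ldapsearch -x -ZZ -H "ldap://$host" -b "$base" "(uid=$user)" uid
}

# Stand-alone usage (placeholders): uncomment and adjust.
# check_ldaps_cert ldap.example.com 636 /etc/openldap/cacerts/ca.pem
# test_ldap_tls ldap.example.com dc=example,dc=com testuser
```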
I had no luck configuring SSL for the 389 directory or admin servers following the howtos I found (I figured it was because I was using CentOS 6, and most of the howtos targeted Red Hat specifically).
What finally worked for me was to initiate cert requests from the 389-console (admin|dir) server interfaces, sign these reqs with a tinyCA installation (just a frontend to openssl, I'm lazy), export the signed PEM certs and CA certs, and import those back using 389-console.
389 console -> Server Group --> (admin/directory) server -> Open -> Manage Certificates
Hope this helps...
Could you use the link below to set up RHDS/389-ds on SSL?
http://lists.fedoraproject.org/pipermail/389-users/2012-March/014200.html
Hope that helps.