Mailinglist Archive: opensuse (1445 mails)

Re: [opensuse] NFS security [Was: SAMBA.]
On 17/03/12 15:12, Carlos E. R. wrote:

On 2012-03-17 10:30, lynn wrote:
Maybe you missed that the CN of the CA certificate must be the same as the
fqdn of your server. There is a howto here:
Yes, I did miss that. Obviously, if that is necessary and yast knows that
I'm setting up LDAP, that field should be already filled.
You may want the certificate for something else other than LDAP server verification. Anyway, you don't need to have a server certificate if this is just a test lan. Get it working without security first. In Yast LDAP Client, don't check the sssd or tls options.
Ok, trying again.

No, I can't delete the root certificate to create it again correctly:

RuntimeException:-1:Deleting the CA is not allowed. The CA must be expired
or never have signed a certificategain. It's.

But that client certificate I revoked and deleted...

Ok, I create another certificate, try again with LDAP creation and... same
error, CA certificate file does not exist. Do I need a client certificate
too? I don't want to create one and then not be able to delete it.

As I said, not that easy.

To be able to start again, you need to get rid of the root-ca. It's in either /var/lib/ca-certificates or /var/lib/CAM. Depending on how far you got, there may also be a server certificate under /etc/openldap. Lose that too.

One thing which really helped us was to draw out the tree of what you are trying to put into the database. Make sure that _every_ node is unique. I mean draw it with pen and paper and blu-tak it to your screen. With LDAP, having an aim is essential, otherwise the learning curve is just too steep. e.g. start with just cn, uid, gid and 'phone number. Armed with that you should be able to pinpoint everyone both personally and over NFS.

L x
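The "draw the tree and make every node unique" advice above can be turned into a pre-flight check before anything is loaded into the directory. The following is an added example, not code from the thread or from openSUSE; the entries and the suffix `dc=example,dc=com` are constructed sample data, and attribute names follow the standard posixAccount/posixGroup schema (uid, uidNumber, gidNumber, cn, telephoneNumber).

```python
from collections import Counter

# Constructed planning data: the suffix plus the few attributes the post suggests
# (attribute names follow the posixAccount/posixGroup schema).
SUFFIX = "dc=example,dc=com"
PLANNED_ENTRIES = [
    {"dn": SUFFIX},
    {"dn": "ou=people," + SUFFIX},
    {"dn": "ou=groups," + SUFFIX},
    {"dn": "uid=lynn,ou=people," + SUFFIX, "uid": "lynn",
     "uidNumber": 1001, "gidNumber": 100, "telephoneNumber": "555-0101"},
    {"dn": "uid=carlos,ou=people," + SUFFIX, "uid": "carlos",
     "uidNumber": 1002, "gidNumber": 100, "telephoneNumber": "555-0102"},
    {"dn": "cn=users,ou=groups," + SUFFIX, "cn": "users", "gidNumber": 100},
]


def parent_dn(dn):
    """DN one level up. Assumes no escaped commas in RDN values."""
    return dn.partition(",")[2]


def check_tree(entries, suffix=SUFFIX):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    dns = [e["dn"] for e in entries]
    # 1. Every DN must be unique, or the second add fails.
    problems += [f"duplicate dn: {dn}" for dn, n in Counter(dns).items() if n > 1]
    # 2. Every entry below the suffix needs an existing parent entry.
    known = set(dns)
    for dn in dns:
        if dn != suffix and parent_dn(dn) not in known:
            problems.append(f"missing parent for {dn}: {parent_dn(dn)}")
    # 3. uid and uidNumber must be unique: NFS identifies file owners by
    #    uidNumber alone, so a collision merges two people's access rights.
    for attr in ("uid", "uidNumber"):
        vals = Counter(e[attr] for e in entries if attr in e)
        problems += [f"duplicate {attr}: {v}" for v, n in vals.items() if n > 1]
    # 4. Every gidNumber a user carries must belong to a group entry.
    group_gids = {e["gidNumber"] for e in entries
                  if "cn" in e and "gidNumber" in e and "uid" not in e}
    for e in entries:
        if "uid" in e and e.get("gidNumber") not in group_gids:
            problems.append(f"{e['dn']}: unknown gidNumber {e.get('gidNumber')}")
    return problems


if __name__ == "__main__":
    print("\n".join(check_tree(PLANNED_ENTRIES) or ["plan is consistent"]))
```

Run it against the list you drew on paper before feeding the entries to the server; a duplicate uidNumber is the case that matters most for NFS, since two people would then own each other's files.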
