RE: [Fedora-directory-users] Re: SubjectAltName how does it work?

2006-04-11 Thread Alex
 
> I did give you another solution -- simply list all your FDS 
> servers in the client's /etc/openldap/ldap.conf.  That's it.  
> None of this floating IP business.  If the first one on the 
> list fails, it'll go to the next one.
> 

Ok... tomorrow I'll try to solve it this way... thank you!

At this point "floating IP" has become too complicated!


Regards (good night)
Alex

--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users


RE: [Fedora-directory-users] Re: SubjectAltName how does it work?

2006-04-11 Thread Susan
--- Alex <[EMAIL PROTECTED]> wrote:
> Susan... I explained why floating IP... give me another solution that permits
> having 2 DS in replication where clients can query/authenticate in encrypted
> mode on both servers... even if a server is shut down or crashed... of
> course... tell me how to implement it too ;-)

I did give you another solution -- simply list all your FDS servers in the
client's /etc/openldap/ldap.conf.  That's it.  None of this floating IP
business.  If the first one on the list fails, it'll go to the next one.

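For reference, this is what Susan's suggestion looks like in a client's ldap.conf (an added example, not a file from the thread or from Fedora DS; the CA file path is an assumption). OpenLDAP tries the URIs in order and moves to the next one when a connection fails. Note the caveat that ties this back to the rest of the thread: with TLS_REQCERT demand the client verifies each server's certificate against the hostname it dialled, so nodo1's certificate must carry nodo1.domain.example.com and nodo2's must carry nodo2.domain.example.com, whether as CN or as a subjectAltName entry.

```conf
# /etc/openldap/ldap.conf (example; the CA path is an assumption)
BASE        dc=domain,dc=example,dc=com

# Servers are tried in order; the client falls through to the next URI
# when the first cannot be contacted. No floating IP is needed.
URI         ldaps://nodo1.domain.example.com ldaps://nodo2.domain.example.com

# Trust only the private CA that signed both server certificates, and
# refuse any server whose certificate does not match its own hostname.
TLS_CACERT  /etc/openldap/cacerts/ca.crt
TLS_REQCERT demand
```

Check each master on its own first, e.g. `ldapsearch -x -H ldaps://nodo2.domain.example.com -b "" -s base`, before relying on the fall-through; if ldap:// URIs on port 389 are used instead, `ldapsearch -ZZ` exercises the same certificate check via StartTLS.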


RE: [Fedora-directory-users] Re: SubjectAltName how does it work?

2006-04-11 Thread Alex
 
> You are doing a couple of odd things:
> 
> 1. Why does nodo1 get its own nickname but nodo2 is named 
> Alt-Cert? As I've said before, the nicknames aren't 
> important, but you should have some sort of naming policy.
> 2. You may need to fully qualify the cn in the certificates: 
> nodo1.domain.example.com. This alone could explain the -12276 
> error. I don't know if NSS will reconstitute the domain from 
> its dc components.
> 
> Does ldapsearch work against each fully-qualified host? Get 
> ldapsearch working for the CN and for the alt subject first 
> before trying to do MMR.
> 
> rob
> 
Alt-Cert is only there because of your tips
... tomorrow I'll try to make a certificate for nodo2 as
nodo2.domain.example.com
Sincerely, I still don't understand where the problem is; at this point I
think that I explained my goal badly. I followed your tip,
assuming that -n Alt-Cert was something more than only a nickname for the cert.

Plus, in my last post I used the FQDN for nodo1 and Alt-Cert for the reason above;
do you think that all the problems come from an error in the -n statement?


Susan... I explained why floating IP... give me another solution that permits
having 2 DS in replication where clients can query/authenticate in encrypted
mode on both servers... even if a server is shut down or crashed... of
course... tell me how to implement it too ;-)

At this point I think that we are very (how do you say vicino?? close??)
to the solution... when finally the DS are replicating and clients can authenticate
with SSL on both servers... other problems such as Postfix integration and
Samba integration are only a matter of time!

Thanks for your support
Alex




Re: [Fedora-directory-users] Re: SubjectAltName how does it work?

2006-04-11 Thread Susan

> Alex wrote:
> > I apologize but I don't understand what you want to say... and no, at
> > this point I can't do ldapsearch -ZZ

Then obviously MMR over SSL will not work.

Seriously, why do you keep doing this floating IP setup?  It's not buying you
anything.  It



Re: [Fedora-directory-users] Re: SubjectAltName how does it work?

2006-04-11 Thread Rob Crittenden

Alex wrote:

> > Like Richard said, what is nsSSLPersonalitySSL set to in 
> > dse.ldif on the nodes?
> >
> > you should keep the names consistent.  I mean, how do you 
> > know whether alt-server refers to nodo1 or nodo2??  You know 
> > now but what about 5 months from now??
> >
> > also, can you do ldapsearch -ZZ against both nodo1/2 without problems?
>
> I apologize but I don't understand what you want to say... and no, at
> this point I can't do ldapsearch -ZZ
>
> I only followed your instructions to enable encryption on both servers and
> tried to make a query from a client to both servers using a floating IP with
> SSL enabled... I understood that the solution was SubjectAltName and I asked
> how it was possible to implement it... following Rob's tips doesn't seem to be
> working and the last post is the last step in my configuration for testing it.

You are doing a couple of odd things:

1. Why does nodo1 get its own nickname but nodo2 is named Alt-Cert? As 
I've said before, the nicknames aren't important, but you should have 
some sort of naming policy.
2. You may need to fully qualify the cn in the certificates: 
nodo1.domain.example.com. This alone could explain the -12276 error. I 
don't know if NSS will reconstitute the domain from its dc components.

Does ldapsearch work against each fully-qualified host? Get ldapsearch 
working for the CN and for the alt subject first before trying to do MMR.

rob





RE: [Fedora-directory-users] Re: SubjectAltName how does it work?

2006-04-11 Thread Alex
 
> Like Richard said, what is nsSSLPersonalitySSL set to in 
> dse.ldif on the nodes?
> 
> you should keep the names consistent.  I mean, how do you 
> know whether alt-server refers to nodo1 or nodo2??  You know 
> now but what about 5 months from now??
> 
> also, can you do ldapsearch -ZZ against both nodo1/2 without problems?
> 

I apologize but I don't understand what you want to say... and no, at
this point I can't do ldapsearch -ZZ

I only followed your instructions to enable encryption on both servers and
tried to make a query from a client to both servers using a floating IP with
SSL enabled... I understood that the solution was SubjectAltName and I asked
how it was possible to implement it... following Rob's tips doesn't seem to be
working and the last post is the last step in my configuration for testing it.


Regards
Alex



RE: [Fedora-directory-users] Re: SubjectAltName how does it work?

2006-04-11 Thread Susan
--- Alex <[EMAIL PROTECTED]> wrote:
> [11/Apr/2006:17:56:58 +] NSMMReplicationPlugin - agmt="cn="Replication
> to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk
> error 81 (Can't contact LDAP server), Netscape Portable Runtime error -12276

Like Richard said, what is nsSSLPersonalitySSL set to in dse.ldif on the nodes?

you should keep the names consistent.  I mean, how do you know whether 
alt-server refers to nodo1 or nodo2??  You know now but what about 5 months
from now??

also, can you do ldapsearch -ZZ against both nodo1/2 without problems?



RE: [Fedora-directory-users] Re: SubjectAltName how does it work?

2006-04-11 Thread Alex
 
> what happens when you run certutil -L -d . on both servers?  
> in alias directory?
> 
> try keeping the cert names consistent, that'll help in 
> troubleshooting.
> 


Ok... after these commands:

***** CA *****

# ../shared/bin/certutil -N -d .

# ../shared/bin/certutil -S -d . -n 'CA Certificate' -s 'cn=CAcert' -x -t CTu,CTu,CTu -g 1024 -m 1 -v 120 -2 -1 -5


***** Server 1 *****

# ../shared/bin/certutil -R -d . -s "cn=nodo1,dc=domain,dc=example,dc=com" -o tmpcertreq -g 1024
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 120 -1 -5 -8 domain.example.com
# ../shared/bin/certutil -A -d . -n nodo1.domain.example.com -t u,u,u -i tmpcert.der


***** Server 2 *****

# ../shared/bin/certutil -R -d . -s "cn=nodo2,dc=domain,dc=example,dc=com" -o tmpcertreq -g 1024
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 9 -v 120 -1 -5 -8 domain.example.com
# ../shared/bin/certutil -A -d . -n Alt-Cert -t u,u,u -i tmpcert.der

# certutil -L -d .
CA Certificate                  CTu,CTu,CTu
Nodo1.domain.example.com        u,u,u
Alt-Cert                        u,u,u


***** MULTI MASTER REPLICATION *****

... after enabling SSL encryption on both servers... running the mmr.pl script:

./mmr.pl --host1 nodo1.domain.example.com --host2 nodo2.domain.example.com --host1_id 1 --host2_id 2 --bindpw secret --repmanpw secret --create --with-ssl


***** LOGS *****

... in the logs on nodo1:

[11/Apr/2006:17:56:58 +] NSMMReplicationPlugin - agmt="cn="Replication
to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk
error 81 (Can't contact LDAP server), Netscape Portable Runtime error -12276
(Unable to communicate securely with peer: requested domain name does not
match the server's certificate.)
[11/Apr/2006:17:56:58 +] NSMMReplicationPlugin - agmt="cn="Replication
to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk
error 81 (Can't contact LDAP server), Netscape Portable Runtime error -12276
(Unable to communicate securely with peer: requested domain name does not
match the server's certificate.)
[11/Apr/2006:17:57:01 +] NSMMReplicationPlugin - agmt="cn="Replication
to nodo2"" (nodo2:636): Simple bind failed, LDAP sdk error 81 (Can't contact
LDAP server), Netscape Portable Runtime error -12276 (Unable to communicate
securely with peer: requested domain name does not match the server's
certificate.)

CONSIDERATIONS

Modifying as suggested by Richard:

../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 120 -1 -5 -8 domain.example.com


It says:

bash: syntax error near unexpected token 'newline'


I understood that the problem is how I wrote http, but I don't know how
to change it

Thanks in advance for your support

Alex



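To make the -12276 check concrete, here is an added example (not code from the thread, from NSS or from Fedora DS) that applies the RFC 6125 name-matching rules a TLS client uses when it decides whether "the requested domain name matches the server's certificate": if the certificate carries dNSName entries in subjectAltName, those are what is matched and the CN is not consulted; the CN only counts when there is no subjectAltName. The first certificate is built from the names actually used in the commands above (subject cn=nodo2,dc=domain,dc=example,dc=com, signed with -8 domain.example.com); the "fixed" certificate, with an FQDN CN and a SAN that also lists the ldap.domain.example.com alias, is a hypothetical one. Checked against the name the replication agreement dials, nodo2.domain.example.com, the certificate as issued is rejected because neither nodo2 nor domain.example.com is that name.

```python
"""Hostname matching against a server certificate, RFC 6125 style.

Added example (not from the thread): models the check behind NSS error
-12276 "requested domain name does not match the server's certificate".
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertNames:
    """The identity names a TLS client can read from a server certificate."""
    cn: Optional[str]                                 # subject CN (None if absent)
    san_dns: List[str] = field(default_factory=list)  # subjectAltName dNSName entries


def cn_from_subject(subject: str) -> Optional[str]:
    """Pull the CN out of a certutil-style subject such as
    'cn=nodo1,dc=domain,dc=example,dc=com'. Returns None if there is no CN."""
    for rdn in subject.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().lower() == "cn":
            return value.strip()
    return None


def dns_name_matches(presented: str, host: str) -> bool:
    """Compare one presented name with the requested hostname.

    Case-insensitive, trailing dots ignored. A wildcard is accepted only as
    the entire leftmost label, must leave at least two more labels, and
    matches exactly one label (RFC 6125 section 6.4.3)."""
    presented = presented.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in presented:
        return presented == host
    p_labels = presented.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: CertNames, host: str) -> Tuple[bool, str]:
    """Decide whether `host` is an identity of `cert`, and say why.

    If the certificate has dNSName SAN entries, only those are consulted
    (a CN is ignored even if it would have matched); the CN is a fallback
    for certificates that carry no subjectAltName at all."""
    if cert.san_dns:
        for name in cert.san_dns:
            if dns_name_matches(name, host):
                return True, "matched subjectAltName dNSName %r" % name
        return False, "SAN present but no dNSName matches %r (CN not consulted)" % host
    if cert.cn is not None and dns_name_matches(cert.cn, host):
        return True, "matched subject CN %r (no SAN present)" % cert.cn
    return False, "subject CN %r does not match %r" % (cert.cn, host)


# Constructed from the commands in the thread: the nodo2 request carried
# -s "cn=nodo2,dc=domain,dc=example,dc=com" and the CA signed it with
# -8 domain.example.com, so the issued certificate presents these names.
AS_ISSUED = CertNames(
    cn=cn_from_subject("cn=nodo2,dc=domain,dc=example,dc=com"),
    san_dns=["domain.example.com"],
)

# Hypothetical corrected certificate (an assumption, not from the thread):
# CN is the FQDN and the SAN lists every name a client may dial for this
# server, including the shared service alias ldap.domain.example.com.
AS_FIXED = CertNames(
    cn="nodo2.domain.example.com",
    san_dns=["nodo2.domain.example.com", "ldap.domain.example.com"],
)

# The name the replication agreement actually dials, per the error log.
REQUESTED = "nodo2.domain.example.com"


if __name__ == "__main__":
    for label, cert in (("as issued", AS_ISSUED), ("fixed", AS_FIXED)):
        ok, why = hostname_matches(cert, REQUESTED)
        print("%-10s %s -> %s: %s" % (label, REQUESTED, "OK" if ok else "REJECT", why))
```

The practical consequence is the one Rob hints at: either put the fully qualified hostname in the CN and leave subjectAltName out, or, if -8 is used at all, list the exact names clients and replication partners will dial (the node's own FQDN plus any shared alias), because once a SAN is present a bare or unqualified CN no longer rescues the match.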


Re: [Fedora-directory-users] Re: SubjectAltName how does it work?

2006-04-11 Thread Alessandro Binarelli
> what happens when you run certutil -L -d . on both servers?  in alias directory?
> try keeping the cert names consistent, that'll help in troubleshooting.

Ok... I'll try it in about one hour... more or less... but the command above should list the certificates and, if I remember, it was

Ca Certificate
Alt-Cert
nodo2.domain.example.com

... I'll be more accurate later... when I come back

Thanks in advance
Alex


Re: [Fedora-directory-users] Re: SubjectAltName how does it work?

2006-04-11 Thread Susan
> Alessandro Binarelli wrote:
> > Hi,
> > today, I'm trying to solve ssl issue to comunicate from DS Fedora to 
> > both client and another DS server for replication..after many test, 
> > with your help I catched up this point:

what happens when you run certutil -L -d . on both servers?  in alias directory?

try keeping the cert names consistent, that'll help in troubleshooting.



RE: [Fedora-directory-users] Re: SubjectAltName how does it work?

2006-04-10 Thread Alex
  
> On server2 - did you change Alt-Cert to Server-Cert in the 
> cert database, or did you change the attribute 
> nsSSLPersonalitySSL in entry cn=RSA,cn=encryption,cn=config 
> to be Alt-Cert instead of Server-Cert?


I did exactly what I wrote... so, after making the certificates, I exported the db to
server2 and in the console I enabled SSL encryption using, on the first
server (nodo1), nodo1.domain.example.com and on the second server (nodo2), Alt-Cert

> > ./mmr.pl --host1 nodo1.domain.example.com --host2 nodo2.domain.example.com --host1_id 1 --host2_id 2 --bindpw secret
> > --repmanpw secret --create --with-ssl

Trying to run it replacing nodo1.domain.example.com with
http://nodo1.domain.example.com and nodo2.domain.example.com with
http://nodo2.domain.example.com, the script says:

Died at ./mmr.pl line 418,  line 339


Today I remade the certificates and I used the Alt-Cert nick for server1 and nodo2
for server2... now running the script it says:

[10/Apr/2006:12:24:11 +] NSMMReplicationPlugin - agmt="cn="Replication
to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk
error 81 (Can't contact LDAP server), Netscape Portable Runtime error -12276
(Unable to communicate securely with peer: requested domain name does not
match the server's certificate.)

Thanks
Alex



Re: [Fedora-directory-users] Re: SubjectAltName how does it work?

2006-04-10 Thread Richard Megginson

Alessandro Binarelli wrote:

> Hi,
> today, I'm trying to solve an SSL issue to communicate from DS Fedora to
> both a client and another DS server for replication... after many tests,
> with your help I reached this point:
>
> I'm always in the alias directory.
>
> Create my CA database:
> # ../shared/bin/certutil -N -d .
>
> Make my self CA:
>
> # ../shared/bin/certutil -S -d . -n 'CA Certificate' -s 'cn=CAcert' -x -t CTu,CTu,CTu -g 1024 -m 1 -v 120 -2 -1 -5
>
> Create server key and certificate for server1:
>
> # ../shared/bin/certutil -R -d . -s "cn=nodo1,dc=domain,dc=example,dc=com" -o tmpcertreq -g 1024
> # ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 12 -1 -5 -8 domain.example.com
> # ../shared/bin/certutil -A -d . -n nodo1.domain.example.com -t u,u,u -i tmpcert.der
> # rm -f tmpcert.der tmpcertreq
>
> Create server key and certificate for server2:
>
> # ../shared/bin/certutil -R -d . -s "cn=nodo2,dc=domain,dc=example,dc=com" -o tmpcertreq -g 1024
> # ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 4 -v 12 -1 -5 -8 domain.example.com
> # ../shared/bin/certutil -A -d . -n Alt-Cert -t u,u,u -i tmpcert.der
> # rm -f tmpcert.der tmpcertreq
>
> After that I copy the database to server 2 and rename it to match the correct server... finally I enable SSL encryption on both servers

On server2 - did you change Alt-Cert to Server-Cert in the cert 
database, or did you change the attribute
nsSSLPersonalitySSL in entry cn=RSA,cn=encryption,cn=config to be 
Alt-Cert instead of Server-Cert?

> and I try to establish Multi Master Replication via the mmr.pl script... so:
>
> ./mmr.pl --host1 nodo1.domain.example.com --host2 nodo2.domain.example.com --host1_id 1 --host2_id 2 --bindpw secret --repmanpw secret --create --with-ssl
>
> unfortunately consulting the logs I find:

In which log is this?

> NSMMReplicationPlugin - agmt="cn="Replication
> to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk
> error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error
> -5961 (TCP connection reset by peer.)
>
> It's incredible that when I find a solution for something, at the same 
> time I find a problem in another point :-)
>
> Thanks in advance for support
>
> Alex


 





Re: [Fedora-directory-users] Re: SubjectAltName how does it work?

2006-04-10 Thread Alessandro Binarelli
Hi, 
today, I'm trying to solve an SSL issue to communicate from DS Fedora to
both a client and another DS server for replication... after many tests,
with your help I reached this point:

I'm always in the alias directory.

Create my CA database:
# ../shared/bin/certutil -N -d .

Make my self CA:
# ../shared/bin/certutil -S -d . -n 'CA Certificate' -s 'cn=CAcert' -x -t CTu,CTu,CTu -g 1024 -m 1 -v 120 -2 -1 -5

Create server key and certificate for server1:
# ../shared/bin/certutil -R -d . -s "cn=nodo1,dc=domain,dc=example,dc=com" -o tmpcertreq -g 1024
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 12 -1 -5 -8 domain.example.com
# ../shared/bin/certutil -A -d . -n nodo1.domain.example.com -t u,u,u -i tmpcert.der
# rm -f tmpcert.der tmpcertreq

Create server key and certificate for server2:
# ../shared/bin/certutil -R -d . -s "cn=nodo2,dc=domain,dc=example,dc=com" -o tmpcertreq -g 1024
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 4 -v 12 -1 -5 -8 domain.example.com
# ../shared/bin/certutil -A -d . -n Alt-Cert -t u,u,u -i tmpcert.der
# rm -f tmpcert.der tmpcertreq

After that I copy the database to server 2 and rename it to match the correct server... finally I enable SSL encryption on both servers
and I try to establish Multi Master Replication via the mmr.pl script... so:

./mmr.pl --host1 nodo1.domain.example.com --host2 nodo2.domain.example.com --host1_id 1 --host2_id 2 --bindpw secret --repmanpw secret --create --with-ssl

unfortunately consulting the logs I find:

NSMMReplicationPlugin - agmt="cn="Replication to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5961 (TCP connection reset by peer.)

It's incredible that when I find a solution for something, at the same time I find a problem in another point :-)

Thanks in advance for support

Alex


 


Re: [Fedora-directory-users] Re: SubjectAltName how does it work?

2006-04-07 Thread Rob Crittenden

Alessandro Binarelli wrote:

> > Assuming you already have a CA nicknamed 'cacert' and your database is
> > in the directory named 'foo':
> >
> > % certutil -R -d foo -s "cn=localhost,dc=example,dc=com" -o tmpcertreq -g 1024
> > % certutil -C -d foo -c cacert -i tmpcertreq -o tmpcert.der -m 9 -v 12 -1 -5 -8 foo.example.com
> > % certutil -A -d foo -n Alt-Cert -t u,u,u -i tmpcert.der
> > % certutil -L -d foo -n Alt-Cert
> > % rm -f tmpcert.der tmpcertreq
>
> Thanks as always... at this moment I can't try because I'm traveling for
> work... but, reading what you posted, I missed "-n Alt-Cert" in my
> commands... I want to try as soon as possible... but where did you
> find that? :-)

Nothing magical, -n is just the certificate nickname and Server-Cert 
was already used, so I chose Alt-Cert.


rob




Re: [Fedora-directory-users] Re: SubjectAltName how does it work?

2006-04-06 Thread Alessandro Binarelli
> Assuming you already have a CA nicknamed 'cacert' and your database is
> in the directory named 'foo':
>
> % certutil -R -d foo -s "cn=localhost,dc=example,dc=com" -o tmpcertreq -g 1024
> % certutil -C -d foo -c cacert -i tmpcertreq -o tmpcert.der -m 9 -v 12 -1 -5 -8 foo.example.com
> % certutil -A -d foo -n Alt-Cert -t u,u,u -i tmpcert.der
> % certutil -L -d foo -n Alt-Cert
> % rm -f tmpcert.der tmpcertreq

Thanks as always... at this moment I can't try because I'm
traveling for work... but, reading what you posted, I
missed "-n Alt-Cert" in my commands... I want to try as soon as
possible... but where did you find that? :-)

Thanks
Alex


Re: [Fedora-directory-users] Re: SubjectAltName how does it work?

2006-04-06 Thread Rob Crittenden

Alex aka Magobin wrote:

> I also find this in Sun documentation:
>
> certutil -R ...-CUT-... -a -8 amserv1.example.com,amserv2.example.com
>
> Ok, after reading the document I see that the certutil that comes with FDS
> supports subjectAltName... so I tried to make a server certificate with this
> extension but unfortunately it doesn't work; I used the following
>
> # ../shared/bin/certutil -R -d . -s 'CN=nodo1.domain.example.com' -o tmpcertreq -g 1024 -8 ldap.domain.example.com
> # ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 120 -1 -5 -8 ldap.domain.example.com
> # ../shared/bin/certutil -A -d . -n "nodo1.domain.example.com" -t u,u,u -i tmpcert.der
>
> ... I supposed that it was correct but I'm not sure... I don't find
> anything about configuring a certificate with the subjectAltName extension.
>
> Could someone suggest me the right way?

Assuming you already have a CA nicknamed 'cacert' and your database is 
in the directory named 'foo':

% certutil -R -d foo -s "cn=localhost,dc=example,dc=com" -o tmpcertreq -g 1024
% certutil -C -d foo -c cacert -i tmpcertreq -o tmpcert.der -m 9 -v 12 -1 -5 -8 foo.example.com
% certutil -A -d foo -n Alt-Cert -t u,u,u -i tmpcert.der
% certutil -L -d foo -n Alt-Cert
% rm -f tmpcert.der tmpcertreq

-- Cut --
Signed Extensions:
Name: Certificate Subject Alt Name
Data: Sequence {
[1]
foo.example.com
}

Name: Certificate Type
Data: 
-- Cut --

rob




Re: [Fedora-directory-users] Re: SubjectAltName how does it work?

2006-04-06 Thread Richard Megginson

Alex aka Magobin wrote:

> I also find this in Sun documentation:
>
> certutil -R ...-CUT-... -a -8 amserv1.example.com,amserv2.example.com
>
> Ok, after reading the document I see that the certutil that comes with FDS
> supports subjectAltName... so I tried to make a server certificate with this
> extension but unfortunately it doesn't work; I used the following
>
> # ../shared/bin/certutil -R -d . -s 'CN=nodo1.domain.example.com' -o tmpcertreq -g 1024 -8 ldap.domain.example.com
> # ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 120 -1 -5 -8 ldap.domain.example.com
> # ../shared/bin/certutil -A -d . -n "nodo1.domain.example.com" -t u,u,u -i tmpcert.der

What errors did you get?

> ... I supposed that it was correct but I'm not sure... I don't find
> anything about configuring a certificate with the subjectAltName extension.
>
> Could someone suggest me the right way?
>
> THANKS
> Alex
