FedFsInstallNsdbCertificates0.9

From Linux NFS

Revision as of 21:24, 30 October 2012 by Chucklever (Talk | contribs)

Project: fedfs-utils



Introduction

A Namespace Database, or NSDB, is the repository for fileset location information in a FedFS domain. At its core, an NSDB is simply an LDAP server with an NSDB Container Entry, or NCE for short. FedFS data is stored as children of this entry.

In this article, we show how to create and distribute X.509 LDAP server certificates. With these certificates, NSDB clients (fileservers or NSDB administrative tools) can use TLS when communicating with NSDBs.

LDAP server configuration

For now, this section is specific to OpenLDAP on Fedora; coverage of other LDAP servers is to come. This material should eventually move to the OpenLDAP configuration article.

On your NSDB LDAP server, the following steps will create an LDAP server and CA certificate:

# cd /etc/pki/tls/certs
# rm -f slapd.pem
# make slapd.pem

Respond to each prompt as appropriate. Allow slapd to read the PEM file:

# chown ldap.ldap slapd.pem
# chmod 440 slapd.pem
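The two steps above leave slapd.pem holding both the server certificate and its private key, readable by the ldap user and group only. The following script is an added example, not part of the fedfs-utils project or this wiki; it checks that a combined PEM file is in that state before slapd is pointed at it: the file contains both a certificate and a private key, its mode is 440 or stricter, and it is owned by the expected user and group. The function names, the optional command-line arguments, and the sample PEM markers used when testing are the example's own assumptions. A key that is world-readable or writable by other accounts undermines the TLS protection this procedure sets up, so the script reports any such file as a failure.

```shell
#!/bin/sh
# Added example (not fedfs-utils or wiki code): sanity-check a combined
# certificate+key PEM such as /etc/pki/tls/certs/slapd.pem.
# Usage: check_slapd_pem.sh [PEMFILE [USER [GROUP]]]; defaults are the
# values used in the procedure above (slapd.pem, ldap, ldap).

# Print the octal permission bits of FILE (GNU stat first, BSD stat fallback).
stat_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print "owner:group" of FILE (GNU stat first, BSD stat fallback).
stat_owner() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# Succeed only if FILE carries both a certificate and a private key block,
# which is what "make slapd.pem" produces in a single file.
check_pem_contents() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" || return 1
    return 0
}

# Succeed only if the mode is 440 or stricter: no write bits anywhere and
# nothing for "other", so the private key is not readable by arbitrary
# local users. GNU stat prints 040 as "40" and 000 as "0".
check_pem_mode() {
    mode=$(stat_mode "$1") || return 1
    case "$mode" in
        440|400|40|0) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if FILE is owned by USER:GROUP (the account slapd runs as).
check_pem_owner() {
    owner=$(stat_owner "$1") || return 1
    [ "$owner" = "$2:$3" ]
}

# Combine the three checks; each failure is reported on stderr.
check_slapd_pem() {
    pem=$1; user=$2; group=$3
    rc=0
    check_pem_contents "$pem" || { echo "$pem: missing certificate or private key" >&2; rc=1; }
    check_pem_mode "$pem"     || { echo "$pem: mode $(stat_mode "$pem") is looser than 440" >&2; rc=1; }
    check_pem_owner "$pem" "$user" "$group" || { echo "$pem: owner is $(stat_owner "$pem"), expected $user:$group" >&2; rc=1; }
    return $rc
}

# Run the check only when invoked with arguments, so the functions can also
# be sourced by other scripts without side effects.
if [ $# -ge 1 ]; then
    if check_slapd_pem "$1" "${2:-ldap}" "${3:-ldap}"; then
        echo "OK: $1 is ready for slapd"
    else
        exit 1
    fi
fi
```

Run it as `sh check_slapd_pem.sh /etc/pki/tls/certs/slapd.pem ldap ldap` after the chown and chmod above; a non-zero exit means slapd should not yet be configured to use the file.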

Now tell slapd where to find the certificate and key. Create /tmp/ldif containing only the following lines:

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/certs/slapd.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapd.pem

dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: never