darkness

Saturday, 29 July 2006

Installing Fedora Directory Server on FC5

darkness @ 01:10:51

Well, there are the official installation instructions, which basically work because they’re pretty simple: install the RPM and run the indicated setup program. I did create a fedora-ds user and group to run the server as; I don’t know if this is beneficial, but if they do it for every other service, why not this one?

There is a note in the install instructions saying that the console will not work if you don’t turn off SELinux. I did not have that experience when I installed Sun Java 5 (using the RPM from jpackage.org) and ran startconsole through SSH’s X11 forwarding.

Now, before I did that I did have problems connecting to the server with an installation of the administration console on another machine. I suspect these problems were related to weird DNS issues. However, I initially forgot to change the IPs allowed to connect to the administration server as per these directions. I note that FDS 1.0.2 seems to retain the bug from earlier releases whereby the results of matching the IP are inverted: if it matches, you’re denied, otherwise you’re allowed. (Or something.)

To get SSL going I did a few different things. References for these activities were primarily Managing SSL and SASL from the RH Directory Server docs and the HowTo:SSL page from the FDS Wiki.

  1. I made a new CA to be used on my whole network using the easy-rsa stuff from OpenVPN. These scripts make it nice and easy to administer your CA.
  2. From the “Fedora Management Console” you get when you first startconsole -x nologo, find “Administration Server” in the tree and double click it to open the administration server console.
  3. Select the “Manage Certificates” task from the “Tasks” tab.
  4. The first time you open this you’ll probably get prompted to set a password that’s used to encrypt the private keys. Go ahead and do that.
  5. Go into the “CA Certs” tab, click the “Install” button, and follow the prompts to install the CA certificate that easy-rsa made for you.
  6. Now close out all those windows so you’re back down to the “Fedora Management Console” window.
  7. Find and double click the LDAP server in the tree to get its console.
  8. Repeat steps 3-6 for the LDAP server.

At this point both servers have your CA certificate. Now you need to assign them their own key and certificate.

If you want to assign separate keys to the administration server and the LDAP server, you can do that through the GUI: in manage certificate you can generate a request in the “Server Certs” tab of “Manage Certificates,” use sign-req from easy-rsa to make a certificate, then import that certificate in the “Server Certs” tab.

One gotcha: I don’t believe OpenSSL (at least as configured by default in easy-rsa) will let you issue two certificates with the same DN, which usually means you’ll want the CNs on the two certificates to differ; but I’m pretty sure the CN on each certificate needs to be the host name that was used to connect via SSL. (Otherwise, I presume, you’ll go to connect and the SSL client, whatever it might be, will say “hey, the name on the certificate the server sent me doesn’t match the host I connected to! bye!”) If you use a separate host name for the administration server and the LDAP server, no problem. If it turns out I’m wrong about this requirement, also no problem: just make the CNs different to indicate which certificate is for the administration server and which is for the LDAP server.

But if you, like me, want to use one host name to connect to both servers, and you also like to assume problems will occur before they have been solidly confirmed (as I have above), you may want to do what I did: use the same certificate/key for both the administration server and the LDAP server. The trick here is that you can’t (or, at least, I can’t) do this from the GUI. First, make a single key/certificate for the servers with easy-rsa; use build-key-server, not build-key. Then you need to use pk12util on the command line, as described in the HowTo:SSL Wiki page:

openssl pkcs12 -export -inkey PRIVATE-KEY -in CERTIFICATE -out /tmp/crt.p12 -nodes -name 'NICKNAME'
cd /opt/fedora-ds/shared/bin
./pk12util -i /tmp/crt.p12 -d /opt/fedora-ds/alias/ -P PREFIX-

In my case, PRIVATE-KEY was something like /root/ca/keys/ldap.example.com.key (the key file generated by build-key-server), CERTIFICATE was /root/ca/keys/ldap.example.com.crt (again, a result of build-key-server), and I used the CN (the host name) for the NICKNAME. When openssl pkcs12 asks for an export password, just press enter. You need to run the pk12util command twice: once using something like slapd-ldap- (the hyphen on the end is important!) for PREFIX and again using something like admin-serv-ldap- for PREFIX (if you used an instance name other than ldap, the default when running setup, replace ldap in those PREFIX values with your instance name). The first run, with slapd-ldap-, imports the key and certificate into the LDAP server; the second invocation of pk12util imports the key and certificate into the administration server. pk12util may ask for your “token” password or something similar; that’s the password you set when you first opened the “Manage Certificates” task.

When it reports something like pk12util-bin: PKCS12 IMPORT SUCCESSFUL for each invocation of pk12util you should be able to see your imported key/certificate in the “Manage Certificates” task of both the administration server and the LDAP server.

Now that you’ve done the hard work of actually getting the necessary keys and certificates into FDS, you need to go into the configuration of each of the administration and the LDAP servers and enable SSL, then restart both servers. This process is described in the RHDS documentation on enabling SSL.

I’ll take a moment to note that I disable all “insecure” ciphers (that’s what I think I’m doing when I uncheck them, at least). I’m a little concerned that, when editing the TLS ciphers for the LDAP server, I end up unchecking them all, because the only two available ciphers are 56-bit “export” ciphers. I don’t know if I need to enable a plug-in, if a more secure cipher is simply missing in FDS, or if some specification (LDAP? TLS? I don’t believe either of these would specify such a thing) says you can’t use a stronger cipher with TLS in this case. At any rate, I suspect disabling all TLS ciphers means STARTTLS will never work with my LDAP server, and I’m OK with that (I’ll just use port 636).

A final note: learning that pk12util and certutil are there, and a bit about what they can do, is probably valuable. For example, I initially used build-key (instead of build-key-server) to generate my key/certificate. When I went to restart the administration server and the LDAP server, neither would start back up because of an SSL error. I had to use certutil to delete them and pk12util to put new ones back in (after I revoked the old ones and generated new ones with build-key-server).

Now, I want FDS to start without asking me for the password I encrypted the key/certificate databases with. To do this for the LDAP server, make a file /opt/fedora-ds/alias/slapd-ldap-pin.txt (once again, replace ldap with your instance name if you’re not using the default) with the following contents:

Internal (Software) Token:PASSWORD

Where PASSWORD is the password you set. Make sure this file is mode 400 or similar, readable only by the user/group FDS runs as (fedora-ds in my case). Storing the administration server’s passphrase requires just a touch more work. First, make a file such as /opt/fedora-ds/admin-serv/config/password.conf and give it contents such as:

internal:PASSWORD

Again, PASSWORD is the password you set for the administration server’s certificate store, and again, make sure this file has proper permissions: mode 400, owned by the user/group FDS runs as. Now you have to change the “NSS” module’s configuration to tell it to read the passphrase from this file. Edit /opt/fedora-ds/admin-serv/config/nss.conf, find the line that begins with NSSPassPhraseDialog, and change it to look something like:

NSSPassPhraseDialog file:/opt/fedora-ds/admin-serv/config/password.conf

Now you should be able to restart both the LDAP and administration servers with impunity, and without being asked for a password.
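The pin-file setup above as a script, an added example that is not part of the original post: it writes both password files with the permissions described, rewrites the NSSPassPhraseDialog line in nss.conf, and checks the result. It assumes the FDS 1.0.x layout under /opt/fedora-ds, the default ldap instance and the fedora-ds service account from the post; the FDS_ROOT, INSTANCE and FDS_USER variables, the function names and the dry-run sample tree are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Stores the NSS token passwords
# for the LDAP server and the administration server so that both start
# without prompting, then checks the result.
# Assumed: FDS 1.0.x layout under /opt/fedora-ds, instance "ldap", service
# account "fedora-ds". Override with FDS_ROOT, INSTANCE and FDS_USER.
FDS_ROOT="${FDS_ROOT:-/opt/fedora-ds}"
INSTANCE="${INSTANCE:-ldap}"
FDS_USER="${FDS_USER:-fedora-ds}"

# Write one line of secret to PATH with mode 400, owned by the service
# account when run as root (the chown is skipped otherwise so the script
# can be dry-run as an ordinary user).
write_secret_file() {
    path="$1"; line="$2"
    if [ -e "$path" ]; then chmod u+w "$path" || return 1; fi
    ( umask 077; printf '%s\n' "$line" > "$path" ) || return 1
    chmod 400 "$path" || return 1
    if [ "$(id -u)" -eq 0 ] && id "$FDS_USER" >/dev/null 2>&1; then
        chown "$FDS_USER:$FDS_USER" "$path" || return 1
    fi
}

# LDAP server: alias/slapd-<instance>-pin.txt holding
# "Internal (Software) Token:PASSWORD".
install_slapd_pin() {
    write_secret_file "$FDS_ROOT/alias/slapd-$INSTANCE-pin.txt" \
        "Internal (Software) Token:$1"
}

# Administration server: admin-serv/config/password.conf holding
# "internal:PASSWORD".
install_admin_password() {
    write_secret_file "$FDS_ROOT/admin-serv/config/password.conf" "internal:$1"
}

# Point the NSSPassPhraseDialog directive in nss.conf at password.conf,
# keeping a backup of the original file.
configure_nss_conf() {
    conf="$FDS_ROOT/admin-serv/config/nss.conf"
    pwfile="$FDS_ROOT/admin-serv/config/password.conf"
    cp "$conf" "$conf.bak" || return 1
    sed -i "s|^NSSPassPhraseDialog .*|NSSPassPhraseDialog file:$pwfile|" "$conf"
}

# Check that both secret files exist with mode 400 and that nss.conf refers
# to password.conf. Returns 0 on success, 1 otherwise.
check_setup() {
    pin="$FDS_ROOT/alias/slapd-$INSTANCE-pin.txt"
    pwfile="$FDS_ROOT/admin-serv/config/password.conf"
    conf="$FDS_ROOT/admin-serv/config/nss.conf"
    for f in "$pin" "$pwfile"; do
        [ -f "$f" ] || return 1
        [ "$(stat -c %a "$f")" = "400" ] || return 1
    done
    grep -q "^NSSPassPhraseDialog file:$pwfile\$" "$conf" || return 1
    return 0
}

# Constructed sample tree for a dry run (not a real FDS install): only the
# directories and the one nss.conf line this script touches.
make_sample_tree() {
    mkdir -p "$FDS_ROOT/alias" "$FDS_ROOT/admin-serv/config" || return 1
    printf '%s\n' 'NSSPassPhraseDialog builtin' \
        > "$FDS_ROOT/admin-serv/config/nss.conf"
}

# Usage on a real install, as root:
#   sh store-fds-passwords.sh LDAP-PASSWORD ADMIN-PASSWORD
# Dry run as any user, against a throwaway tree:
#   FDS_ROOT=/tmp/fds sh store-fds-passwords.sh --dry-run LDAP-PW ADMIN-PW
if [ "$1" = "--dry-run" ]; then
    shift; make_sample_tree || exit 1
fi
if [ $# -ge 2 ]; then
    install_slapd_pin "$1" && install_admin_password "$2" && configure_nss_conf \
        && check_setup && echo "password files installed; restart both servers"
fi
```

The two passwords are taken as separate arguments because the LDAP server’s key database and the administration server’s certificate store are unlocked independently; the pin file uses the token name “Internal (Software) Token” while mod_nss’s password.conf uses the short form internal, exactly as in the post.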

There are a few SysV init scripts for FDS on the FDS Wiki, but I wasn’t totally happy with any of them, so I made my own. You can download fedora-ds.init, which starts the LDAP server. Edit the instance variable to match your instance name (if it’s not ldap) and install it mode 755 in /etc/init.d, named whatever you’d like (I like slapd-ldap for my ldap instance). There’s also fedora-ds-admin.init to start/stop the administration server. I installed this as /etc/init.d/fedora-ds-admin. Don’t forget to run chkconfig --add and chkconfig ... on for both services.
