Re: [Freeipa-users] trust non-IPA certificate client

2015-01-06 Thread Rob Crittenden
Stephen Ingram wrote:
> On Fri, Jan 2, 2015 at 10:02 AM, Rob Crittenden rcrit...@redhat.com wrote:
>
>> Stephen Ingram wrote:
>>> On Mon, Dec 15, 2014 at 6:40 PM, Stephen Ingram sbing...@gmail.com wrote:
>>>
>>>> I have one client using a certificate issued by a third party
>>>> provider such that any secure (TLS) LDAP queries are refused since
>>>> the certificates were not issued by IPA. Since there are only a few
>>>> clients with foreign certificates, can the CA simply be added to the
>>>> NSS database used by the 389 directory server so IPA will establish
>>>> a secure connection with them?
>>>
>>> I should have added, or do I have to somehow add the certificate to the
>>> IPA directory?
>>
>> Need a little more context here. IPA doesn't use SSL client
>> authentication so it shouldn't be an issue. Can you provide more details
>> on what the client side is doing and what errors you are seeing?
>
> Thanks Rob. I imported the CA into both the httpd and ldap NSS databases
> and it works. Interestingly, I'm currently using version 3.0 of IPA
> which still has the split directories. The CA imported properly into the
> main IPA directory, but would not import into the PKI directory without
> errors on restart. As I only really needed it in the main directory, I'm
> OK for now, however, I'm wondering if this will be a problem when we
> move to version 3.3 and the two directories are combined.

I'd need to see the errors you were getting. I don't see why the
existence of a trusted CA cert would cause a service to not start.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] trust non-IPA certificate client

2015-01-06 Thread Stephen Ingram
On Fri, Jan 2, 2015 at 10:02 AM, Rob Crittenden rcrit...@redhat.com wrote:

> Stephen Ingram wrote:
>> On Mon, Dec 15, 2014 at 6:40 PM, Stephen Ingram sbing...@gmail.com wrote:
>>
>>> I have one client using a certificate issued by a third party
>>> provider such that any secure (TLS) LDAP queries are refused since
>>> the certificates were not issued by IPA. Since there are only a few
>>> clients with foreign certificates, can the CA simply be added to the
>>> NSS database used by the 389 directory server so IPA will establish
>>> a secure connection with them?
>>
>> I should have added, or do I have to somehow add the certificate to the
>> IPA directory?
>
> Need a little more context here. IPA doesn't use SSL client
> authentication so it shouldn't be an issue. Can you provide more details
> on what the client side is doing and what errors you are seeing?

Thanks Rob. I imported the CA into both the httpd and ldap NSS databases
and it works. Interestingly, I'm currently using version 3.0 of IPA which
still has the split directories. The CA imported properly into the main IPA
directory, but would not import into the PKI directory without errors on
restart. As I only really needed it in the main directory, I'm OK for now,
however, I'm wondering if this will be a problem when we move to version
3.3 and the two directories are combined.

Steve
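An added example, not from the thread, of the import Stephen describes: a POSIX shell script that uses certutil to add a third-party CA to an NSS database with CA trust flags and then checks the trust the database actually reports. It assumes certutil (nss-tools) and openssl are installed; the database directory and the "Third-party CA" nickname are placeholders for the httpd or dirsrv NSS database on an IPA 3.0 server.

```shell
#!/bin/sh
# Added example (not from the thread): import a third-party CA into an NSS
# database with certutil and verify the trust it was given. Assumes certutil
# (nss-tools) and openssl are installed; the database directory is a
# placeholder for the httpd or dirsrv NSS database on an IPA 3.0 server.
set -eu

# Import a PEM CA certificate with SSL trust "CT" (trusted CA for server
# certificates, trusted to issue client certificates); no S/MIME or
# object-signing trust is granted. Creates an empty-password DB if needed.
import_ca_into_nss() {
    dbdir=$1; nick=$2; pem=$3
    if [ ! -f "$dbdir/cert8.db" ] && [ ! -f "$dbdir/cert9.db" ]; then
        mkdir -p "$dbdir"
        certutil -N -d "$dbdir" --empty-password
    fi
    certutil -A -d "$dbdir" -n "$nick" -t "CT,," -a -i "$pem"
}

# Print the trust column (e.g. "CT,,") that `certutil -L` reports for a
# nickname; prints nothing if the nickname is not in the database.
nss_trust_flags() {
    certutil -L -d "$1" 2>/dev/null |
        awk -v n="$2" 'index($0, n) == 1 { print $NF; exit }'
}

# Succeed only if the nickname exists and its SSL trust contains "C", the
# flag NSS needs before it accepts server certificates chaining to it.
nss_ca_is_trusted() {
    flags=$(nss_trust_flags "$1" "$2")
    ssl=${flags%%,*}
    case "$ssl" in
        *C*) return 0 ;;
    esac
    return 1
}

# Demo: build a constructed "third-party" CA with openssl, import it into a
# scratch DB, and report its trust. Run as: sh import_ca.sh demo
demo() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Third-Party CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
    import_ca_into_nss "$work/nssdb" "Third-party CA" "$work/ca.pem"
    nss_ca_is_trusted "$work/nssdb" "Third-party CA" &&
        echo "trusted: $(nss_trust_flags "$work/nssdb" "Third-party CA")"
}

if [ "${1:-}" = demo ]; then demo; fi
```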

Re: [Freeipa-users] trust non-IPA certificate client

2015-01-02 Thread Rob Crittenden
Stephen Ingram wrote:
> On Mon, Dec 15, 2014 at 6:40 PM, Stephen Ingram sbing...@gmail.com wrote:
>
>> I have one client using a certificate issued by a third party
>> provider such that any secure (TLS) LDAP queries are refused since
>> the certificates were not issued by IPA. Since there are only a few
>> clients with foreign certificates, can the CA simply be added to the
>> NSS database used by the 389 directory server so IPA will establish
>> a secure connection with them?
>
> I should have added, or do I have to somehow add the certificate to the
> IPA directory?

Need a little more context here. IPA doesn't use SSL client
authentication so it shouldn't be an issue. Can you provide more details
on what the client side is doing and what errors you are seeing?

rob



Re: [Freeipa-users] trust non-IPA certificate client

2014-12-16 Thread Stephen Ingram
On Mon, Dec 15, 2014 at 6:40 PM, Stephen Ingram sbing...@gmail.com wrote:

> I have one client using a certificate issued by a third party provider
> such that any secure (TLS) LDAP queries are refused since the certificates
> were not issued by IPA. Since there are only a few clients with foreign
> certificates, can the CA simply be added to the NSS database used by the
> 389 directory server so IPA will establish a secure connection with them?

I should have added, or do I have to somehow add the certificate to the
IPA directory?

[Freeipa-users] trust non-IPA certificate client

2014-12-15 Thread Stephen Ingram
I have one client using a certificate issued by a third party provider such
that any secure (TLS) LDAP queries are refused since the certificates were
not issued by IPA. Since there are only a few clients with foreign
certificates, can the CA simply be added to the NSS database used by the
389 directory server so IPA will establish a secure connection with them?

Steve