Description
Hi,
I wanted to congratulate you on your 389-ds batch script.
Without it, I would never have succeeded in batch scripting a fully secured 389-ds installation.
I turned your script upside down to fit my needs, so here's my feedback:
For the cert gen, I preferred to generate a CA pki and cert with openssl in the /etc/ssl/certs/ca folder and just import the cert with certutil (instead of using certutil to do all the stuff).
Same for server cert, generating pkcs12 from pki & crt and importing with pk12util.
Finally, for the ldap-modify section of your script (enabling ssl for admin-serv and ldap), I used these queries instead of the ldap_search voodoo sed expression (which didn't work on my env):

```sh
# DN of the directory server entry under o=netscaperoot; sed strips the "dn: " prefix and joins a folded line
dsdn=$(ldapsearch -x -LLL -h localhost -p 389 -D "cn=directory manager" -w "adminpwd" -b o=netscaperoot "(&(objectClass=nsDirectoryServer)(serverhostname=ldapdn.ldaptld)(nsserverport=389))" dn | sed -e 's/dn:\s//' | sed '/0$/!N;s/\n\s//')
```

and for admin server (your ldapsearch query didn't work for me):

```sh
# DN of the admin server configuration entry, cleaned up the same way
asdn=$(ldapsearch -x -LLL -h localhost -p 389 -D "cn=directory manager" -w "adminpwd" -b o=NetscapeRoot -s subtree "(&(cn=configuration)(objectClass=nsAdminConfig)(objectClass=nsDirectoryInfo))" dn | sed -e 's/dn:\s//' | sed '/0$/!N;s/\n\s//')
```

I want to thank you one more time for this script, it really made my (4) days (instead of 3 or 4 weeks).
My best,
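
The DN extraction discussed in the post above, as an added example that is not part of the original issue or the project's script: it unfolds LDIF continuation lines of any length and decodes base64 `dn::` values, going beyond the single-continuation case the `sed` pipeline handles. The function names, the sample entries and the use of GNU `base64 -d` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: pull DNs out of `ldapsearch -LLL` output.
# LDIF folds long lines: a continuation line starts with exactly one space.
# A "dn::" line (double colon) carries a base64-encoded DN.

# ldif_dns (hypothetical helper): LDIF on stdin, one decoded DN per line on stdout.
ldif_dns() {
    awk '
        # Continuation: drop the leading space and append to the logical line.
        /^ / { cur = cur substr($0, 2); next }
        # Any other line closes the previous logical line.
        { emit(); cur = $0 }
        END { emit() }
        function emit() {
            if (cur ~ /^dn:: /)     print "B " substr(cur, 6)   # base64 DN
            else if (cur ~ /^dn: /) print "P " substr(cur, 5)   # plain DN
        }
    ' | while read -r kind value; do
        case "$kind" in
            P) printf '%s\n' "$value" ;;
            # Assumes GNU coreutils base64 is available for decoding.
            B) printf '%s' "$value" | base64 -d; echo ;;
        esac
    done
}

# sample_ldif: constructed sample output (not from a real server):
# one folded DN and one base64-encoded DN.
sample_ldif() {
cat <<'EOF'
dn: cn=slapd-ldap,cn=389 Directory Server,cn=Server Group,cn=ldap.example.test,
 ou=example.test,o=NetscapeRoot

dn:: Y249Y29uZmlndXJhdGlvbixvPU5ldHNjYXBlUm9vdA==

EOF
}

sample_ldif | ldif_dns
```

In a script the function would sit at the end of the `ldapsearch ... dn` pipeline in place of the two `sed` calls.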