Environment
Novell eDirectory 8.8 for Linux
Novell eDirectory 8.7.3 for Linux
Situation
There may be situations when the eDirectory SSL KMOs (certificates) have expired and you are unable to use the standard tools such as ConsoleOne or iManager to delete and recreate the KMOs.
One example is ZLM on SLES, where the product does not ship with ConsoleOne or iManager and, for some reason, the organization may be unable to install these products on the server.
In this case, command line tools can be used to delete the expired certificates and to recreate them.
Resolution
The tools to accomplish this are LDAP and ndsconfig.
1) Determine the exact DNs of the eDirectory KMOs with the following command from the server console:
* ldapsearch -x -H ldap[s]://<server>:<port> -W -b '<eDirectory context>' objectclass=ndspkikeymaterial dn
* An example of the results is shown below:
ldapsearch -x -H ldaps://server01:10636 -W -b 'o=services' objectclass=ndspkikeymaterial dn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=services> with scope subtree
# filter: objectclass=ndspkikeymaterial
# requesting: dn
#
# SSL CertificateDNS - server01, services
dn: cn=SSL CertificateDNS - server01,o=services
# DNS AG server01.novell.com - server01, services
dn: cn=DNS AG server01.novell.com - server01,o=services
# SSL CertificateIP - server01, services
dn: cn=SSL CertificateIP - server01,o=services
# IP AG 192.168.0.220 - server01, services
dn: cn=IP AG 192.168.0.220 - server01,o=services
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 4
2) Create the LDIF file used with the ldapmodify command to delete the expired eDirectory KMOs:
* Create an LDIF file with the following information, for example /tmp/delcert.ldif. Each record must be followed by a blank line, and the DNs must match the ldapsearch output exactly (including the spaces around the hyphen):
dn: cn=SSL CertificateIP - server01,o=services
changetype: delete

dn: cn=SSL CertificateDNS - server01,o=services
changetype: delete
3) Execute the ldapmodify command from the server console against the LDIF file to delete the expired KMOs:
* ldapmodify -x -H ldap[s]://<server>:<port> -D cn=<admin account> -W -f <LDIF filename>
ldapmodify -x -H ldaps://server01:10636 -D cn=admin,o=services -W -f /tmp/delcert.ldif
Enter LDAP Password:
deleting entry "cn=SSL CertificateIP - server01,o=services"
4) Create the new KMOs with the ndsconfig command:
* Execute ndsconfig add -m sas from the server console:
server01:/tmp # ndsconfig add -m sas
[1] Instance at /etc/nds.conf: server01.O=services.Novell01-TREE
Enter admin name with context[admin.org]:admin.services
Enter the password for admin.services:
Configuring Novell eDirectory server with the following parameters, Please wait...
Tree Name : Novell01-TREE
Server DN : server01.O=services
Admin DN : admin.services
Module Name : sas
NCP Interface(s) : @524
Configuration File : /etc/nds.conf
Instance Location : /var/opt/novell/eDirectory/data
DIB Location : /var/nds/dib
Searching for the Tree "Novell01-TREE" in the network. Please wait...
Configuring SAS service... Done
Associating certificate with the NCP server object... INFO: Server is already associated with a certificate.
5) Test that the certificates function correctly with whichever application is being used.
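The helper below is added here and is not part of the original TID: it builds the step 2 delete LDIF directly from the step 1 ldapsearch output (a constructed sample is embedded), so the KMO DNs are copied exactly and every record gets the blank line LDIF requires, counts the records for review, and checks that the certificate the LDAPS listener serves has really expired before anything is deleted. The function names, the sample DNs and the use of ldapsearch -LLL / ldapmodify -n are my assumptions, not taken from the article.

```shell
#!/bin/sh
# Added example, not part of the original TID: build the delete LDIF of step 2
# from the ldapsearch output of step 1, so the KMO DNs are copied exactly rather
# than retyped, and each record is followed by the blank line LDIF requires.

# Constructed sample: the "dn:" lines as ldapsearch prints them for this server.
SAMPLE_SEARCH='dn: cn=SSL CertificateDNS - server01,o=services
dn: cn=DNS AG server01.novell.com - server01,o=services
dn: cn=SSL CertificateIP - server01,o=services
dn: cn=IP AG 192.168.0.220 - server01,o=services'

# make_delete_ldif [pattern]: reads ldapsearch output on stdin and emits one
# "changetype: delete" record per DN containing the pattern (default: only the
# "SSL Certificate*" KMOs, leaving the AG objects alone).
make_delete_ldif() {
    pattern="${1:-cn=SSL Certificate}"
    grep '^dn: ' | grep -F -- "$pattern" | while IFS= read -r line; do
        printf '%s\nchangetype: delete\n\n' "$line"
    done
}

# count_deletes <ldif-file>: number of delete records, to review before
# running ldapmodify for real.
count_deletes() {
    grep -c '^changetype: delete$' "$1"
}

# cert_expired <host> <port>: 0 if the certificate served on the LDAPS port has
# passed notAfter, 1 if it is still valid, 2 if the host could not be reached.
# Needs openssl on the host; not exercised by the sample run below.
cert_expired() {
    pem=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null) || return 2
    printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 && return 1
    return 0
}

# Sample run. Against a live server replace SAMPLE_SEARCH with the output of
#   ldapsearch -x -LLL -H ldaps://server01:10636 -W -b 'o=services' objectclass=ndspkikeymaterial dn
# review the LDIF, then dry-run it with ldapmodify -n before the real run.
run_sample() {
    out="${TMPDIR:-/tmp}/delcert.ldif"
    printf '%s\n' "$SAMPLE_SEARCH" | make_delete_ldif > "$out"
    count_deletes "$out"
}
```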