How to use command line options to delete and recreate eDirectory certificates on Linux

  • 7006968
  • 30-Sep-2010
  • 26-Apr-2012

Environment

Novell eDirectory 8.8 for Linux
Novell eDirectory 8.7.3 for Linux

Situation

There may be situations when the eDirectory SSL KMOs (certificates) are expired, and you are not able to use standard tools such as ConsoleOne or iManager to delete and recreate the KMOs.

One example of such a situation is with ZLM on SLES, where the product does not ship with ConsoleOne or iManager, and for some reason, the organization may not be able to install these products on the server.

In this case, command line tools can be used to delete the expired certificates and to recreate them.

Resolution

The tools to accomplish this are LDAP and ndsconfig.

1) Determine the exact DNs of the eDirectory KMOs with the following command from the server console:

*    ldapsearch -x -H ldap[s]://<server>:<port> -W -b '<eDirectory context>' objectclass=ndspkikeymaterial dn

    *    An example of the results is shown below:

                ldapsearch -x -H ldaps://server01:10636 -W -b 'o=services' objectclass=ndspkikeymaterial dn
                Enter LDAP Password:
                # extended LDIF
                #
                # LDAPv3
                # base <o=services> with scope subtree
                # filter: objectclass=ndspkikeymaterial
                # requesting: dn
                #
                 
                # SSL CertificateDNS - server01, services
                dn: cn=SSL CertificateDNS - server01,o=services
                 
                # DNS AG server01.novell.com - server01, services
                dn: cn=DNS AG server01.novell.com - server01,o=services
                 
                # SSL CertificateIP - server01, services
                dn: cn=SSL CertificateIP - server01,o=services
                 
                # IP AG 192.168.0.220 - server01, services
                dn: cn=IP AG 192.168.0.220 - server01,o=services
                 
                # search result
                search: 2
                result: 0 Success
                 
                # numResponses: 5
                # numEntries: 4
               

2) Create the LDIF file used with the ldapmodify command to delete the expired eDirectory KMOs:
   
*    Create an LDIF file with the following entries (one DN per record, copied exactly as returned by ldapsearch in step 1). For example, call it delcert.ldif

                dn: cn=SSL CertificateIP - server01,o=services
                changetype: delete

                dn: cn=SSL CertificateDNS - server01,o=services
                changetype: delete

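Added helper, not part of this TID: a small Python script that turns the step 1 ldapsearch output into the step 2 delete LDIF, copying each DN verbatim so it cannot be mistyped, and handling the two LDIF forms a plain grep for "dn: " misses (folded continuation lines and base64-encoded "dn::" values). It assumes the ldapsearch output is fed to parse_dns() as a string; the sample input below is constructed, not a real capture.

```python
import base64

def _b64(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")

# Constructed sample of step-1 ldapsearch output (not a real capture). It
# contains one base64-encoded DN ('dn::') and one folded continuation line.
SAMPLE_LDAPSEARCH_OUTPUT = (
    "# extended LDIF\n"
    "#\n"
    "# SSL CertificateDNS - server01, services\n"
    "dn:: " + _b64("cn=SSL CertificateDNS - server01,o=services") + "\n"
    "\n"
    "# DNS AG server01.novell.com - server01, services\n"
    "dn: cn=DNS AG server01.novell.com - server01,o=services\n"
    "\n"
    "# SSL CertificateIP - server01, services\n"
    "dn: cn=SSL CertificateIP - serv\n"
    " er01,o=services\n"
    "\n"
    "# search result\n"
    "result: 0 Success\n"
)

# The TID's delcert.ldif deletes only these two KMOs, not the AG objects.
SERVER_CERT_PREFIXES = ("cn=SSL CertificateDNS - ", "cn=SSL CertificateIP - ")

def parse_dns(ldif_text):
    """Return every DN in ldapsearch LDIF output, unfolding continuation
    lines (leading space, RFC 2849) and decoding base64 'dn::' values."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    dns = []
    for line in unfolded:
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return dns

def select_server_certs(dns, prefixes=SERVER_CERT_PREFIXES):
    """Keep only the SSL CertificateDNS/IP KMOs returned by the search."""
    return [dn for dn in dns if dn.startswith(prefixes)]

def build_delete_ldif(dns):
    """Render one 'changetype: delete' record per DN, blank-line separated."""
    return "\n".join(f"dn: {dn}\nchangetype: delete\n" for dn in dns)

if __name__ == "__main__":
    kmos = select_server_certs(parse_dns(SAMPLE_LDAPSEARCH_OUTPUT))
    print(build_delete_ldif(kmos), end="")  # redirect to /tmp/delcert.ldif
```

Review the generated file before running ldapmodify in step 3, since a delete record for the wrong DN is irreversible.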
  
3) Execute the ldapmodify command from the server console against the LDIF file to delete the expired KMOs:

    *    ldapmodify -x -H ldap[s]://<server>:<port> -D cn=<admin account> -W -f <LDIF filename>

                ldapmodify -x -H ldaps://server01:10636 -D cn=admin,o=services -W -f /tmp/delcert.ldif
                Enter LDAP Password:
                deleting entry "cn=SSL CertificateIP - server01,o=services"

4) Create the new KMOs with the ndsconfig command and the following options:


    *    Execute the ndsconfig add -m sas command from the server console:

                server01:/tmp # ndsconfig add -m sas
                 
                [1] Instance at /etc/nds.conf:  server01.O=services.Novell01-TREE
                Enter admin name with context[admin.org]:admin.services
                Enter the password for admin.services:
                 
                Configuring Novell eDirectory server with the following parameters, Please wait...
                  Tree Name             : Novell01-TREE
                  Server DN             : server01.O=services
                  Admin DN              : admin.services
                  Module Name           : sas
                  NCP Interface(s)      : @524
                 
                  Configuration File    : /etc/nds.conf
                  Instance Location     : /var/opt/novell/eDirectory/data
                  DIB Location          : /var/nds/dib
                 
                Searching for the Tree "Novell01-TREE" in the network. Please wait...
                 
                Configuring SAS service... Done
                Associating certificate with the NCP server object... INFO: Server is already associated with a certificate.
 
5) Test that the certificates are working correctly with whichever application is being used.