Scientific Linux 6
Sponsored Link

LDAP over TLS
2011/03/19
  Use LDAP over TLS and make connection be secure.

[1] Create SSL certificate first. See here.

[2] Configure LDAP server
[root@master ~]#
cp /etc/pki/tls/certs/server.* /etc/openldap/cacerts/

[root@master ~]#
chown ldap. /etc/openldap/cacerts/*

[root@master ~]#
ldapmodify -Y EXTERNAL -H ldapi:///

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# input like follows

dn: cn=config
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/cacerts/server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/cacerts/server.key 
# push "Ctrl+D" key to quit


[root@master ~]#
vi /etc/sysconfig/ldap


# line 20: change

SLAPD_LDAPS=
yes


[root@master ~]#
/etc/rc.d/init.d/slapd restart

Stopping slapd:
[  OK  ]

Starting slapd:
[  OK  ]

[3] Configure on Client
[root@www ~]#
vi /etc/openldap/ldap.conf


# add at the last line

URI ldaps://10.0.0.100/
BASE dc=srv,dc=world
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow


[root@www ~]#
vi /etc/nslcd.conf


# line 133: change like follows

#
ssl no
tls_cacertdir /etc/openldap/cacertsa
ssl start_tls
tls_reqcert allow


[root@www ~]#
vi /etc/pam_ldap.conf


# line 291: change

#
ssl no
tls_cacertdir /etc/openldap/cacerts
ssl start_tls
tls_reqcert allow
[root@www ~]#
shutdown -r now


www.srv.world login: fedora
Password:
Last login: Sun Mar 20 03:35:28 on ttyS0
[fedora@www ~]$
# logined

 
Tweet