LDAP over TLS
2011/03/19 |
Use LDAP over TLS to secure the connection. |
|
[1] | Create SSL certificate first. See here. |
[2] | Configure LDAP server |
[root@master ~]# cp /etc/pki/tls/certs/server.* /etc/openldap/cacerts/
[root@master ~]# chown ldap. /etc/openldap/cacerts/*
[root@master ~]# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# enter the following
dn: cn=config
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/cacerts/server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/cacerts/server.key
# press Ctrl+D to finish
[root@master ~]# vi /etc/sysconfig/ldap
# line 20: change
SLAPD_LDAPS=yes
[root@master ~]# /etc/rc.d/init.d/slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ] |
[3] | Configure on Client |
[root@www ~]# vi /etc/openldap/ldap.conf
# add at the last line
URI ldaps://10.0.0.100/
BASE dc=srv,dc=world
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
[root@www ~]# vi /etc/nslcd.conf
# line 133: change as follows
# ssl no
tls_cacertdir /etc/openldap/cacerts
ssl start_tls
tls_reqcert allow
[root@www ~]# vi /etc/pam_ldap.conf
# line 291: change
# ssl no
tls_cacertdir /etc/openldap/cacerts
ssl start_tls
tls_reqcert allow
shutdown -r now
www.srv.world login: fedora
Password:
Last login: Sun Mar 20 03:35:28 on ttyS0
[fedora@www ~]$ # logged in
Note: with `TLS_REQCERT allow` / `tls_reqcert allow` the client proceeds even when the server certificate cannot be verified, so the session is encrypted but the server's identity is not checked; once the CA certificate is in TLS_CACERTDIR, `demand` is the stricter setting. |