OPS535-lab-ldap

565 bytes added, 20:47, 20 October 2020
Investigation 2: Modifying OpenLDAP Server Configuration to use TLS: - Added some warnings
<li>Install the openssl package</li>
<li>Run the following commands to create a self-signed TLS certificate for your server (make sure you replace the values with ones from your machine):
{{Admon/important|Warning|As you run these commands, read the output carefully. If you encounter any errors you must resolve them before continuing to the next command.}}
<source>
openssl genrsa -des3 -out ca.key 4096
openssl x509 -req -in vm1.pcallagh.ops.csr -CA ca.cert.pem -CAkey ca.key -out vm1.pcallagh.ops.crt -CAcreateserial -days 365 -sha256
</source></li>
<li>Copy the certificate, the private key, and the certificate authority file to an appropriate directory (make sure the directory and the files in it are owned by the ldap account, that the directory has permissions set to 0700 and that the files have 0600):
<source>cp ldap.pcallagh.ops.crt ldap.pcallagh.ops.key ca.cert.pem /etc/openldap/certs/</source></li>
<li>Write an ldif file that adds the following values to '''dn: cn=config''' and apply it with ldapmodify (again making sure to put in values from your own machine):
<source>
olcTLSCertificateFile: /etc/openldap/certs/vm1.pcallagh.ops.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/vm1.pcallagh.ops.key
olcTLSCACertificateFile: /etc/openldap/certs/ca.cert.pem
</source>{{Admon/important|Warning|Read the output of the ldapmodify command carefully. If you encounter any errors you must resolve them before continuing to the next command.}}</li>
<li>You can use slapcat to ensure they are set correctly:
<source>slapcat -b "cn=config" | egrep "Certificate(Key)?File"</source></li>
<li>Set TLSCACERTDIR to the directory your certificate authority file is in (e.g. /etc/openldap/certs).</li></ul></li>
<li>Update your firewall to permanently allow ldaps instead of ldap.</li>
<li>Double check that you can still use ldapsearch before continuing to the next investigation.</li>
</ol>
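The whole server-side procedure above, as an added example that is not part of the lab page: a POSIX shell script that builds the CA and server certificate chain, checks that the signed certificate really validates against the CA, checks the ownership and modes the lab requires on the certs directory, and renders the cn=config LDIF that the ldapmodify step applies. The hostname vm1.example.test, the CA subject, the key sizes and the function names are assumptions; substitute your own machine's values. It goes slightly beyond the lab's commands by putting the hostname into a subjectAltName extension, which modern TLS clients check instead of the CN.

```shell
#!/bin/sh
# Added example, not the lab's own code. Directory, hostname and CA
# subject are assumptions passed in or marked "(assumed)".

# make_tls_chain DIR HOST: CA key and self-signed CA cert, then a
# server key, CSR and CA-signed server cert, all written into DIR.
make_tls_chain() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # CA key. The lab protects this with -des3, which is fine for a CA
    # key that is only used interactively at signing time; it is left
    # unencrypted here so the script runs without a prompt.
    openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 365 \
        -subj "/CN=Lab CA (assumed)" -out "$dir/ca.cert.pem"
    # Server key. This one must NOT be passphrase-protected: slapd reads
    # it at startup and has no way to prompt for a passphrase.
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.csr"
    # Sign the CSR with the CA, adding a SAN so clients that ignore the
    # CN (most do now) still accept the name.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.cert.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/san.ext" -out "$dir/$host.crt" 2>/dev/null
    # The lab's permission requirement: 0700 directory, 0600 files.
    chmod 0600 "$dir"/*
    chmod 0700 "$dir"
}

# verify_chain DIR HOST: succeed only if the server cert validates
# against the CA and carries HOST as a DNS name.
verify_chain() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.cert.pem" "$dir/$host.crt" \
        >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host"
}

# check_cert_perms DIR UID: directory 0700 and every file 0600, all
# owned by numeric UID (use "$(id -u ldap)" on a real server). GNU stat.
check_cert_perms() {
    dir=$1; uid=$2
    [ "$(stat -c '%a %u' "$dir")" = "700 $uid" ] || return 1
    for f in "$dir"/*; do
        [ "$(stat -c '%a %u' "$f")" = "600 $uid" ] || return 1
    done
}

# render_tls_ldif DIR HOST: the cn=config change. "replace:" works
# whether or not the attributes already exist ("add:" fails on a rerun),
# and changing all three in one operation avoids the slapd check that
# rejects a new certificate whose key does not match the one currently
# configured. Apply with, for example:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
# then confirm with the lab's slapcat check.
render_tls_ldif() {
    dir=$1; host=$2
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $dir/ca.cert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $dir/$host.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $dir/$host.key
EOF
}

# Stand-alone run with assumed values: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_tls_chain "$d" vm1.example.test
    verify_chain "$d" vm1.example.test && echo "chain OK"
    check_cert_perms "$d" "$(id -u)" && echo "permissions OK"
    render_tls_ldif /etc/openldap/certs vm1.example.test
fi
```

On the real server the files end up in /etc/openldap/certs owned by ldap, so the LDIF is rendered with that path while the chain is built in a scratch directory and moved into place afterwards.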
==Investigation 3: Set Up and Configure OpenLDAP Client Through SSSD - UNDER CONSTRUCTION==
Perform the following steps on vm2:
<ol>
<li>If you would like to actually log into the client machines as an ldap user, you need to reconfigure the way the system authentication processes your login. To do this, you will use the authselect tool on the client machine.<br />
Note: the ldap user does not have a home directory on the client unless you provide it via NFS.</li>
<li>Copy the server's signed certificate onto the client:
<source>openssl s_client -connect <hostname or ip address of your ldap.pcallagh.ops server>:636 -showcerts < /dev/null | openssl x509 -text > /etc/openldap/certs/cacert.crt</source></li>
<li>Set up the SSSD service to use ldap for authentication.
<ul><li>Start by adding the following settings to /etc/sssd/sssd.conf:
<source>
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = <The Base DN from your ldap server>
id_provider = ldap
auth_provider = ldap
</source>
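The client-side certificate step and the sssd.conf settings above, as an added example that is not from the lab page: a POSIX shell script with the lab's s_client pipeline as a function, a SHA-256 fingerprint check so a certificate fetched over the network can be compared against a fingerprint obtained another way (for example by running the same fingerprint command on the server itself), and a rendered sssd.conf that completes the settings listed above with the ldap_uri and TLS options SSSD needs to reach the server. The hostname ldap.example.test, the base DN dc=example,dc=test, the domain name LDAP and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not the lab's own code. Host, base DN and paths are
# assumptions passed in as arguments.

# fetch_server_cert HOST PORT OUT: the lab's pipeline. "openssl x509"
# keeps only the first certificate s_client prints, i.e. the server's
# leaf certificate, not the lab CA. Pinning the leaf works (it was
# issued by your own CA) but breaks when the server cert is renewed;
# copying ca.cert.pem from the server is the longer-lived trust anchor.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# cert_fingerprint FILE: SHA-256 fingerprint as colon-separated hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# verify_fingerprint FILE EXPECTED: a certificate pulled over the
# network is only trustworthy once it matches a value obtained out of
# band; a mismatch means you are not talking to the server you built.
verify_fingerprint() {
    [ "$(cert_fingerprint "$1")" = "$2" ]
}

# render_sssd_conf HOST BASEDN CAFILE: the settings from the lab plus
# the URI and TLS options needed to actually reach the server.
# ldap_id_use_start_tls governs STARTTLS on ldap://; an ldaps:// URI is
# encrypted from the first byte, which matches the firewall step that
# opens only ldaps. ldap_tls_reqcert = demand makes a certificate that
# does not verify against CAFILE a hard failure (the default, hard,
# behaves the same; stating it keeps the intent visible).
render_sssd_conf() {
    host=$1; basedn=$2; cafile=$3
    cat <<EOF
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://$host
ldap_search_base = $basedn
ldap_id_use_start_tls = True
cache_credentials = True
ldap_tls_cacert = $cafile
ldap_tls_reqcert = demand
EOF
}
# sssd refuses to start unless /etc/sssd/sssd.conf is owned by root
# with mode 0600, so after writing it: chmod 0600 /etc/sssd/sssd.conf
```

Typical use on the client: `fetch_server_cert ldap.example.test 636 /etc/openldap/certs/cacert.crt`, then `verify_fingerprint /etc/openldap/certs/cacert.crt "<fingerprint read on the server>"` before `render_sssd_conf ldap.example.test "dc=example,dc=test" /etc/openldap/certs/cacert.crt > /etc/sssd/sssd.conf`.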