932
edits
Changes
m
→Investigation 2: Modifying OpenLDAP Server Configuration to use TLS: - Added some warnings
<li>Install the openssl package</li>
<li>Run the following commands to create a self-signed TLS certificate for your server (make sure you replace the values with ones from your machine):
{{Admon/important|Warning|As you run these commands, read the output carefully. If you encounter any errors you must resolve them before continuing to the next command.}}
<source>
openssl genrsa -des3 -out ca.key 4096
openssl x509 -req -in vm1.pcallagh.ops.csr -CA ca.cert.pem -CAkey ca.key -out vm1.pcallagh.ops.crt -CAcreateserial -days 365 -sha256
</source></li>
<li>Copy the certificate, the private key, and the certificte authority file to an appropriate directory (make sure the directory and the files in it is are owned by the ldap accountand that the directory has permissions set to 0700 and the files have 0600):
<source>cp ldap.pcallagh.ops.crt ldap.pcallagh.ops.key ca.cert.pem /etc/openldap/certs/</source></li>
<li>Write an ldif file to and add the following values to '''dn: cn=config ''' (again making sure to put in values from your own machine):
<source>
olcTLSCertificateFile: /etc/openldap/certs/vm1.pcallagh.ops.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/vm1.pcallagh.ops.key
olcTLSCACertificateFile: /etc/openldap/certs/ca.cert.pem
</source>{{Admon/important|Warning|Read the output of the ldapmodify command carefully. If you encounter any errors you must resolve them before continuing to the next command.}}</li>
<li>You can use slapcat to ensure they are set correctly:
<source>slapcat -b "cn=config" | egrep "Certificate(Key)?File"</source></li>
<li>Set TLSCACERTDIR to the directory your certificate authority file is in (e.g. /etc/openldap/certs).</li></ul></li>
<li>Update your firewall to permanently allow ldaps instead of ldap.</li>
<li>Double check that you can still use ldapsearch before continuing to the next investigation.</li>
</ol>
==Investigation 3: Setup and Configure OpenLdap Client Through SSSD - UNDER CONSTRUCTION==
Perform the following steps on vm2:
<ol>
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = '<The Base DN from your ldap server'>
id_provider = ldap
auth_provider = ldap
