Changes

Jump to: navigation, search

OPS535-lab-ldap

477 bytes added, 15:50, 21 July 2023
m
Protected "OPS535-lab-ldap": OER transfer ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite))
<li>Install the openssl package</li>
<li>Run the following commands to create a self-signed TLS certificate for your server (make sure you replace the values with ones from your machine):
{{Admon/important|Warning|As you run these commands, read the output carefully. If you encounter any errors you must resolve them before continuing to the next command.}}
<source>
openssl genrsa -des3 -out ca.key 4096
openssl x509 -req -in vm1.pcallagh.ops.csr -CA ca.cert.pem -CAkey ca.key -out vm1.pcallagh.ops.crt -CAcreateserial -days 365 -sha256
</source></li>
<li>Copy the certificate, the private key, and the certificte authority file to an appropriate directory (make sure the directory and the files in it are owned by the ldap account with and that the directory has permissions set to 0700 and the files have 0600):
<source>cp ldap.pcallagh.ops.crt ldap.pcallagh.ops.key ca.cert.pem /etc/openldap/certs/</source></li>
<li>Write an ldif file to and add the following values to '''dn: cn=config ''' (again making sure to put in values from your own machine):
<source>
olcTLSCertificateFile: /etc/openldap/certs/vm1.pcallagh.ops.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/vm1.pcallagh.ops.key
olcTLSCACertificateFile: /etc/openldap/certs/ca.cert.pem
</source>{{Admon/important|Warning|Read the output of the ldapmodify command carefully. If you encounter any errors you must resolve them before continuing to the next command.}}</li>
<li>You can use slapcat to ensure they are set correctly:
<source>slapcat -b "cn=config" | egrep "Certificate(Key)?File"</source></li>
<li>Set TLSCACERTDIR to the directory your certificate authority file is in (e.g. /etc/openldap/certs).</li></ul></li>
<li>Update your firewall to permanently allow ldaps instead of ldap.</li>
<li>Double check that you can still use ldapsearch before continuing to the next investigation.</li>
</ol>
==Investigation 3: Setup and Configure OpenLdap Client Through SSSD - UNDER CONSTRUCTION==
Perform the following steps on vm2:
<ol>
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = '<The Base DN from your ldap server'>
id_provider = ldap
auth_provider = ldap
<source>uid=1002(ldapuser1) gid=1002(ldapuser1) groups=1002(ldapuser1)</source>
</li>
<li>If you want to be able to use commands like ldapsearch from this machine, you will also need to configure ldap in /etc/openldap./ldap.conf. This configuration file should already exist, you just need to modify the parameters to identify the LDAP server and location of its certificate.
<ul>
<li>BASE <base DC from your ldap server></li>

Navigation menu