[CentOS] securing ldap with tls and security
Paul Heinlein
heinlein at madboa.com
Tue May 24 21:12:51 UTC 2011
On Tue, 24 May 2011, David Mehler wrote:
> Having got this far if anyone with a working ldap authentication
> system could give my config a sanity check let me know. My goal now
> is to get tls encryption going so that usernames and passwords
> aren't sent in the clear. I'm using self-signed certificates for
> now.
This /etc/ldap.conf works well for me on CentOS 5:
----- %< -----
# failover doesn't work using the newer 'uri' directive.
# can go to ldap1; use ldap2 for backup
host ldap1.domain.com ldap2.domain.com
port 389
base dc=domain,dc=com
# encrypt queries over the wire; our servers require it
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
# set time limits fairly low to get benefit of failover
bind_timelimit 30
idle_timelimit 120
timelimit 30
# a stock centos/rhel directive; its utility is murky to me
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
----- %< -----
Prior to switching to LDAP, I download the CA certificate used to sign
the ldap1 and ldap2 server certs and hash it for OpenSSL. I typically
do it via the %post section in kickstart:
curl http://www.domain.com/ca/ca.domain.com.crt \
-s -o /etc/openldap/cacerts/ca.domain.com.pem
/usr/sbin/cacertdir_rehash /etc/openldap/cacerts
--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
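As an added example (not part of Paul's post, and not the cacertdir_rehash script itself), the following shell functions do what the post's "hash it for OpenSSL" step does and then sanity-check an ldap.conf of the kind shown above. All paths (ca.pem, the cacerts directory, the ldap.conf location) are hypothetical, and the functions assume the CA PEM file is already on disk, having been fetched as in the post. One caveat on that fetch: pulling the CA over plain http means the CA file itself is not authenticated in transit, so compare its fingerprint (openssl x509 -noout -fingerprint) against a value obtained out of band before trusting it on every kickstarted host.

```shell
#!/bin/sh
# Added example, not from the original post.  Emulates what cacertdir_rehash
# does on CentOS 5 (create <subject-hash>.N symlinks that OpenSSL's CApath
# lookup needs) and checks that an ldap.conf actually enforces TLS peer
# verification against that directory.  Paths are hypothetical.

set -e

# install_ca <ca.pem> <cacertdir>
# Copies the PEM file into the directory and creates the hashed symlink.
# A bare PEM file dropped into tls_cacertdir is NOT found by OpenSSL
# unless a <hash>.N name points at it.
install_ca() {
    ca="$1"; dir="$2"
    base="$(basename "$ca")"
    mkdir -p "$dir"
    cp "$ca" "$dir/$base"
    # One link per hash scheme: -hash is the current algorithm (OpenSSL >= 1.0),
    # -subject_hash_old is what OpenSSL 0.9.8 (CentOS 5) computes.  The option
    # that a given openssl build lacks is simply skipped.
    for opt in -hash -subject_hash_old; do
        h="$(openssl x509 -in "$dir/$base" -noout "$opt" 2>/dev/null)" || continue
        # pick the first free suffix so two CAs with the same hash both get a link
        i=0
        while [ -e "$dir/$h.$i" ] && [ "$(readlink "$dir/$h.$i")" != "$base" ]; do
            i=$((i + 1))
        done
        ln -sf "$base" "$dir/$h.$i"
    done
}

# check_ldap_conf <ldap.conf>
# Returns 0 only if the file enforces STARTTLS, turns peer verification on,
# and names a tls_cacertdir that actually contains hashed CA links.
# tls_checkpeer no would make the TLS session encrypt to ANY server cert,
# which defeats the point of encrypting the bind password.
check_ldap_conf() {
    conf="$1"
    grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$conf" \
        || { echo "ssl start_tls missing: binds would go in the clear" >&2; return 1; }
    grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+yes' "$conf" \
        || { echo "tls_checkpeer is not yes: server identity is not verified" >&2; return 1; }
    dir="$(awk '$1 == "tls_cacertdir" { print $2 }' "$conf" | tail -n 1)"
    [ -n "$dir" ] && [ -d "$dir" ] \
        || { echo "tls_cacertdir missing or not a directory" >&2; return 1; }
    ls "$dir"/*.0 >/dev/null 2>&1 \
        || { echo "no hashed CA links in $dir (run cacertdir_rehash)" >&2; return 1; }
    return 0
}

# Usage (as root, after fetching the CA as in the post):
#   install_ca /tmp/ca.domain.com.pem /etc/openldap/cacerts
#   check_ldap_conf /etc/ldap.conf && ldapsearch -x -ZZ -b dc=domain,dc=com -s base
```

The ldapsearch -ZZ at the end is the real end-to-end check: -ZZ makes the client refuse to continue if STARTTLS fails, so with tls_checkpeer yes a search that returns results proves the server certificate chained to the installed CA.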