On Tue, 24 May 2011, David Mehler wrote:
> Having got this far if anyone with a working ldap authentication system could give my config a sanity check let me know. My goal now is to get tls encryption going so that usernames and passwords aren't sent in the clear. I'm using self-signed certificates for now.
This /etc/ldap.conf works well for me on CentOS 5:
----- %< -----
# failover doesn't work using the newer 'uri' directive.
# can go to ldap1; use ldap2 for backup
host ldap1.domain.com ldap2.domain.com
port 389
base dc=domain,dc=com

# encrypt queries over the wire; our servers require it
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts

# set time limits fairly low to get benefit of failover
bind_timelimit 30
idle_timelimit 120
timelimit 30

# a stock centos/rhel directive; its utility is murky to me
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
----- %< -----
Prior to switching to LDAP, I download the CA certificate used to sign the ldap1 and ldap2 server certs and hash it for OpenSSL. I typically do it via the %post section in kickstart:
curl http://www.domain.com/ca/ca.domain.com.crt \
    -s -o /etc/openldap/cacerts/ca.domain.com.pem
/usr/sbin/cacertdir_rehash /etc/openldap/cacerts
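As an added illustration (not part of the thread, and not a tool either poster uses), the small audit below parses an nss_ldap/pam_ldap style ldap.conf and flags the transport settings the reply depends on: `ssl start_tls` to keep binds off the wire in the clear, `tls_checkpeer yes` so the server certificate is actually verified, and a `tls_cacertdir`/`tls_cacertfile` trust anchor for that verification. Function names and both sample configs are constructed for the example.

```python
from typing import Dict, List

def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'directive value' lines; '#' starts a comment, later entries win."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit_ldap_conf(text: str) -> List[str]:
    """Return findings about the TLS settings; an empty list means they look sane."""
    conf = parse_ldap_conf(text)
    findings: List[str] = []
    ssl = conf.get("ssl", "no").lower()
    if ssl not in ("start_tls", "on", "yes"):
        findings.append("ssl: not enabled, binds and queries travel in cleartext")
        return findings  # the peer-verification checks below only apply with TLS on
    if conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("tls_checkpeer: not 'yes', the server certificate is not verified")
    elif not (conf.get("tls_cacertdir") or conf.get("tls_cacertfile")):
        findings.append("tls_cacertdir/tls_cacertfile: no trust anchor for peer verification")
    return findings

# Constructed sample resembling the config posted in the reply above.
GOOD_CONF = """\
host ldap1.domain.com ldap2.domain.com
port 389
base dc=domain,dc=com
ssl start_tls          # encrypt queries over the wire
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
"""

# Constructed weak variant: TLS is on, but the peer certificate is never checked,
# so a forged server certificate would still be accepted at bind time.
WEAK_CONF = """\
host ldap1.domain.com
base dc=domain,dc=com
ssl start_tls
tls_checkpeer no
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, audit_ldap_conf(conf) or ["ok"])
```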