[CentOS] LDAP useradd command?

Eric B. ebenze at hotmail.com
Tue Aug 18 20:13:12 UTC 2009

"Filipe Brandenburger" <filbranden at gmail.com> 
wrote in message 
news:e814db780908181007g454b680ar30aaaef7ab19a3b at mail.gmail.com...
> Hi,
> On Tue, Aug 18, 2009 at 12:50, Eric 
> B.<ebenze at hotmail.com> wrote:
>> Any suggetsions / ideas?
> I believe you have to copy the certificate to /etc/openldap/cacerts/
> in the LDAP client. The certificate file name there is special, it
> should be hashed from the certificate data... I believe the easiest
> way to install it there is using the "authconfig" command and
> specifying the certificate URL.
> You should also have TLS_CACERTDIR /etc/openldap/cacerts on
> /etc/openldap/ldap.conf (not only /etc/ldap.conf, they are different!)
> I also did not have much luck with self-signed certificates with LDAP,
> I had to create a self-signed certificate for a "dummy" CA, and then
> use that certificate to sign a certificate for the LDAP server with
> the server's name as a cn.
> I believe you should be able to test it using "ldapsearch" with the
> "-Z" and "-ZZ" options in order to require TLS and see if that works.
> I suggest you first get that part working fine before going on with
> your libuser configuration...
> LDAP with TLS is kind of a pain to set up... but once it is running it
> really works OK.

Thanks.  You're a genius.  I struggled a lot, but think I finally managed to 
get something working.  I tried to follow the openldap faq at 
http://www.openldap.org/faq/data/cache/185.html for creating CA 
certificates, but my shell script is called CA not CA.sh.

I've done the following:
# cd /etc/pki/tls/misc/
# ./CA -newca
(filled in all prompted information, and gave it a pwd)
# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
(filled in all prompted information)
# CA.sh -sign
# cp /etc/pki/CA/cacert.pem /etc/openssl/cacerts/
# cp newcert.pem /etc/openssl/ssl/servercrt.pem
# cp newreq.pem /etc/openssl/ssl/serverkey.pem

Then updated my slapd.conf to show:
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile /etc/openldap/ssl/serverkey.pem

Then updated /etc/ldap.conf to show:
tls_cacert /etc/openldap/cacerts/cacert.pem

Finally /etc/openssl/ldap.conf:
TLS_CACERT /etc/openldap/cacerts/cacert.pem

Restart the slapd daemon
# service ldap restart

And I can finally get ldapsearch to work.  Although I tried tls_cacertdir 
for both /etc/ldap.conf and /etc/openldap/ldap.conf and it doesn't work for 
some odd reason.  Not sure why.

# ldapsearch -Z -x "(uid=eric)"
<returns the ldif entry for uid=eric>

So next test was to create a new user.  luseradd foo works perfect.  I find 
it in my ldap tree as expected.  All I had to do is modify the 
create_modules and modules to specify ldap only (to avoid it modifying the 
passwd and shadow files), and everything seems to be working.

Thanks for your help!


More information about the CentOS mailing list