[CentOS] CentOS7: Setting up ldap over TLS in kickstart file

Thu Jun 14 08:01:14 UTC 2018
Patrick Begou <Patrick.Begou at legi.grenoble-inp.fr>


I'm facing a problem with setting up LDAP+TLS client authentication in a 
kickstart script on CentOS7 for several days.

Setting up manualy the config with system-config-authentication works but I need 
to automate this in kickstart for deploying cluster nodes.
This show that the server side is running fine.

At this time the message is

#systemctl status sssd

sssd[be[default]][2732]: Could not start TLS encryption. error:14090086:SSL 
routines:ssl3_get_server_certificate:certificate verify failed (self signed 

In my kickstart file I use:
auth  --useshadow --enableldaptls --enablecache  --passalgo=sha512 --enableldap 
--enableldapauth --ldapserver="ldaps://my.ldap.server.fr" 

Then in a post install script I download the server and ca certificates and 
stops nslcd that I do not use:

echo "TLS_REQCERT allow">>/etc/openldap/ldap.conf
cd /etc/openldap/cacerts/ && wget 
http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/ca-bundle.crt && ln -s ca-bundle.crt 
$(openssl x509 -hash -in ca-bundle.crt -noout).0
cd /etc/openldap/certs/ && wget 
cd /
systemctl disable nslcd

I'm unable to see what system-config-authentication is doing more in it's setup.

Thanks for your help



|  Equipe M.O.S.T.         |                                      |
|  Patrick BEGOU           | mailto:Patrick.Begou at grenoble-inp.fr |
|  LEGI                    |                                      |
|  BP 53 X                 | Tel 04 76 82 51 35                   |
|  38041 GRENOBLE CEDEX    | Fax 04 76 82 52 71                   |