[CentOS] CentOS7: Setting up ldap over TLS in kickstart file

Thu Jun 14 23:21:09 UTC 2018
Gordon Messmer <gordon.messmer at gmail.com>

On 06/14/2018 01:01 AM, Patrick Begou wrote:
> In my kickstart file I use:
> auth  --useshadow --enableldaptls --enablecache  --passalgo=sha512 
> --enableldap --enableldapauth --ldapserver="ldaps://my.ldap.server.fr" 
> --ldapbasedn=dc=my,dc=base,dc=dn
>
> Then in a post install script I download the server and ca 
> certificates and stop nslcd, which I do not use:

You probably can avoid setting up nslcd in the first place:

auth  --useshadow --passalgo=sha512 --enablesssd --enablesssdauth 
--enableldap --ldapserver="ldaps://my.ldap.server.fr" 
--ldapbasedn=dc=my,dc=base,dc=dn


> echo "TLS_REQCERT allow">>/etc/openldap/ldap.conf
> cd /etc/openldap/cacerts/ && wget 
> http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/ca-bundle.crt && ln -s 
> ca-bundle.crt $(openssl x509 -hash -in ca-bundle.crt -noout).0
> cd /etc/openldap/certs/ && wget 
> http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/server.crt

See the man page for update-ca-trust.

I *think* you need to do something more like:

cd /etc/pki/ca-trust/source/anchors/
wget http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/ca-bundle.crt
update-ca-trust extract

...you shouldn't have to do anything with the server's cert specifically.
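Gordon's suggested %post sequence (CA bundle into the system anchors, then update-ca-trust extract), written out as an added shell example that is not from the original thread; the placeholder URL and LDAP host are the thread's, while the function names, the KS_POST guard and the constructed test input are mine.

```shell
#!/bin/sh
# CentOS 7 kickstart %post helper: install the LDAP CA bundle into the system
# trust store instead of /etc/openldap/cacerts, refresh the consolidated
# bundles, then verify the ldaps:// chain against that store. TLS_REQCERT is
# deliberately left at its default (demand); "allow" would accept any cert.
set -eu

# Placeholders taken from the thread; adjust for the real environment.
CA_URL="${CA_URL:-http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/ca-bundle.crt}"
LDAP_HOST="${LDAP_HOST:-my.ldap.server.fr}"
ANCHORS="${ANCHORS:-/etc/pki/ca-trust/source/anchors}"

# Print the number of PEM certificate blocks in a file; fail if there are none
# (catches an HTML error page or an empty download before it reaches the store).
pem_cert_count() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    [ "$n" -gt 0 ] || return 1
    printf '%s\n' "$n"
}

# Copy a validated bundle into the anchors directory with safe permissions.
# Does not refresh the trust store, so it can be exercised without root.
install_ca_anchor() {
    src="$1"; dest_dir="$2"
    count=$(pem_cert_count "$src") || { echo "no PEM certificate in $src" >&2; return 1; }
    mkdir -p "$dest_dir"
    cp "$src" "$dest_dir/$(basename "$src")"
    chmod 0644 "$dest_dir/$(basename "$src")"
    echo "installed $count certificate(s) from $src into $dest_dir"
}

# Rebuild /etc/pki/ca-trust/extracted (and the OpenSSL/NSS views of it); root only.
refresh_trust() {
    update-ca-trust extract
}

# Confirm the server chain verifies against the default system store; a
# verification failure is returned as a non-zero exit instead of being ignored.
check_ldaps() {
    openssl s_client -connect "$1:${2:-636}" -verify_return_error </dev/null >/dev/null 2>&1
}

main() {
    tmp=$(mktemp -d)
    wget -q -O "$tmp/ca-bundle.crt" "$CA_URL"
    install_ca_anchor "$tmp/ca-bundle.crt" "$ANCHORS"
    rm -rf "$tmp"
    refresh_trust
    check_ldaps "$LDAP_HOST" && echo "ldaps chain for $LDAP_HOST verified"
}

# Only run the network/root steps when explicitly asked (KS_POST=1 in %post).
if [ "${KS_POST:-0}" = 1 ]; then main; fi
```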