Re: securing ldap with tls and security

On Tue, 24 May 2011, David Mehler wrote:

> Having got this far if anyone with a working ldap authentication 
> system could give my config a sanity check let me know. My goal now 
> is to get tls encryption going so that usernames and passwords 
> aren't sent in the clear. I'm using self-signed certificates for 
> now.

This /etc/ldap.conf works well for me on CentOS 5:

----- %< -----
# failover doesn't work using the newer 'uri' directive.
# can go to ldap1; use ldap2 for backup
host ldap1.domain.com ldap2.domain.com
port 389
base dc=domain,dc=com

# encrypt queries over the wire; our servers require it
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts

# set time limits fairly low to get benefit of failover
bind_timelimit 30
idle_timelimit 120
timelimit 30

# a stock centos/rhel directive; its utility is murky to me
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
----- %< -----

Prior to switching to LDAP, I download the CA certificate used to sign 
the ldap1 and ldap2 server certs and hash it for OpenSSL. I typically 
do it via the %post section in kickstart:

   curl http://www.domain.com/ca/ca.domain.com.crt \
      -s -o /etc/openldap/cacerts/ca.domain.com.pem

   /usr/sbin/cacertdir_rehash /etc/openldap/cacerts

-- 
Paul Heinlein <> heinlein@xxxxxxxxxx <> http://www.madboa.com/
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
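As an added example that is not part of Paul's message or of any CentOS tooling, the Python below parses a pam_ldap/nss_ldap-style /etc/ldap.conf (the `key value` format used above) and flags the settings that would let credentials cross the wire in the clear or leave the server certificate unverified. It also checks that a tls_cacertdir listing actually contains the hashed link names that cacertdir_rehash creates, since OpenSSL looks up trust anchors by hash and ignores a bare .pem dropped in the directory. The two sample configs and the directory listings are constructed for the example; ldap1.domain.com and friends are placeholders taken from the post.

```python
"""Audit a pam_ldap/nss_ldap-style ldap.conf for the TLS settings discussed
in the thread. Added example, not from the original post; the sample
configs and directory listings below are constructed, not real site data."""
import re
from typing import Dict, List

# cacertdir_rehash / c_rehash create links named <subject-hash>.<n>,
# e.g. 0f3b2a1c.0; OpenSSL only consults names of that shape.
HASHED_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'key value' lines. '#' starts a comment, keys are
    case-insensitive, and a later occurrence of a key overrides an earlier one."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings[key] = value
    return settings


def find_tls_weaknesses(text: str) -> List[str]:
    """Return a list of findings; an empty list means the TLS-related
    settings match what the post recommends."""
    s = parse_ldap_conf(text)
    findings: List[str] = []

    # Either StartTLS on 389 or an ldaps:// URI protects the bind password.
    uses_ldaps = s.get("uri", "").lower().startswith("ldaps://")
    if s.get("ssl", "").lower() not in ("start_tls", "on") and not uses_ldaps:
        findings.append("no TLS: simple binds send passwords in the clear "
                        "(set 'ssl start_tls')")

    # Without peer checking any certificate is accepted, so encryption alone
    # does not stop an interposed server from harvesting credentials.
    if s.get("tls_checkpeer", "").lower() != "yes":
        findings.append("tls_checkpeer is not explicitly 'yes': server "
                        "certificate is not verified")

    # Peer checking needs a trust anchor to verify against.
    if "tls_cacertdir" not in s and "tls_cacertfile" not in s:
        findings.append("no tls_cacertdir/tls_cacertfile: nothing to verify "
                        "the server certificate against")
    return findings


def cacertdir_is_hashed(entries: List[str]) -> bool:
    """True if the directory listing contains at least one hashed link,
    i.e. cacertdir_rehash has been run after the CA cert was dropped in."""
    return any(HASHED_LINK.match(name) for name in entries)


# Constructed sample: the shape of the config in the post.
GOOD_CONF = """\
host ldap1.domain.com ldap2.domain.com
port 389
base dc=domain,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
"""

# Constructed sample: the situation the original poster wanted to escape.
WEAK_CONF = """\
host ldap1.domain.com
port 389
base dc=domain,dc=com
tls_checkpeer no   # accepts any certificate
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, find_tls_weaknesses(conf) or "ok")
    # Listing with only the downloaded PEM, before cacertdir_rehash ran.
    print("hashed:", cacertdir_is_hashed(["ca.domain.com.pem"]))
    # Listing after rehash (hash value constructed for the example).
    print("hashed:", cacertdir_is_hashed(["ca.domain.com.pem", "0f3b2a1c.0"]))
```

Run it against a real /etc/ldap.conf by reading the file into `find_tls_weaknesses`, and against the real cacerts directory by passing `os.listdir(path)` to `cacertdir_is_hashed`; the latter is the check that catches the common mistake of copying the CA file in but forgetting the rehash step from the post.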

