Re: looking for sssd basics and simple config with existing ldap centos 6.3




On Thu, 21 Feb 2013, Götz Reinicke - IT Koordinator wrote:

> Does anybody have a working example file to share with me?

Sure.

----- %< -----
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = blah.com

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/blah.com]
auth_provider = ldap
cache_credentials = True
chpass_provider = ldap
debug_level = 3
entry_cache_timeout = 600
id_provider = ldap
ldap_id_use_start_tls = True
ldap_purge_cache_timeout = 0
ldap_search_base = dc=blah,dc=com
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand
ldap_uri = _srv_
----- %< -----

A few notes:

Our DNS servers are configured with SRV records for our LDAP server, hence the _srv_ token in the ldap_uri directive, e.g.,

  [bash]$ dig +nocmd _ldap._tcp.blah.com -t srv +noall +answer
  _ldap._tcp.blah.com.  3600  IN  SRV  1 0 389 ldap-1.blah.com.
  _ldap._tcp.blah.com.  3600  IN  SRV  0 0 389 ldap-2.blah.com.

Second, we use a local certificate authority to issue and sign internal-use certificates. The CA cert is installed in /etc/openldap/cacerts and cacertdir_rehash is run against it. In fact, we do that at kickstart time, e.g.,

  %post
  # import CA certificate and rehash it for LDAP/TLS
  curl http://www.blah.com/ca/ca.blah.com.pem \
     -s -o /etc/openldap/cacerts/ca.blah.com.pem
  /usr/sbin/cacertdir_rehash /etc/openldap/cacerts

--
Paul Heinlein
heinlein@xxxxxxxxxx
45°38' N, 122°6' W
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
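As an added example (not from the original post or from the sssd project), here is a small POSIX shell check that reads an sssd.conf laid out like the one above and flags an LDAP domain whose lookups are not forced over StartTLS or an ldaps:// URI, whose ldap_tls_reqcert would accept an unverifiable server certificate, or which names no CA trust anchor at all. The sample configuration it writes to a temp file is constructed for the demonstration; the ini_get and check_ldap_tls names are my own.

```shell
# Constructed sample sssd.conf, laid out like the one in the post, to exercise the checks.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
services = nss, pam
domains = blah.com

[domain/blah.com]
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_uri = _srv_
EOF

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION]; empty if unset.
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); insec = (s == want); next }
        insec && index($0, "=") {
            k = $0; sub(/[[:space:]]*=.*/, "", k); sub(/^[[:space:]]*/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v); print v; exit }
        }' "$1"
}

# check_ldap_tls FILE DOMAIN: verify the domain encrypts the channel (StartTLS on ldap://
# or an ldaps:// URI) and verifies the server certificate (reqcert demand/hard plus a CA
# location). Prints one line per weakness found and returns the number of findings.
check_ldap_tls() {
    sec="domain/$2"; findings=0
    uri=$(ini_get "$1" "$sec" ldap_uri)
    starttls=$(ini_get "$1" "$sec" ldap_id_use_start_tls)
    reqcert=$(ini_get "$1" "$sec" ldap_tls_reqcert)
    cadir=$(ini_get "$1" "$sec" ldap_tls_cacertdir)
    cafile=$(ini_get "$1" "$sec" ldap_tls_cacert)
    case "$uri" in
        ldaps://*) ;;   # the URI scheme itself mandates TLS
        *) case "$starttls" in
               [Tt]rue) ;;
               *) echo "$sec: ldap_id_use_start_tls is not True; identity lookups go in cleartext"; findings=$((findings+1)) ;;
           esac ;;
    esac
    case "$reqcert" in
        ""|demand|hard) ;;   # empty keeps sssd's default, which is hard
        *) echo "$sec: ldap_tls_reqcert=$reqcert does not reject unverifiable server certs"; findings=$((findings+1)) ;;
    esac
    [ -n "$cadir$cafile" ] || { echo "$sec: no ldap_tls_cacertdir or ldap_tls_cacert; no trust anchor"; findings=$((findings+1)); }
    return "$findings"
}
```

Run it against the real /etc/sssd/sssd.conf with `check_ldap_tls /etc/sssd/sssd.conf blah.com`; a zero exit means the domain matches the posted hardening.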
