Hi,
I have been facing a problem with setting up LDAP+TLS client authentication in a
kickstart script on CentOS 7 for several days.
Setting up the config manually with system-config-authentication works, but I need
to automate this in kickstart for deploying cluster nodes.
This shows that the server side is running fine.
At this time the message is
# systemctl status sssd
....
sssd[be[default]][2732]: Could not start TLS encryption. error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate)
In my kickstart file I use:
auth --useshadow --enableldaptls --enablecache --passalgo=sha512 --enableldap --enableldapauth --ldapserver="ldaps://my.ldap.server.fr" --ldapbasedn=dc=my,dc=base,dc=dn
Then in a post install script I download the server and CA certificates and
stop nslcd, which I do not use:
echo "TLS_REQCERT allow" >> /etc/openldap/ldap.conf
cd /etc/openldap/cacerts/ && wget http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/ca-bundle.crt && ln -s ca-bundle.crt $(openssl x509 -hash -in ca-bundle.crt -noout).0
cd /etc/openldap/certs/ && wget http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/server.crt
cd /
systemctl disable nslcd
I'm unable to see what more system-config-authentication is doing in its setup.
Thanks for your help
Patrick
--
Equipe M.O.S.T.
Patrick BEGOU          mailto:Patrick.Begou@xxxxxxxxxxxxxxx
LEGI
BP 53 X                Tel 04 76 82 51 35
38041 GRENOBLE CEDEX   Fax 04 76 82 52 71
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
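The error in the post comes from sssd, and sssd's LDAP provider takes its trust anchor from ldap_tls_cacert / ldap_tls_cacertdir in /etc/sssd/sssd.conf rather than from /etc/openldap/ldap.conf, so appending TLS_REQCERT allow there does not reach sssd and would only turn certificate verification off where it did apply. A second point in the posted %post script is that openssl x509 -hash on a bundle file hashes only the first certificate in it. The following is an added example of a %post-style helper, not Patrick's script nor anything shipped by CentOS or sssd: it splits the downloaded bundle into per-certificate files, writes an sssd.conf [domain/default] section that points at the bundle with ldap_tls_reqcert = demand, and offers a post-install check with openssl s_client. The ROOT argument, the domain name "default", the file names ca-N.pem and the LDAP URI/base DN from the post are assumptions for illustration; in a real kickstart %post, ROOT is "/".

```shell
#!/bin/sh
# Added example (assumed names: ROOT, "default" domain, ca-N.pem files).
set -eu

# Split a PEM bundle into one certificate per file. `openssl x509 -hash` only
# reads the first certificate of a bundle, so per-file hashing (or pointing
# ldap_tls_cacert at the whole bundle, as below) is needed for a multi-CA chain.
# Prints the number of certificates written.
split_ca_bundle() {
  bundle=$1; outdir=$2
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/ca-" n ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$bundle"
  ls "$outdir"/ca-*.pem | wc -l | tr -d ' '
}

# Write the sssd.conf that system-config-authentication/authconfig would
# otherwise generate, but with an explicit CA file and strict verification.
# Prints the path of the file written.
write_sssd_conf() {
  root=$1; uri=$2; basedn=$3; cafile=$4
  conf="$root/etc/sssd/sssd.conf"
  mkdir -p "$(dirname "$conf")"
  cat > "$conf" <<EOF
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = $uri
ldap_search_base = $basedn
# Trust anchor for the ldaps:// server certificate; sssd does not take this
# from /etc/openldap/ldap.conf.
ldap_tls_cacert = $cafile
# demand: refuse the connection when the server cert does not chain to the CA.
ldap_tls_reqcert = demand
cache_credentials = true
EOF
  chmod 600 "$conf"   # sssd refuses to start when sssd.conf is group/world readable
  echo "$conf"
}

# Post-install check: does the server's certificate verify against the bundle?
# Returns 0 when openssl reports "Verify return code: 0 (ok)".
verify_ldap_tls() {
  host=$1; cafile=$2
  openssl s_client -connect "$host:636" -CAfile "$cafile" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Stand-alone use mirrors the %post from the post; run with KS_POST=1 on a node.
if [ "${KS_POST:-0}" = "1" ]; then
  root=/
  cafile=/etc/openldap/cacerts/ca-bundle.crt
  split_ca_bundle "$cafile" /etc/openldap/cacerts/split
  write_sssd_conf "$root" "ldaps://my.ldap.server.fr" "dc=my,dc=base,dc=dn" "$cafile"
  verify_ldap_tls my.ldap.server.fr "$cafile" && echo "LDAP TLS chain verifies"
fi
```

After %post, `systemctl status sssd` should no longer report "certificate verify failed"; if verify_ldap_tls fails, the bundle that was downloaded does not contain the CA that actually signed the server certificate, which is the case "self signed certificate" in the log describes.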