On Fri, 2009-09-04 at 14:34 +0200, Kenneth Holter wrote:
> Hi all.
>
> I'm setting up Red Hat Directory Server (RHDS) 8.1 at work, and would
> like to have our LDAP clients use StartTLS when communicating with the
> RHDS. I've searched the documentation, but can't seem to find any
> documentation on exactly _how_ to set the RHDS and the clients to
> allow StartTLS. I'm sure I've seen it somewhere in the documentation
> earlier, but now it's gone. Can anyone point me to relevant
> documentation, either in the Fedora/RHDS manuals or on the web? I
> believe the /etc/ldap.conf file on the clients should have a line that
> says "ssl start_tls", but I'm definitely not sure.
> <snip>

Assuming you've already configured your LDAP servers for TLS
communication, here is an expunged excerpt from our internal
documentation on how we set it up. You will need to adapt it to your
needs, of course, e.g., we do not allow anonymous binds and hence must
define binddn and bindpw:

Now that we have defined the users, we need to install and configure the
LDAP client and related modules for all installed servers. We will start
with server01.

First copy the CA cert (MyCA.pem) into /etc/pki/tls/certs/ and ensure it
is world readable. Then:

    yum install nscd nss_ldap authconfig
    authconfig --update --enableldap --enableldapauth --disablenis \
      --enablecache --ldapserver=ldap.mycompany.com \
      --ldapbasedn=dc=mycompany,dc=com --enableldaptls

We must edit the resultant /etc/ldap.conf file as follows:

    binddn <some user with search rights>
    bindpw <searcher password>
    rootbinddn <the admin DN>              (we will not set this for the guests)
    tls_cacertfile /etc/pki/tls/certs/MyCA.pem   (toward the bottom)
    uri ldap://ldap.mycompany.com/
    ssl start_tls
    pam_password md5
    tls_checkpeer yes
    comment out tls_certdir

Create the /etc/ldap.secret file containing the passphrase and set it rw
for root only (chmod 600 /etc/ldap.secret).

Edit /etc/nscd.conf to change the group positive cache limit
(positive-time-to-live) to 600 seconds from the default 3600. Otherwise,
group changes may take up to an hour to propagate.

Edit /etc/pam.d/system-auth by changing:

    password sufficient pam_unix.so shadow nullok try_first_pass use_authtok

to

    password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok

(addition of md5) lest we only use the first eight characters of any
password. It looks like this is the new default setting, so no need to
change it.

Hope this helps to get you started - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
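A small check for the client-side settings described in the reply above, added here as an example and not part of the original thread or of RHDS/nss_ldap: it parses an nss_ldap-style ldap.conf and reports the settings that would leave a StartTLS client unverified or in plaintext; the file contents are a constructed sample, and the permission helper looks only at the mode bits of /etc/ldap.secret.

```python
"""Lint an nss_ldap ldap.conf for the StartTLS settings the post recommends."""
import stat

# Constructed sample mirroring the post's /etc/ldap.conf (not a real host's file).
SAMPLE_LDAP_CONF = """\
binddn cn=searcher,dc=mycompany,dc=com
bindpw searcher-password
rootbinddn cn=Directory Manager
uri ldap://ldap.mycompany.com/
ssl start_tls
pam_password md5
tls_checkpeer yes
tls_cacertfile /etc/pki/tls/certs/MyCA.pem
#tls_certdir /etc/openldap/cacerts
"""


def parse_ldap_conf(text):
    """Return {keyword: value} for active lines; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_starttls(conf):
    """Return findings; an empty list means a verified StartTLS setup as in the post."""
    findings = []
    if conf.get("ssl", "").lower() != "start_tls":
        findings.append("ssl is not start_tls: binds and lookups go in plaintext")
    uri = conf.get("uri", "")
    if uri and not uri.lower().startswith("ldap://"):
        findings.append("uri should be ldap:// (StartTLS upgrades the plain port): " + uri)
    if conf.get("tls_checkpeer", "").lower() != "yes":
        findings.append("tls_checkpeer is not yes: the server certificate is not verified")
    if not conf.get("tls_cacertfile"):
        findings.append("tls_cacertfile missing: no CA to verify the server against")
    if "tls_certdir" in conf:
        findings.append("tls_certdir is still active; comment it out as the post suggests")
    return findings


def secret_perms_ok(st_mode):
    """True when /etc/ldap.secret-style mode bits grant nothing to group or other (0600)."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
```

For a live host, feed `open("/etc/ldap.conf").read()` to parse_ldap_conf and `os.stat("/etc/ldap.secret").st_mode` to secret_perms_ok.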