Ben's notes

Linux, Unix, network, radio...

CentOS 6 - OpenLDAP 2.4 client with TLS

Install packages

yum install pam_ldap nss-pam-ldapd sssd openldap-clients

Configure OpenLDAP client

Import CA root certificate

mkdir -p /etc/openldap/cacerts
cp caroot.crt /etc/openldap/cacerts/

Authconfig

authconfig-tui
[*] Use LDAP
[*] Use Shadow passwords
[*] Use LDAP Authentication
[*] Local authorization is sufficient

[*] Use TLS
Server: ldaps://<your server FQDN>:636
Base DN: <your base DN>

The server name must be the FQDN that appears in the server certificate (CN or SAN), not an IP address or short name, or certificate verification fails.

Configure ldap.conf

vi /etc/openldap/ldap.conf

URI ldaps://<your server FQDN>:636/
BASE <your base DN>
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand

TLS_REQCERT demand (also the default when the line is left out) makes ldapsearch and the other clients refuse a server whose certificate is missing, expired or not signed by a CA in TLS_CACERTDIR. With "allow" (or "never") the connection goes ahead anyway, so the CA root imported above is never actually checked and a man-in-the-middle with any certificate is accepted.

Configure pam_ldap

vi /etc/pam_ldap.conf

base <your base DN>
uri ldaps://<your server FQDN>:636/
pam_password exop
ssl on
tls_cacertdir /etc/openldap/cacerts

ssl on belongs with an ldaps:// URI (TLS from the first byte, port 636). ssl start_tls is only for a plain ldap:// URI on port 389 that is upgraded with STARTTLS; combined with ldaps:// the StartTLS request is sent into an already encrypted session and fails. Pick one of the two. Do not run an ldap:// URI without start_tls: pam_password exop sends the new password to the server in the password-modify operation, so it needs TLS.

Configure sssd.conf

vi /etc/sssd/sssd.conf
  
Every server name in this file (ldap_uri as well as ldap_chpass_uri) must be the FQDN as it appears in the server certificate; an IP address or short hostname fails certificate verification. authconfig fills in the rest of the domain section.
ldap_chpass_uri = ldaps://<your ldap server FQDN>

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

Test

service sssd restart
ls -l /etc/openldap/cacerts
Check that the hash-named symlink (<hash>.0 -> caroot.crt) exists next to the CA file; the libraries look the CA up by subject hash, so without it verification fails. If it is missing, run cacertdir_rehash /etc/openldap/cacerts.
ldapsearch -x -b "<your base DN>"
With TLS_REQCERT demand a missing or wrong CA shows up here as a TLS error instead of a silently unverified connection.

getent passwd <username>
getent group <groupname>
id -a <username>
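The checks above only prove that lookups work, not that TLS is actually verifying the server. The script below is an added example, not part of Ben's notes: it audits ldap.conf, pam_ldap.conf and sssd.conf for the settings that quietly weaken TLS (TLS_REQCERT / ldap_tls_reqcert other than demand, ssl start_tls combined with an ldaps:// URI, a cleartext ldap:// URI, and a server name that is an IP or short name and so cannot match the certificate). The hostnames, base DN, temp paths and sample configs are constructed for the demo; it reads nothing under /etc and runs offline. It only parses the keys shown in the notes, one value per line.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the client TLS settings.
# Sample configs and hostnames below are constructed for the demo (assumption).

# Last value of KEY in a "KEY value" file (ldap.conf, pam_ldap.conf), case-insensitive.
conf_get() {
    awk -v k="$2" 'toupper($1) == toupper(k) { v = $2 } END { print v }' "$1"
}

# Last value of KEY in a "key = value" file (sssd.conf); sections are ignored.
ini_get() {
    awk -F= -v k="$2" '{ key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
        if (key == k) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v) } } END { print v }' "$1"
}

# Host part of an LDAP URI: drop scheme, port and path.
uri_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[:/].*$##'
}

# The URI host is what gets matched against the certificate CN/SAN, so an IP
# address or a short name can never verify. $1 = file (for messages), $2 = URI.
check_host() {
    host=$(uri_host "$2")
    case "$host" in
        "")        echo "$1: empty host in $2"; return 1 ;;
        *[!0-9.]*) ;;                      # contains letters: a name, keep checking
        *)         echo "$1: $host is an IP address, it cannot match the cert"; return 1 ;;
    esac
    case "$host" in
        *.*) return 0 ;;
        *)   echo "$1: $host is not a FQDN"; return 1 ;;
    esac
}

# /etc/openldap/ldap.conf: only TLS_REQCERT demand (alias hard, and the
# default when unset) rejects a missing or unverifiable server certificate.
audit_ldap_conf() {
    rc=0
    uri=$(conf_get "$1" URI)
    reqcert=$(conf_get "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    case "${reqcert:-demand}" in
        demand|hard) ;;
        *) echo "$1: TLS_REQCERT $reqcert does not verify the server certificate"; rc=1 ;;
    esac
    case "$uri" in
        ldaps://*) check_host "$1" "$uri" || rc=1 ;;
        "")        echo "$1: no URI set"; rc=1 ;;
        *)         echo "$1: $uri is not ldaps://, TLS then depends on each client passing -ZZ"; rc=1 ;;
    esac
    return $rc
}

# /etc/pam_ldap.conf: ldaps:// needs 'ssl on'; 'ssl start_tls' only fits a
# plain ldap:// URI. Mixing them, or ldap:// with nothing, is a finding.
audit_pam_ldap_conf() {
    rc=0
    uri=$(conf_get "$1" uri)
    ssl=$(conf_get "$1" ssl | tr 'A-Z' 'a-z')
    case "$uri|${ssl:-unset}" in
        "ldaps://"*"|on")       check_host "$1" "$uri" || rc=1 ;;
        "ldap://"*"|start_tls") check_host "$1" "$uri" || rc=1 ;;
        "ldaps://"*) echo "$1: ldaps:// URI needs 'ssl on', not 'ssl ${ssl:-unset}'"; rc=1 ;;
        "ldap://"*)  echo "$1: ldap:// URI without 'ssl start_tls' binds in cleartext"; rc=1 ;;
        *)           echo "$1: no uri set"; rc=1 ;;
    esac
    return $rc
}

# /etc/sssd/sssd.conf: SSSD defaults ldap_tls_reqcert to hard, so only an
# explicit weaker value is flagged; the *_uri hosts get the same FQDN check.
audit_sssd_conf() {
    rc=0
    reqcert=$(ini_get "$1" ldap_tls_reqcert | tr 'A-Z' 'a-z')
    case "${reqcert:-hard}" in
        demand|hard) ;;
        *) echo "$1: ldap_tls_reqcert = $reqcert does not verify the server certificate"; rc=1 ;;
    esac
    for key in ldap_uri ldap_chpass_uri; do
        uri=$(ini_get "$1" "$key")
        [ -n "$uri" ] && { check_host "$1" "$uri" || rc=1; }
    done
    return $rc
}

# Demo on constructed files: the weak variants next to the corrected ones.
demo() {
    d=$(mktemp -d)
    printf 'URI ldaps://ldap.example.com:636/\nTLS_CACERTDIR /etc/openldap/cacerts\nTLS_REQCERT allow\n' > "$d/weak-ldap.conf"
    printf 'URI ldaps://ldap.example.com:636/\nTLS_CACERTDIR /etc/openldap/cacerts\nTLS_REQCERT demand\n' > "$d/good-ldap.conf"
    printf 'uri ldaps://ldap.example.com:636/\nssl start_tls\n' > "$d/weak-pam_ldap.conf"
    printf 'uri ldaps://ldap.example.com:636/\nssl on\n' > "$d/good-pam_ldap.conf"
    printf '[domain/default]\nldap_uri = ldaps://10.0.0.5\nldap_tls_reqcert = never\n' > "$d/weak-sssd.conf"
    printf '[domain/default]\nldap_uri = ldaps://ldap.example.com\nldap_chpass_uri = ldaps://ldap.example.com\n' > "$d/good-sssd.conf"
    for f in weak-ldap.conf good-ldap.conf; do audit_ldap_conf "$d/$f" && echo "$d/$f: OK"; done
    for f in weak-pam_ldap.conf good-pam_ldap.conf; do audit_pam_ldap_conf "$d/$f" && echo "$d/$f: OK"; done
    for f in weak-sssd.conf good-sssd.conf; do audit_sssd_conf "$d/$f" && echo "$d/$f: OK"; done
    rm -rf "$d"
}

demo
```

To run it against the real files, call audit_ldap_conf /etc/openldap/ldap.conf, audit_pam_ldap_conf /etc/pam_ldap.conf and audit_sssd_conf /etc/sssd/sssd.conf instead of demo; a non-zero exit means at least one finding was printed. The script does not test the network: a clean audit still needs the ldapsearch check above to confirm the CA symlink and the certificate chain are in place.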

Clear the SSSD cache

You can clear the passwd/group cache with

sss_cache -U -G

openldap_client_with_tls_centos_6.5.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1