Ben's notes

Linux, Unix, network, radio...

openldap_consumer

openldap_consumer [2015/09/14 13:07] – [Configure replication] admin
openldap_consumer [2015/09/21 08:46] – [TLS Certificate] admin
Line 4: Line 4:
 =====CentOS 7 - OpenLDAP 2.4 consumer (slave)===== =====CentOS 7 - OpenLDAP 2.4 consumer (slave)=====
 ====Install SSSd client==== ====Install SSSd client====
-  * [[ldap:centos7client|Configure this consumer as client first.]]+  * [[ldap:centos7client|First, configure this consumer as client.]]
 ====TLS Certificate==== ====TLS Certificate====
   * Create a certificate and sign with CA, valid for 3 years. **You probably need to perform this step on the LDAP provider or CA system**:<code># certutil -S -n 'OpenLDAP Consumer' -t ",," \   * Create a certificate and sign with CA, valid for 3 years. **You probably need to perform this step on the LDAP provider or CA system**:<code># certutil -S -n 'OpenLDAP Consumer' -t ",," \
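Review bot: the reworded bullet still reads "as client"; the idiomatic phrasing is "First, configure this consumer as a client." No objection to the certutil line itself: `-t ",,"` is the right trust setting for a server certificate that will be validated by chaining to the CA imported in the next step, and the note that this must run where the CA key lives is useful.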
Line 27: Line 27:
 Enter password for PKCS12 file:  Enter password for PKCS12 file: 
 pk12util: PKCS12 IMPORT SUCCESSFUL</code> pk12util: PKCS12 IMPORT SUCCESSFUL</code>
-  * Import the CA certificate:<code># certutil -A -n "LDAP-CA" -t "TCu,Cu,Cu" -i /tmp/ca.crt -d /etc/openldap/certs -f /etc/openldap/certs/password</code>+  * Import the CA certificate:<code># certutil -A -n "LDAP-CA" -t "TCu,Cu,Cu" -i /tmp/ca.crt -d /etc/openldap/certs</code>
   * Modify rights so that LDAP can read the NSS database:<code># chmod 440 /etc/openldap/certs/password   * Modify rights so that LDAP can read the NSS database:<code># chmod 440 /etc/openldap/certs/password
 # chown ldap. /etc/openldap/certs/*</code> # chown ldap. /etc/openldap/certs/*</code>
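Review bot: dropping `-f /etc/openldap/certs/password` from the `certutil -A` import means certutil will prompt for the NSS database password interactively instead of reading it from the file. The very next step (`chmod 440 /etc/openldap/certs/password`) shows the database does have a password, so either say that a prompt is expected here, or keep `-f /etc/openldap/certs/password` so the step also works unattended. The `chown ldap. /etc/openldap/certs/*` line uses the GNU shorthand for user and group `ldap`; spelling it `chown ldap:ldap` would avoid confusing readers who take the trailing dot for a typo.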
Line 105: Line 105:
 add: olcRootPW add: olcRootPW
 olcRootPW: ${MYHASH} olcRootPW: ${MYHASH}
 +EOF
 +</code>
 +  * **olcDatabase={2}hdb**: configure indexing:<code># ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
 +dn: olcDatabase={2}hdb,cn=config
 +changetype: modify
 +replace: olcDbIndex
 +olcDbIndex: objectClass eq,pres
 +olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
 +olcDbIndex: uid,memberUid,gidNumber eq
 +-
 EOF EOF
 </code> </code>
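Review bot: `replace: olcDbIndex` throws away every index the hdb database already has, and the new list contains no `entryUUID` or `entryCSN` index; on a syncrepl consumer those are the attributes replication looks entries up by, so add `olcDbIndex: entryUUID eq` and `olcDbIndex: entryCSN eq` to the list (or use `add:` instead of `replace:` if the existing indexes should survive). Also, `pres` on objectClass is redundant since every entry has an objectClass value; `olcDbIndex: objectClass eq` is enough. The trailing `-` before `EOF` is harmless but unnecessary for a single modification.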
Line 143: Line 153:
 EOF EOF
 </code> </code>
- 
 ====Open firewall port==== ====Open firewall port====
   * Open port 636:<code># firewall-cmd --permanent --zone public --add-service=ldaps   * Open port 636:<code># firewall-cmd --permanent --zone public --add-service=ldaps
Line 224: Line 233:
 EOF EOF
 </code> </code>
 +
 +====Monitor replication state====
 +  * contextCSN needs to be the same on provider and consumer:<code>
 +# ldapsearch -H ldaps://provider -x -D "cn=Manager,dc=<basedn>" -w <passwd> -s base contextcsn | grep contextCSN
 +# ldapsearch -H ldaps://consumer -x -D "cn=Manager,dc=<basedn>" -w <passwd> -s base contextcsn | grep contextCSN</code>
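Review bot: `-w <passwd>` puts the Manager password on the command line, where it is visible in the process list and lands in shell history; the ldapmodify commands earlier on this page already use `-W`, so use the same here (or `-y /path/to/passwordfile`). Neither search gives a base with `-b`, so `-s base` queries whatever `BASE` the client's ldap.conf sets; contextCSN lives on the suffix entry, so spell it out as `-b "dc=<basedn>" -s base contextCSN` on both commands. Worth adding that the values only match once the consumer's refresh has completed, so a mismatch right after a restart is not by itself an error.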
openldap_consumer.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1