[389-users] Configuring StartTLS

John A. Sullivan III jsullivan at opensourcedevel.com
Fri Sep 4 13:45:23 UTC 2009


On Fri, 2009-09-04 at 14:34 +0200, Kenneth Holter wrote:
> Hi all.
>  
>  
> I'm setting up Red Hat Directory Server (RHDS) 8.1 at work, and would
> like to have our LDAP clients use StartTLS when communicating with the
> RHDS. I've searched the documentation, but can't seem to find any
> documentation on exactly _how_ to set the RHDS and the clients to
> allow StartTLS. I'm sure I've seen it somewhere in the documentation
> earlier, but now it's gone. Can anyone point me to relevant
> documentation, either in the Fedora/RHDS manuals or on the web? I
> believe the /etc/ldap.conf file on the clients should have a line that
> says "ssl start_tls", but I'm definitely not sure. 
>  <snip>
> 
Assuming you've already configured your LDAP servers for TLS
communication, here is an expunged excerpt from our internal
documentation on how we set it up.  You will need to adapt it to your
needs, of course, e.g., we do not allow anonymous binds and hence must
define binddn and bindpw:

Now that we have defined the users, we need to install and configure the
LDAP client and related modules for all installed servers.  We will
start with server01.  First copy the CA cert (MyCA.pem)
into /etc/pki/tls/certs/ and ensure it is world readable.  Then:
yum install nscd nss_ldap authconfig
authconfig --update --enableldap --enableldapauth --disablenis \
  --enablecache --ldapserver=ldap.mycompany.com \
  --ldapbasedn=dc=mycompany,dc=com --enableldaptls
We must edit the resultant /etc/ldap.conf file as follows:
binddn <some user with search rights>
bindpw <searcher password>
rootbinddn <the admin DN> (we will not set this for the guests)
tls_cacertfile /etc/pki/tls/certs/MyCA.pem (toward the bottom)
uri ldap://ldap.mycompany.com/
ssl start_tls
pam_password md5
tls_checkpeer yes
comment out tls_certdir

Create the /etc/ldap.secret file containing the passphrase and set it rw
for root only (chmod 600 /etc/ldap.secret).
Edit /etc/nscd.conf to change the group positive cache limit
(positive-time-to-live) to 600 seconds from the default 3600.
Otherwise, group changes may take up to an hour to propagate. 
Edit /etc/pam.d/system-auth by changing:
password    sufficient    pam_unix.so shadow nullok try_first_pass use_authtok
to
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
(addition of md5) lest we only use the first eight characters of any
password.  It looks like this is the new default setting so no need to
change it.


Hope this helps to get you started - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
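
An added audit script (not part of John's post, and not RHDS or authconfig tooling) that checks a client's /etc/ldap.conf for the StartTLS settings listed above and checks that /etc/ldap.secret is mode 0600; the sample config it writes is constructed, and the paths and DN in it are assumptions:

```shell
#!/bin/sh
# Added audit script, not from the original post: checks an nss_ldap
# /etc/ldap.conf for the StartTLS settings described above and checks
# that the bind-password file is rw for its owner only. Paths are assumptions.

# 0 if file $1 has an uncommented "key value" line with key $2 and value regex $3
has_setting() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$" "$1"
}

check_ldap_conf() {
    conf="$1"; rc=0
    # StartTLS upgrades a plain ldap:// connection; ldaps:// is a different setup
    has_setting "$conf" uri 'ldap://[^[:space:]]+' || { echo "missing: uri ldap://..."; rc=1; }
    has_setting "$conf" ssl start_tls || { echo "missing: ssl start_tls"; rc=1; }
    # Without tls_checkpeer yes the server certificate is not verified
    has_setting "$conf" tls_checkpeer yes || { echo "missing: tls_checkpeer yes"; rc=1; }
    has_setting "$conf" tls_cacertfile '/[^[:space:]]+' || { echo "missing: tls_cacertfile"; rc=1; }
    # The post says to comment out tls_certdir, so an active one is flagged
    grep -Eq '^[[:space:]]*tls_certdir' "$conf" && { echo "tls_certdir still active"; rc=1; }
    return $rc
}

# 0 if $1 is a regular file with mode 0600 (rw for owner only, as for /etc/ldap.secret)
check_secret_mode() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed sample mirroring the settings from the post (not a real file)
write_sample_conf() {
    cat > "$1" <<'EOF'
base dc=mycompany,dc=com
binddn cn=searcher,ou=people,dc=mycompany,dc=com
bindpw example-only
uri ldap://ldap.mycompany.com/
ssl start_tls
pam_password md5
tls_checkpeer yes
tls_cacertfile /etc/pki/tls/certs/MyCA.pem
#tls_certdir /etc/openldap/cacerts
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
check_ldap_conf "$sample" && echo "sample config: OK"
rm -f "$sample"
```

Run it against the real file with `check_ldap_conf /etc/ldap.conf; check_secret_mode /etc/ldap.secret` after the edits above; each missing setting is printed and the exit status is non-zero.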