[Freeipa-users] Re: freeipa server + how to joining opensuse clients
Daniel Qarras
dqarras at yahoo.com
Wed Mar 25 20:55:11 UTC 2009
Hi!
> > > 1. Modify the following in the /etc/ldap.conf file:
> > >
> > > URI ldap://ipaserver.example.com
> > > BASE dc=example,dc=com
> > > HOST ipaserver.example.com
> > > TLS_CACERTDIR /etc/cacerts/
> > > TLS_REQCERT allow
> > >
> > > but these upper case options are described in ldap.conf(5)
> > > which is for OpenLDAP configuration file /etc/openldap/ldap.conf!
I inspected this a bit more and I suspect that this is just a quick copy/paste from Fedora Directory Server Guide's LDAP client section:
http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients
I think it would be beneficial to stress that this is to configure OpenLDAP command line utilities (e.g., ldapsearch(1)) to work against the IPA server. The following should do this:
N. Modify the following in the /etc/openldap/ldap.conf file:
URI ldap://ipaserver.example.com/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/cacerts/
TLS_REQCERT demand
I used "demand" as the next steps describe in detail how to export and install the CA certificate - if not "demand" then the whole exercise with the CA certificate becomes pretty pointless, IMHO. Of course, a quick comment about the difference between "demand" and "allow" would be useful alongside with a "ldapsearch -ZZ -Y GSSAPI uid=$USER" type tiny example.
But, as said, this was just for OpenLDAP tools and libs. I am not quite sure whether ipa-client-install creates PAM/LDAP configuration or not (at /etc/ldap.conf)? Or does it configure SSSD (nss_sss/pam_sss)? And is pam_ldap used with IPA or not?
Thanks!
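The difference between TLS_REQCERT "allow" and "demand" is the whole security point of the thread: with "allow" the client keeps talking after a certificate it cannot verify, so the exported CA certificate buys nothing. The script below is an added example, not code from the post or from the FreeIPA project; it audits an OpenLDAP client config for that directive and flags the permissive values. The config path, the "last occurrence wins" reading of repeated directives, and the sample files it writes to a temp directory are all assumptions/constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post or the IPA documentation.
# Audits an OpenLDAP client config (/etc/openldap/ldap.conf on the systems
# discussed in the thread; the path is an assumption) for TLS_REQCERT, the
# directive that decides whether the server certificate is really checked
# against the CA placed in TLS_CACERTDIR.

# tls_reqcert_value FILE
# Prints the effective TLS_REQCERT value, lower-cased. OpenLDAP treats a
# missing directive as "demand"; if it appears several times we take the
# last one (assumption). Commented-out lines are ignored.
tls_reqcert_value() {
    v=$(sed -n 's/^[[:space:]]*[Tt][Ll][Ss]_[Rr][Ee][Qq][Cc][Ee][Rr][Tt][[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$v" ] || v=demand
    printf '%s\n' "$v" | tr 'A-Z' 'a-z'
}

# ldap_client_verifies_peer FILE
# Returns 0 when the client refuses a server whose certificate does not chain
# to the trusted CA ("demand" or "hard"); returns 1 for "allow", "try" or
# "never", which let the session continue despite an unverifiable certificate.
ldap_client_verifies_peer() {
    case $(tls_reqcert_value "$1") in
        demand|hard) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample configs mirroring the two variants quoted in the thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<'EOF'
URI ldap://ipaserver.example.com/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/cacerts/
TLS_REQCERT allow
EOF
cat > "$demo_dir/strict.conf" <<'EOF'
URI ldap://ipaserver.example.com/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/cacerts/
TLS_REQCERT demand
EOF

# Report each file; the check is the kind of thing to run before trusting
# "ldapsearch -ZZ" output from a client.
for f in "$demo_dir/weak.conf" "$demo_dir/strict.conf"; do
    if ldap_client_verifies_peer "$f"; then
        echo "$f: TLS_REQCERT $(tls_reqcert_value "$f") - server certificate is verified"
    else
        echo "$f: TLS_REQCERT $(tls_reqcert_value "$f") - certificate errors are ignored, fix before relying on STARTTLS"
    fi
done
```

Point the functions at the real /etc/openldap/ldap.conf to audit a host; a "demand" result combined with the CA certificate installed in TLS_CACERTDIR is what makes "ldapsearch -ZZ" meaningful.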