[Freeipa-users] Re: freeipa server + how to joining opensuse clients

Daniel Qarras dqarras at yahoo.com
Sun Mar 29 13:28:45 UTC 2009


Hi!

> I inspected this a bit more and I suspect that this is just
> a quick copy/paste from Fedora Directory Server Guide's LDAP
> client section:
> 
> http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients
> 
> I think it would be beneficial to stress that this is to
> configure OpenLDAP command line utilities (e.g.,
> ldapsearch(1)) to work against the IPA server. The following
> should do this:
> 
> 
> N. Modify the following in the /etc/openldap/ldap.conf
> file:
> 
>  URI ldap://ipaserver.example.com/
>  BASE dc=example,dc=com
>  TLS_CACERTDIR /etc/cacerts/
>  TLS_REQCERT demand
> 
> 
> I used "demand" as the next steps describe in detail how to
> export and install the CA certificate - if not "demand" then
> the whole exercise with the CA certificate becomes pretty
> pointless, IMHO. Of course, a quick comment about the
> difference between "demand" and "allow" would be useful
> alongside with a "ldapsearch -ZZ -Y GSSAPI uid=$USER" type
> tiny example.
> 
> 
> But, as said, this was just for OpenLDAP tools and libs. I
> am not quite sure whether ipa-client-install creates PAM/LDAP
> configuration or not (at /etc/ldap.conf). Or does it
> configure SSSD (nss_sss/pam_sss)? And is pam_ldap used with
> IPA or not?

Continuing my monologue here, I think it would make sense (to at least provide an option) to modify both /etc/openldap/ldap.conf and /etc/ldap.conf in clients with ipa-client-install - IMHO it is very likely that the only LDAP server the clients are communicating with is the IPA server.

Above the case of /etc/openldap/ldap.conf was already discussed, but for /etc/ldap.conf no proper content has been mentioned. Based on this thread I think for /etc/ldap.conf this would be the most IPA-related content:


N. Modify the following in the /etc/ldap.conf file:

uri            ldap://ipaserver.example.com/
base           dc=example,dc=com
ssl            start_tls
tls_checkpeer  yes
tls_cacertdir  /etc/cacerts/


There are also some very much needed configuration directives in the default /etc/ldap.conf (e.g., nss_initgroups_ignoreusers) which should be left as-is, and these changes should only be added to the end of the file.

What do you think, do these suggestions make sense?

Thanks.
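The two settings discussed in this thread (TLS_REQCERT in /etc/openldap/ldap.conf, and ssl/tls_checkpeer in /etc/ldap.conf) are easy to get wrong in a way that leaves the installed CA certificate unused. The script below is an added example, not part of the thread or of ipa-client-install: it checks scratch copies of both files for the peer-verification settings and appends the /etc/ldap.conf stanza above after the distribution defaults. File paths are passed as arguments; the host and base DN are the thread's example values.

```shell
#!/bin/sh
# Added example (not from the thread): verify the TLS settings of the two
# client files and append the IPA stanza to /etc/ldap.conf without touching
# the directives already in it (e.g. nss_initgroups_ignoreusers).

# Last value of a directive; key is matched case-insensitively on the first
# word of the line, so comment lines never match.
ldap_directive() {
    awk -v k="$2" 'tolower($1)==k {v=$2} END {print v}' "$1"
}

# /etc/openldap/ldap.conf: only "demand" (or its synonym "hard") makes the
# OpenLDAP tools refuse a server whose certificate does not verify; "allow"
# connects anyway, which makes the CA certificate steps pointless.
check_openldap_conf() {
    v=$(ldap_directive "$1" tls_reqcert)
    [ "$v" = "demand" ] || [ "$v" = "hard" ]
}

# /etc/ldap.conf (pam_ldap/nss_ldap): both start_tls and tls_checkpeer yes
# are needed, otherwise the CA certificate is installed but never consulted.
check_pam_ldap_conf() {
    [ "$(ldap_directive "$1" ssl)" = "start_tls" ] &&
    [ "$(ldap_directive "$1" tls_checkpeer)" = "yes" ]
}

# Append the stanza from the mail, leaving existing defaults in place; return
# status 1 if a uri line is already present so nothing is duplicated.
append_ipa_stanza() {
    grep -qiE '^[[:space:]]*uri[[:space:]]' "$1" && return 1
    cat >> "$1" <<'EOF'

# IPA client settings appended after the distribution defaults
uri            ldap://ipaserver.example.com/
base           dc=example,dc=com
ssl            start_tls
tls_checkpeer  yes
tls_cacertdir  /etc/cacerts/
EOF
}

# Demo on constructed scratch files: a weak openldap config, and a default
# /etc/ldap.conf before and after the stanza is appended.
d=$(mktemp -d)
printf 'TLS_REQCERT allow\n' > "$d/openldap.conf"
printf 'nss_initgroups_ignoreusers root,ldap\n' > "$d/ldap.conf"
check_openldap_conf "$d/openldap.conf" && echo "openldap: ok" || echo "openldap: peer not verified"
check_pam_ldap_conf "$d/ldap.conf" && echo "ldap.conf: ok" || echo "ldap.conf: no peer check"
append_ipa_stanza "$d/ldap.conf" && check_pam_ldap_conf "$d/ldap.conf" && echo "ldap.conf after append: ok"
rm -rf "$d"
```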
