[Freeipa-users] Re: freeipa server + how to joining opensuse clients
Daniel Qarras
dqarras at yahoo.com
Sun Mar 29 13:28:45 UTC 2009
Hi!
> I inspected this a bit more and I suspect that this is just
> a quick copy/paste from Fedora Directory Server Guide's LDAP
> client section:
>
> http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients
>
> I think it would be beneficial to stress that this is to
> configure OpenLDAP command line utilities (e.g.,
> ldapsearch(1)) to work against the IPA server. The following
> should do this:
>
>
> N. Modify the following in the /etc/openldap/ldap.conf
> file:
>
> URI ldap://ipaserver.example.com/
> BASE dc=example,dc=com
> TLS_CACERTDIR /etc/cacerts/
> TLS_REQCERT demand
>
>
> I used "demand" as the next steps describe in detail how to
> export and install the CA certificate - if not "demand" then
> the whole exercise with the CA certificate becomes pretty
> pointless, IMHO. Of course, a quick comment about the
> difference between "demand" and "allow" would be useful
> alongside a "ldapsearch -ZZ -Y GSSAPI uid=$USER" type
> tiny example.
>
>
> But, as said, this was just for OpenLDAP tools and libs. I
> am not quite sure whether ipa-client-install creates PAM/LDAP
> configuration or not (at /etc/ldap.conf)? Or does it
> configure SSSD (nss_sss/pam_sss)? And is pam_ldap used with
> IPA or not?
Continuing my monologue here, I think it would make sense (to at least provide an option) to modify both /etc/openldap/ldap.conf and /etc/ldap.conf in clients with ipa-client-install - IMHO it is very likely that the only LDAP server the clients are communicating with is the IPA server.
Above, the case of /etc/openldap/ldap.conf was already discussed, but for /etc/ldap.conf no proper content has been mentioned. Based on this thread I think for /etc/ldap.conf this would be the most IPA-related content:
N. Modify the following in the /etc/ldap.conf file:
uri ldap://ipaserver.example.com/
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/cacerts/
There are also some very much needed configuration directives in the default /etc/ldap.conf (e.g., nss_initgroups_ignoreusers) which should be left as-is, and these changes should only be added to the end of the file.
What do you think, do these suggestions make sense?
Thanks.
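As an added example (not part of this thread or of ipa-client-install), a small POSIX shell audit that reads either flavour of client file discussed above and reports the settings that would let a client accept an unverified IPA server: the weak TLS_REQCERT values (allow, try, never) in /etc/openldap/ldap.conf, tls_checkpeer no or a plain ldap:// URI without ssl start_tls in /etc/ldap.conf, and a missing CA location in both. File paths and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit the TLS settings of an LDAP client
# config in either flavour discussed above, OpenLDAP's /etc/openldap/ldap.conf
# (URI / TLS_REQCERT / TLS_CACERTDIR) or pam_ldap's /etc/ldap.conf
# (uri / ssl / tls_checkpeer / tls_cacertdir). Directive names are matched
# case-insensitively and the last occurrence wins.

# directive FILE KEY -> value of the last matching directive, or empty
directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == key { v = $2 } END { print v }' "$1"
}

# audit_ldap_conf FILE -> prints findings; returns 0 when the client will
# verify the server certificate, 1 when it could talk to an unverified peer
audit_ldap_conf() {
    f="$1"; rc=0
    uri=$(directive "$f" uri)
    reqcert=$(directive "$f" TLS_REQCERT)      # libldap (OpenLDAP tools)
    checkpeer=$(directive "$f" tls_checkpeer)  # pam_ldap / nss_ldap
    ssl=$(directive "$f" ssl)                  # pam_ldap / nss_ldap
    cadir=$(directive "$f" TLS_CACERTDIR)      # also matches tls_cacertdir
    cafile=$(directive "$f" TLS_CACERT)
    [ -n "$cafile" ] || cafile=$(directive "$f" tls_cacertfile)

    case "$reqcert" in
        ""|demand|hard) ;;   # demand/hard: an unverifiable cert aborts the session
        *) echo "$f: TLS_REQCERT $reqcert accepts an unverified server cert"; rc=1 ;;
    esac
    case "$checkpeer" in
        ""|yes) ;;
        *) echo "$f: tls_checkpeer $checkpeer disables server cert checking"; rc=1 ;;
    esac
    if [ -z "$reqcert" ] && [ -z "$checkpeer" ]; then
        echo "$f: neither TLS_REQCERT nor tls_checkpeer set; relying on defaults"; rc=1
    fi
    # pam_ldap flavour only: a plain ldap:// URI stays cleartext unless STARTTLS is forced
    if [ -n "$checkpeer$ssl" ]; then
        case "$uri" in
            ldaps://*) ;;
            *) [ "$ssl" = start_tls ] || [ "$ssl" = yes ] ||
                   { echo "$f: $uri without 'ssl start_tls'; cleartext bind"; rc=1; } ;;
        esac
    fi
    if [ -z "$cadir" ] && [ -z "$cafile" ]; then
        echo "$f: no CA location (TLS_CACERTDIR/TLS_CACERT/tls_cacertfile)"; rc=1
    fi
    return "$rc"
}

# usage: sh audit-ldap-conf.sh /etc/openldap/ldap.conf /etc/ldap.conf
for conf in "$@"; do audit_ldap_conf "$conf" || :; done
```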