[Freeipa-users] Re: freeipa server + how to joining opensuse clients

Simo Sorce ssorce at redhat.com
Tue Mar 31 20:18:49 UTC 2009


On Sun, 2009-03-29 at 06:28 -0700, Daniel Qarras wrote:
> Hi!
> 
> > I inspected this a bit more and I suspect that this is just
> > a quick copy/paste from Fedora Directory Server Guide's LDAP
> > client section:
> > 
> > http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients
> > 
> > I think it would be beneficial to stress that this is to
> > configure OpenLDAP command line utilities (e.g.,
> > ldapsearch(1)) to work against the IPA server. The following
> > should do this:
> > 
> > 
> > N. Modify the following in the /etc/openldap/ldap.conf
> > file:
> > 
> >  URI ldap://ipaserver.example.com/
> >  BASE dc=example,dc=com
> >  TLS_CACERTDIR /etc/cacerts/
> >  TLS_REQCERT demand
> > 
> > 
> > I used "demand" as the next steps describe in detail how to
> > export and install the CA certificate - if not "demand" then
> > the whole exercise with the CA certificate becomes pretty
> > pointless, IMHO. Of course, a quick comment about the
> > difference between "demand" and "allow" would be useful
> > alongside a "ldapsearch -ZZ -Y GSSAPI uid=$USER" type
> > tiny example.
> > 
> > 
> > But, as said, this was just for OpenLDAP tools and libs. I
> > am not quite sure whether ipa-client-install creates PAM/LDAP
> > configuration or not (at /etc/ldap.conf)? Or does it
> > configure SSSD (nss_sss/pam_sss)? And is pam_ldap used with
> > IPA or not?
> 
> Continuing my monologue here, I think it would make sense (to at least
> provide an option) to modify both /etc/openldap/ldap.conf
> and /etc/ldap.conf in clients with ipa-client-install - IMHO it is
> very likely that the only LDAP server the clients are communicating
> with is the IPA server.

Not sure about that, I can definitely see cases where you want to use
ipa for authentication but you use another ldap server daily for other
purposes (addressbook ?)
But maybe an option will do.

> Above the case of /etc/openldap/ldap.conf was already discussed but
> for /etc/ldap.conf no proper content has been mentioned. Based on this
> thread I think for /etc/ldap.conf this would be the most IPA-related
> content:
> 
> 
> N. Modify the following in the /etc/ldap.conf file:
> 
> uri            ldap://ipaserver.example.com/
> base           dc=example,dc=com
> ssl            start_tls
> tls_checkpeer  yes
> tls_cacertdir  /etc/cacerts/
> 
> 
> There are also some very much needed configuration directives in the
> default /etc/ldap.conf (e.g., nss_initgroups_ignoreusers) which should
> be left as-is, and these changes should only be added to the end of the file.
> 
> What do you think, do these suggestions make sense?

I think they do.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
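The thread contrasts TLS_REQCERT "demand" with "allow" in /etc/openldap/ldap.conf and proposes ssl/tls_checkpeer/tls_cacertdir settings for /etc/ldap.conf. The script below is an added example, not code from the thread or from the FreeIPA project: it parses both file formats (same "KEY value" syntax, case-insensitive keys, "#" comments) and reports directives that leave the client unable to verify the IPA server's certificate, which is the point Daniel makes about "demand" versus "allow". The sample configurations embedded in it are constructed for the example; the function names and the Finding type are the example's own.

```python
"""Audit LDAP client config fragments for TLS peer-verification settings.

Added example for the Freeipa-users thread above; not FreeIPA code.
Checks the OpenLDAP library file (/etc/openldap/ldap.conf) and the
nss_ldap/pam_ldap file (/etc/ldap.conf) for settings that disable or
weaken server certificate verification.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# TLS_REQCERT values that accept a missing or unverifiable server certificate.
# OpenLDAP's documented default when the directive is absent is "demand",
# so only explicitly weak values are flagged for that file.
WEAK_REQCERT = {"never", "allow", "try"}


@dataclass
class Finding:
    key: str               # directive name, lower-cased
    value: Optional[str]   # configured value, or None if the directive is absent
    message: str           # why this weakens peer verification


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'KEY value' lines; keys are case-insensitive, '#' starts a comment."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        directives[key] = value   # a later duplicate overrides an earlier one
    return directives


def audit_openldap_conf(text: str) -> List[Finding]:
    """Audit /etc/openldap/ldap.conf (OpenLDAP libraries and CLI tools)."""
    d = parse_ldap_conf(text)
    findings: List[Finding] = []
    reqcert = d.get("tls_reqcert")
    if reqcert is not None and reqcert.lower() in WEAK_REQCERT:
        findings.append(Finding("tls_reqcert", reqcert,
                                "server certificate is not required to verify; use 'demand'"))
    # 'demand' can only succeed if a trust anchor is configured.
    if "tls_cacertdir" not in d and "tls_cacert" not in d:
        findings.append(Finding("tls_cacert", None,
                                "no CA trust anchor (TLS_CACERTDIR/TLS_CACERT) configured"))
    return findings


def audit_nss_ldap_conf(text: str) -> List[Finding]:
    """Audit /etc/ldap.conf (nss_ldap/pam_ldap)."""
    d = parse_ldap_conf(text)
    findings: List[Finding] = []
    ssl = d.get("ssl", "").lower()
    if ssl not in {"start_tls", "on"}:          # "on" means ldaps://, start_tls upgrades ldap://
        findings.append(Finding("ssl", d.get("ssl"),
                                "TLS not enabled; binds would cross the network in clear"))
    if d.get("tls_checkpeer", "").lower() != "yes":
        findings.append(Finding("tls_checkpeer", d.get("tls_checkpeer"),
                                "server certificate is not verified; set to 'yes'"))
    if "tls_cacertdir" not in d and "tls_cacertfile" not in d:
        findings.append(Finding("tls_cacert", None,
                                "no CA trust anchor (tls_cacertdir/tls_cacertfile) configured"))
    return findings


# Constructed sample fragments: a weak and a hardened version of each file.
WEAK_OPENLDAP = """
URI ldap://ipaserver.example.com/
BASE dc=example,dc=com
TLS_REQCERT allow     # accepts a bad or missing server certificate
"""
HARDENED_OPENLDAP = """
URI ldap://ipaserver.example.com/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/cacerts/
TLS_REQCERT demand
"""
WEAK_NSS_LDAP = """
uri            ldap://ipaserver.example.com/
base           dc=example,dc=com
tls_checkpeer  no
"""
HARDENED_NSS_LDAP = """
uri            ldap://ipaserver.example.com/
base           dc=example,dc=com
ssl            start_tls
tls_checkpeer  yes
tls_cacertdir  /etc/cacerts/
"""

if __name__ == "__main__":
    for name, fn, cfg in [("openldap weak", audit_openldap_conf, WEAK_OPENLDAP),
                          ("openldap hardened", audit_openldap_conf, HARDENED_OPENLDAP),
                          ("nss_ldap weak", audit_nss_ldap_conf, WEAK_NSS_LDAP),
                          ("nss_ldap hardened", audit_nss_ldap_conf, HARDENED_NSS_LDAP)]:
        print(f"{name}: {len(fn(cfg))} finding(s)")
        for f in fn(cfg):
            print(f"  {f.key}={f.value!r}: {f.message}")
```

Run against a real client, the same two functions can be fed the contents of the actual files; the hardened samples mirror the settings proposed in the thread and produce no findings, while the weak ones show the directives that make the CA certificate export step pointless.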
