Setting up LDAP/SSL during kickstart

mups.cp mups.cp at gmail.com
Thu Sep 6 14:52:52 UTC 2007


SSL = SSLv1 or SSLv2
TLS = SSLv3

On 9/6/07, Harry Hoffman <hhoffman at ip-solutions.net> wrote:
> Hi,
>
> Thanks for reviewing.
>
> I'm on RHEL4 and was having all sorts of weird issues with using
> auth/authconfig.
>
> Does TLS == SSL for LDAP?
>
> Cheers,
> Harry
>
>
> mups.cp wrote:
> > The kickstart auth option allows setting most of the options you are setting
> > in %post.
> > http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Installation_Guide-en-US/s1-kickstart2-options.html
> > has all you need. Look for auth/authconfig.
> >
> >
> >> %post
> >> # Setup LDAP
> >> #
> >> # equiv to running setup tool
> >> authconfig --kickstart --enableshadow --enablemd5 --enableldap \
> >>     --enableldapauth --ldapserver ldap.yourdomain.com \
> >>     --ldapbasedn dc=yourdomain,dc=com
> >
> > Use this outside %post. Look at the link above.
> >
> >
> >> #
> >> # Turn SSL on in the config files
> >> perl -p -i -e 's/^ssl no/ssl on/g' /etc/ldap.conf
> >> echo "tls_cacertfile /etc/openldap/cacerts/cacert.asc" >> /etc/ldap.conf
> >> echo "URI ldaps://ldap.yourdomain.com" >> /etc/openldap/ldap.conf
> >
> > Again, not necessary if using the above --enableldaptls.
> >
> >> #
> >> # Create a directory to hold our Cert Auth certificate
> >> mkdir -p /etc/openldap/cacerts
> >> # Download the CA certificate
> >> wget -O /etc/openldap/cacerts/cacert.asc http://INSTALL_SERVER/cacert.asc
> >> #
> > OK
> >
> >> # Have PAM autocreate home directories upon login
> >> echo "session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077" \
> >>     >> /etc/pam.d/system-auth
> >
> > This is useful only if users connect through ssh.
> > Through samba use root preexec to create home dir automatically.
> > For Linux clients use autofs.
> >
> >> #
> >> # Ensure that local authorization is enough to get on the system
> >> # (i.e. root can login)
> >> perl -p -i -e 's/^USELOCAUTHORIZE=no/USELOCAUTHORIZE=yes/' \
> >>     /etc/sysconfig/authconfig
> >
> > My system works without changing this.
> >
> > _______________________________________________
> > Kickstart-list mailing list
> > Kickstart-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/kickstart-list
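The %post quoted above edits /etc/ldap.conf with `perl -p -i` and `echo >>`, which works for a one-shot install but leaves duplicate or conflicting lines if the script is run again, and nothing in it checks that the result actually turns certificate verification on. Below is an added example, written for this page and not code from the thread or from Red Hat: an idempotent replace-or-append helper for the nss_ldap/pam_ldap `/etc/ldap.conf` keywords `ssl`, `tls_cacertfile` and `tls_checkpeer`, and a check that the TLS-related settings are in place. It assumes those keywords and operates on a constructed copy of the file under a temporary directory (the sample contents and paths are the example's own, not anything from the thread).

```shell
#!/bin/sh
# Added example (not from the thread): idempotent edits for an nss_ldap/pam_ldap
# style ldap.conf, plus a check that the TLS-related settings are in place.
# File paths are passed in so this runs against a constructed copy of the file,
# never the live /etc/ldap.conf.

# set_ldap_option FILE KEY VALUE
# Replace an existing "KEY value" line or append one, in a single awk pass,
# so repeated runs never accumulate duplicate or conflicting lines.
set_ldap_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        $1 == k { print k " " v; seen = 1; next }
        { print }
        END { if (!seen) print k " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_ldap_option FILE KEY
# Print the value of the first line whose keyword is KEY (empty if absent).
get_ldap_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_ldap_tls FILE
# Succeeds only if the transport is encrypted ("ssl on" = ldaps://, or
# "ssl start_tls" = StartTLS on the plain LDAP port), a CA file is configured
# and readable, and tls_checkpeer is "yes" so the server certificate is
# actually verified against that CA.
check_ldap_tls() {
    file=$1
    mode=$(get_ldap_option "$file" ssl)
    case "$mode" in
        on|start_tls) ;;
        *) echo "ssl is '${mode:-unset}', expected 'on' or 'start_tls'" >&2; return 1 ;;
    esac
    ca=$(get_ldap_option "$file" tls_cacertfile)
    if [ -z "$ca" ] || [ ! -r "$ca" ]; then
        echo "tls_cacertfile missing or unreadable: '${ca:-unset}'" >&2; return 1
    fi
    if [ "$(get_ldap_option "$file" tls_checkpeer)" != "yes" ]; then
        echo "tls_checkpeer is not 'yes'; server certificate would not be verified" >&2
        return 1
    fi
    return 0
}

# make_demo_conf DIR
# Constructed sample ldap.conf in the state the %post above starts from
# (ssl no, no CA configured) plus an empty stand-in for the CA file; prints
# the config path.
make_demo_conf() {
    printf 'host ldap.yourdomain.com\nbase dc=yourdomain,dc=com\nssl no\n' > "$1/ldap.conf"
    : > "$1/cacert.asc"
    printf '%s\n' "$1/ldap.conf"
}

# Stand-alone run: take the constructed config from "ssl no" to a verified
# TLS setup, applying one option twice to show the edit is idempotent.
d=$(mktemp -d)
conf=$(make_demo_conf "$d")
check_ldap_tls "$conf" || echo "before: not TLS-ready (expected)"
set_ldap_option "$conf" ssl on
set_ldap_option "$conf" tls_cacertfile "$d/cacert.asc"
set_ldap_option "$conf" tls_checkpeer yes
set_ldap_option "$conf" ssl on           # second run: still exactly one ssl line
check_ldap_tls "$conf" && echo "after: TLS-ready"
cat "$conf"
rm -rf "$d"
```

In that file `ssl on` selects ldaps:// on its own port, while `ssl start_tls` upgrades a connection on the plain LDAP port; the check accepts either. `tls_checkpeer yes` is what makes the client reject a server certificate that does not chain to `tls_cacertfile`, so a CA file that is configured but not checked buys encryption without authentication. The CA file is the trust anchor for every later login, so it should reach the client over a channel you already trust; fetching it with plain `wget http://...` from the install server, as in the %post above, makes that anchor only as protected as the install network.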