Setting up LDAP/SSL during kickstart

mups.cp mups.cp at gmail.com
Sat Sep 8 00:55:28 UTC 2007


The starttls function tells the application to negotiate an encrypted
session. Whether it is SSL or TLS depends on the way the keys were generated.
With 'openssl ciphers -v ALL' you can check the options your openssl
can generate keys with. Look at the SSL version.

See:
http://sial.org/howto/openssl/tls-name/


On 9/6/07, Harry Hoffman <hhoffman at ip-solutions.net> wrote:
> Ah, perhaps I was misunderstanding...
>
> I was thinking TLS, e.g. on port 389 it is non-encrypted until a starttls
> is issued, vs. SSL on port 636 where the encryption is constantly enabled.
>
> Cheers,
> Harry
>
> mups.cp wrote:
> > SSL = SSLv1 or SSLv2
> > TLS = SSLv3
> >
> > On 9/6/07, Harry Hoffman <hhoffman at ip-solutions.net> wrote:
> >> Hi,
> >>
> >> Thanks for reviewing.
> >>
> >> I'm on RHEL4 and was having all sorts of weird issues with using
> >> auth/authconfig.
> >>
> >> Does TLS == SSL for LDAP?
> >>
> >> Cheers,
> >> Harry
> >>
> >>
> >> mups.cp wrote:
> >>> The kickstart auth option allows setting most of the options you are setting
> >>> in %post.
> >>> http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Installation_Guide-en-US/s1-kickstart2-options.html
> >>> has all you need. Look for auth/authconfig
> >>>
> >>>
> >>>> %post
> >>>> # Setup LDAP
> >>>> #
> >>>> # equiv to running setup tool
> >>>> authconfig --kickstart --enableshadow --enablemd5 --enableldap \
> >>>>     --enableldapauth --ldapserver ldap.yourdomain.com --ldapbasedn \
> >>>>     dc=yourdomain,dc=com
> >>> Use this outside %post. Look at the link above.
> >>>
> >>>
> >>>> #
> >>>> # Turn SSL on in the config files
> >>>> perl -p -i -e 's/^ssl no/ssl on/g' /etc/ldap.conf
> >>>> echo "tls_cacertfile /etc/openldap/cacerts/cacert.asc" >> /etc/ldap.conf
> >>>> echo "URI ldaps://ldap.yourdomain.com" >> /etc/openldap/ldap.conf
> >>> Again, not necessary if using the above --enableldaptls.
> >>>
> >>>> #
> >>>> # Create a directory to hold our Cert Auth certificate
> >>>> mkdir -p /etc/openldap/cacerts
> >>>> # Download the CA certificate
> >>>> wget -O /etc/openldap/cacerts/cacert.asc http://INSTALL_SERVER/cacert.asc
> >>>> #
> >>> OK
> >>>
> >>>> # Have PAM autocreate home directories upon login
> >>>> echo "session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077" \
> >>>>     >> /etc/pam.d/system-auth
> >>> This is useful only if users connect through ssh.
> >>> Through samba use root preexec to create the home dir automatically.
> >>> For Linux clients use autofs.
> >>>
> >>>> #
> >>>> # Ensure that local authorization is enough to get on the system
> >>>> # (i.e. root can login)
> >>>> perl -p -i -e 's/^USELOCAUTHORIZE=no/USELOCAUTHORIZE=yes/' \
> >>>>     /etc/sysconfig/authconfig
> >>> My system works without changing this.
> >>>
> >>> _______________________________________________
> >>> Kickstart-list mailing list
> >>> Kickstart-list at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/kickstart-list
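Added example, not code from the thread, from Harry's original %post or from Red Hat's docs: a %post fragment that ties the points above together. It uses authconfig --enableldaptls for STARTTLS on port 389 (the ldap_uri function also covers the ldaps:// on 636 case Harry describes), turns on tls_checkpeer / TLS_REQCERT so the client refuses a server it cannot verify, and checks the CA certificate's SHA-1 fingerprint before trusting it, because the thread fetches that file over plain http from the install server. The hostname, base DN and cacert path are the thread's; the fingerprint value, the "apply" guard and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): %post helpers for nss_ldap/pam_ldap
# over STARTTLS (389) or ldaps (636), with the CA certificate pinned.
# Hostname, base DN and cert path come from the thread; the fingerprint
# below is a placeholder (assumption) that must be replaced.

LDAP_HOST="ldap.yourdomain.com"
LDAP_BASE="dc=yourdomain,dc=com"
CACERT_URL="http://INSTALL_SERVER/cacert.asc"
CACERT_PATH="/etc/openldap/cacerts/cacert.asc"
# Assumed value: SHA-1 fingerprint of the CA cert, obtained out of band with
# "openssl x509 -noout -fingerprint -sha1 -in cacert.asc" and pasted here.
CACERT_SHA1="00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"

# Print the client URI for a mode: "tls" = STARTTLS on 389, "ssl" = ldaps
# on 636. Any other mode is an error.
ldap_uri() {
    case "$1" in
        tls) echo "ldap://$2" ;;
        ssl) echo "ldaps://$2" ;;
        *)   echo "ldap_uri: unknown mode '$1'" >&2; return 1 ;;
    esac
}

# Set "key value" in a flat config file: replace an existing uncommented
# line for that key, or append one. Uses a temp file so it works with any sed.
set_conf_option() {
    file=$1; key=$2; value=$3
    touch "$file"
    if grep -q "^$key[[:space:]]" "$file"; then
        sed "s|^$key[[:space:]].*|$key $value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Compare the downloaded cert's SHA-1 fingerprint with the pinned value.
# The thread fetches the CA over plain http, so without this check anything
# on the install network could hand the client a bogus CA.
verify_ca_fingerprint() {
    cert=$1; expected=$2
    actual=$(openssl x509 -noout -fingerprint -sha1 -in "$cert" 2>/dev/null \
             | sed 's/^.*=//' | tr 'a-f' 'A-F')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Write the nss_ldap/pam_ldap file (/etc/ldap.conf on RHEL4/5) and the
# OpenLDAP client file (/etc/openldap/ldap.conf) for the chosen mode, with
# server certificate checking turned on in both.
configure_ldap_client() {
    nss_conf=$1; ldap_conf=$2; mode=$3; host=$4; base=$5; cacert=$6
    uri=$(ldap_uri "$mode" "$host") || return 1
    set_conf_option "$nss_conf" uri "$uri"
    set_conf_option "$nss_conf" base "$base"
    if [ "$mode" = tls ]; then
        set_conf_option "$nss_conf" ssl start_tls
    else
        set_conf_option "$nss_conf" ssl on
    fi
    set_conf_option "$nss_conf" tls_cacertfile "$cacert"
    set_conf_option "$nss_conf" tls_checkpeer yes      # refuse unverifiable servers
    set_conf_option "$ldap_conf" URI "$uri"
    set_conf_option "$ldap_conf" BASE "$base"
    set_conf_option "$ldap_conf" TLS_CACERT "$cacert"
    set_conf_option "$ldap_conf" TLS_REQCERT demand
}

# The part that belongs in %post. It only runs when invoked as
# "sh this.sh apply" (assumed guard) so the functions can be exercised alone.
if [ "${1:-}" = "apply" ]; then
    set -e
    authconfig --kickstart --enableshadow --enablemd5 \
        --enableldap --enableldapauth --enableldaptls \
        --ldapserver "$LDAP_HOST" --ldapbasedn "$LDAP_BASE"
    mkdir -p "$(dirname "$CACERT_PATH")"
    wget -O "$CACERT_PATH" "$CACERT_URL"
    verify_ca_fingerprint "$CACERT_PATH" "$CACERT_SHA1" \
        || { echo "CA fingerprint mismatch, refusing to trust $CACERT_PATH" >&2; exit 1; }
    configure_ldap_client /etc/ldap.conf /etc/openldap/ldap.conf tls \
        "$LDAP_HOST" "$LDAP_BASE" "$CACERT_PATH"
fi
```

Passing "ssl" instead of "tls" to configure_ldap_client produces the ldaps://host on 636 layout from Harry's script ("ssl on" plus an ldaps:// URI); "tls" produces what --enableldaptls sets up (STARTTLS on 389). In both cases the fingerprint check runs before the file is referenced from any config, so a bad download fails the install instead of silently trusting an attacker's CA.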