Setting up LDAP/SSL during kickstart

Harry Hoffman hhoffman at ip-solutions.net
Sat Sep 8 01:13:14 UTC 2007


nice! thanks very much for the help and pointers.

Cheers,
Harry

mups.cp wrote:
> The starttls function tells the application to negotiate an encrypted
> session. Either SSL or TLS depends on the way the keys were generated.
> With 'openssl ciphers -v ALL' you can check the options for which your
> openssl could generate keys. Look at the SSL version.
> 
> See:
> http://sial.org/howto/openssl/tls-name/
> 
> 
> On 9/6/07, Harry Hoffman <hhoffman at ip-solutions.net> wrote:
>> Ah, perhaps I was misunderstanding...
>>
>> I was thinking TLS, e.g. on port 389 it is non-encrypted until a starttls
>> is issued, vs. SSL on port 636 where the encryption is constantly enabled.
>>
>> Cheers,
>> Harry
>>
>> mups.cp wrote:
>>> SSL = SSLv1 or SSLv2
>>> TLS = SSLv3
>>>
>>> On 9/6/07, Harry Hoffman <hhoffman at ip-solutions.net> wrote:
>>>> Hi,
>>>>
>>>> Thanks for reviewing.
>>>>
>>>> I'm on RHEL4 and was having all sorts of weird issues with using
>>>> auth/authconfig.
>>>>
>>>> Does TLS == SSL for LDAP?
>>>>
>>>> Cheers,
>>>> Harry
>>>>
>>>>
>>>> mups.cp wrote:
>>>>> The kickstart auth option allows setting most of the options you are setting
>>>>> in %post.
>>>>> http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Installation_Guide-en-US/s1-kickstart2-options.html
>>>>> has all you need. Look for auth/authconfig.
>>>>>
>>>>>
>>>>>> %post
>>>>>> # Setup LDAP
>>>>>> #
>>>>>> # equiv to running setup tool
>>>>>> authconfig --kickstart --enableshadow --enablemd5 --enableldap \
>>>>>>     --enableldapauth --ldapserver ldap.yourdomain.com --ldapbasedn \
>>>>>>     dc=yourdomain,dc=com
>>>>> Use this outside %post. Look at the link above.
>>>>>
>>>>>
>>>>>> #
>>>>>> # Turn SSL on in the config files
>>>>>> perl -p -i -e 's/^ssl no/ssl on/g' /etc/ldap.conf
>>>>>> echo "tls_cacertfile /etc/openldap/cacerts/cacert.asc" >> /etc/ldap.conf
>>>>>> echo "URI ldaps://ldap.yourdomain.com" >> /etc/openldap/ldap.conf
>>>>> Again, not necessary if using the above --enableldaptls.
>>>>>
>>>>>> #
>>>>>> # Create a directory to hold our Cert Auth certificate
>>>>>> mkdir -p /etc/openldap/cacerts
>>>>>> # Download the CA certificate
>>>>>> wget -O /etc/openldap/cacerts/cacert.asc http://INSTALL_SERVER/cacert.asc
>>>>>> #
>>>>> OK
>>>>>
>>>>>> # Have PAM autocreate home directories upon login
>>>>>> echo "session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077" >> /etc/pam.d/system-auth
>>>>> This is useful only if users connect through ssh.
>>>>> Through samba use root preexec to create the home dir automatically.
>>>>> For Linux clients use autofs.
>>>>>
>>>>>> #
>>>>>> # Ensure that local authorization is enough to get on the system
>>>>>> # (i.e. root can login)
>>>>>> perl -p -i -e 's/^USELOCAUTHORIZE=no/USELOCAUTHORIZE=yes/' \
>>>>>>     /etc/sysconfig/authconfig
>>>>> My system works without changing this.
>>>>>
>>>>> _______________________________________________
>>>>> Kickstart-list mailing list
>>>>> Kickstart-list at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/kickstart-list
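What the quoted advice amounts to, as an added example that is not part of the thread or the Red Hat docs: the kickstart `auth` line with `--enableldaptls` replaces the authconfig call and the perl edits in %post, and the %post that remains fetches the CA certificate, pins its fingerprint (it arrives over plain HTTP from the install server) and confirms that STARTTLS actually negotiates before the first boot. The hostnames, base DN, INSTALL_SERVER and the PINNED value are placeholders; that `tls_checkpeer` is honoured by the RHEL4 nss_ldap/pam_ldap is an assumption.

```kickstart
# Kickstart 'auth' directive: same effect as the authconfig call in %post,
# plus TLS on port 389. Hostname and base DN are placeholders (assumed).
auth --enableshadow --enablemd5 --enableldap --enableldapauth --enableldaptls \
     --ldapserver ldap.yourdomain.com --ldapbasedn dc=yourdomain,dc=com

%post
# Fetch the CA certificate the LDAP server's certificate chains to.
mkdir -p /etc/openldap/cacerts
wget -q -O /etc/openldap/cacerts/cacert.asc http://INSTALL_SERVER/cacert.asc

# The CA cert came over plain HTTP, so pin its fingerprint: a substituted CA
# must not silently become trusted. PINNED is a placeholder to fill in.
PINNED="SHA1 Fingerprint=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX"
ACTUAL=$(openssl x509 -noout -fingerprint -sha1 -in /etc/openldap/cacerts/cacert.asc)
if [ "$ACTUAL" != "$PINNED" ]; then
    # Drop the file; with tls_checkpeer yes below, LDAP logins then fail closed
    # instead of trusting an unknown server.
    echo "CA certificate fingerprint mismatch, not trusting it" >&2
    rm -f /etc/openldap/cacerts/cacert.asc
fi

# Point both client libraries at the CA file so the server certificate is verified:
# nss_ldap/pam_ldap read /etc/ldap.conf, the OpenLDAP tools read /etc/openldap/ldap.conf.
echo "tls_cacertfile /etc/openldap/cacerts/cacert.asc" >> /etc/ldap.conf
echo "tls_checkpeer yes" >> /etc/ldap.conf
echo "TLS_CACERT /etc/openldap/cacerts/cacert.asc" >> /etc/openldap/ldap.conf

# Prove STARTTLS works before rebooting: -ZZ makes ldapsearch fail unless the
# TLS negotiation (including certificate verification) succeeds.
ldapsearch -x -ZZ -H ldap://ldap.yourdomain.com -b dc=yourdomain,dc=com -s base \
    '(objectclass=*)' dn > /root/ldap-tls-check.log 2>&1 \
    || echo "LDAP STARTTLS check FAILED, see /root/ldap-tls-check.log" >&2
```

The check log survives in /root on the installed system, so a host whose LDAP TLS never came up is visible without logging in through LDAP.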