LDAP over TLS2011/03/19

	Use LDAP over TLS and make connection be secure.
[1]	Create SSL certificate first. See here.
[2]	Configure LDAP server

[root@master ~]#

cp /etc/pki/tls/certs/server.* /etc/openldap/cacerts/

[root@master ~]#

chown ldap. /etc/openldap/cacerts/*

[root@master ~]#

ldapmodify -Y EXTERNAL -H ldapi:///

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

# input like follows

dn: cn=config
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/cacerts/server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/cacerts/server.key

# push "Ctrl+D" key to quit

[root@master ~]#

vi /etc/sysconfig/ldap

# line 20: change

SLAPD_LDAPS=

yes

[root@master ~]#

/etc/rc.d/init.d/slapd restart

Stopping slapd: [ OK ]
Starting slapd: [ OK ]

[3]	Configure on Client

[root@www ~]#

vi /etc/openldap/ldap.conf

# add at the last line

URI ldaps://10.0.0.100/
BASE dc=srv,dc=world
TLS_CACERTDIR /etc/openldap/cacerts

TLS_REQCERT allow

[root@www ~]#

vi /etc/nslcd.conf

# line 133: change like follows

ssl no
tls_cacertdir /etc/openldap/cacertsa

ssl start_tls
tls_reqcert allow

[root@www ~]#

vi /etc/pam_ldap.conf

# line 291: change

ssl no
tls_cacertdir /etc/openldap/cacerts

ssl start_tls
tls_reqcert allow

[root@www ~]#

shutdown -r now

www.srv.world login: fedora
Password:
Last login: Sun Mar 20 03:35:28 on ttyS0
[fedora@www ~]$

# logined

Matched Content