Once the LDAP database is ready following the steps in the previous post, we can use authconfig-gtk to configure authentication via ldap. On Fedora, for using LDAP passwords either TLS/SSL or LDAPS is required.
The changes in Fedora 17 make getting started much easier. OpenLDAP creates a directory /etc/openldap/certs and creates an empty database of certificates (using /usr/libexec/openldap/create-certdb.sh)
During the installation, openldap-servers runs /usr/libexec/openldap/generate-server-cert.sh which creates a dummy certificate for the local host and adds it to the certificates database in /etc/openldap/certs.
There is a small inconsistency, which should be resolved soon or it could have been caused by a file from earlier versions which is not replaced by the upgrade.
The files /etc/openldap/ldap.conf and /etc/sssd/sssd.conf use /etc/openldap/cacerts as the directory for the certificates. I needed to manually change that to /etc/openldap/certs.
When I was having problems with certificates, including ldaps in SLAPD_URLS in /etc/sysconfig/slapd and using the following command was helpful:
#TimeoutSec=3
Next: Modifying the schema.
The changes in Fedora 17 make getting started much easier. OpenLDAP creates a directory /etc/openldap/certs and creates an empty database of certificates (using /usr/libexec/openldap/create-certdb.sh)
During the installation, openldap-servers runs /usr/libexec/openldap/generate-server-cert.sh which creates a dummy certificate for the local host and adds it to the certificates database in /etc/openldap/certs.
There is a small inconsistency, which should be resolved soon or it could have been caused by a file from earlier versions which is not replaced by the upgrade.
The files /etc/openldap/ldap.conf and /etc/sssd/sssd.conf use /etc/openldap/cacerts as the directory for the certificates. I needed to manually change that to /etc/openldap/certs.
When I was having problems with certificates, including ldaps in SLAPD_URLS in /etc/sysconfig/slapd and using the following command was helpful:
ldapsearch -ZZ -d 1 -x -LLL -W -D cn=Manager,dc=example,dc=com -H ldaps:///Update and caution: I find that slapd fails to start on reboot. It seems to timeout on some operation. However, it works fine upon:
$ sudo systemctl start slapd.serviceUpdate: this was an issue of too small a timeout for my system in /usr/lib/systemd/system/slapd.service. Commenting the timeout solved the issue.
#TimeoutSec=3
Next: Modifying the schema.
Thanks for the recipe. I was struggling with the certificates.. hope this will resolve my issues
ReplyDelete