Wednesday, June 6, 2012

OpenLDAP, Slapd, Fedora 17 and Authentication

Once the LDAP database is ready following the steps in the previous post, we can use authconfig-gtk to configure authentication via LDAP. On Fedora, either TLS/SSL or LDAPS is required when LDAP passwords are used.

The changes in Fedora 17 make getting started much easier. OpenLDAP creates the directory /etc/openldap/certs and populates it with an empty certificate database (using /usr/libexec/openldap/create-certdb.sh).

During the installation, openldap-servers runs /usr/libexec/openldap/generate-server-cert.sh, which creates a dummy certificate for the local host and adds it to the certificate database in /etc/openldap/certs.

There is a small inconsistency, which should be resolved soon; it could also have been caused by a file from an earlier version that the upgrade did not replace.

The files /etc/openldap/ldap.conf and /etc/sssd/sssd.conf use /etc/openldap/cacerts as the directory for the certificates. I needed to manually change that to /etc/openldap/certs.
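A quick way to catch this mismatch before sssd or the LDAP tools fail with opaque certificate errors is to check that both files name the same certificate directory. The script below is an added example, not part of the original post; it assumes the keys are TLS_CACERTDIR in ldap.conf and ldap_tls_cacertdir in sssd.conf, and it runs against constructed sample files in a temporary directory rather than the real /etc files, so it can be tried safely anywhere.

```shell
#!/bin/sh
# Added example: report when ldap.conf and sssd.conf disagree with the
# certificate directory that actually holds the NSS database.
# Assumes the keys TLS_CACERTDIR (ldap.conf) and ldap_tls_cacertdir (sssd.conf).
set -u

# cacertdir_of FILE KEY
# Prints the value of KEY in FILE (last occurrence wins, as in the real parsers),
# or nothing when the key is absent. Accepts "KEY value" and "key = value" forms.
cacertdir_of() {
    grep -i "^[[:space:]]*$2[[:space:]=]" "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -e 's/^[[:space:]]*[^[:space:]=]*[[:space:]=]*//' -e 's/[[:space:]]*$//'
}

# check_cacertdir LDAP_CONF SSSD_CONF EXPECTED_DIR
# Returns 0 when both files point at EXPECTED_DIR, 1 otherwise, and names
# each file that needs editing.
check_cacertdir() {
    ldap_dir=$(cacertdir_of "$1" TLS_CACERTDIR)
    sssd_dir=$(cacertdir_of "$2" ldap_tls_cacertdir)
    status=0
    if [ "$ldap_dir" != "$3" ]; then
        echo "$1: TLS_CACERTDIR is '${ldap_dir:-unset}', expected '$3'"
        status=1
    fi
    if [ "$sssd_dir" != "$3" ]; then
        echo "$2: ldap_tls_cacertdir is '${sssd_dir:-unset}', expected '$3'"
        status=1
    fi
    return $status
}

# Constructed sample configs reproducing the inconsistency described above:
# both files still name /etc/openldap/cacerts while the database lives in
# /etc/openldap/certs.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ldap.conf" <<'EOF'
# constructed sample of /etc/openldap/ldap.conf
BASE dc=example,dc=com
URI ldaps://localhost/
TLS_CACERTDIR /etc/openldap/cacerts
EOF
cat > "$demo_dir/sssd.conf" <<'EOF'
# constructed sample of the domain section of /etc/sssd/sssd.conf
[domain/default]
id_provider = ldap
ldap_uri = ldaps://localhost/
ldap_tls_cacertdir = /etc/openldap/cacerts
EOF

if check_cacertdir "$demo_dir/ldap.conf" "$demo_dir/sssd.conf" /etc/openldap/certs; then
    echo "certificate directory is consistent"
else
    echo "fix the paths reported above, then restart sssd"
fi
rm -rf "$demo_dir"
```

To run it against a real host, call check_cacertdir with /etc/openldap/ldap.conf, /etc/sssd/sssd.conf and the directory that actually contains the cert8.db/key3.db files; a non-zero exit code means at least one file still points at the old location.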

When I was having problems with certificates, including ldaps in SLAPD_URLS in /etc/sysconfig/slapd and using the following command were helpful:
ldapsearch -ZZ -d 1 -x -LLL  -W -D cn=Manager,dc=example,dc=com -H ldaps:///
Update and caution: I find that slapd fails to start on reboot. It seems to time out on some operation. However, it works fine upon:
$ sudo systemctl start slapd.service
Update: this was an issue of too small a timeout for my system in /usr/lib/systemd/system/slapd.service. Commenting out the timeout solved the issue:
#TimeoutSec=3

Next: Modifying the schema.

1 comment:

  1. Thanks for the recipe. I was struggling with the certificates. I hope this will resolve my issues.