
Linux System Administration Recipes A Problem-Solution Approach

CHAPTER 2 ■ CENTRALIZING YOUR NETWORK: KERBEROS, LDAP, AND NFS

■ Note If you're using TLS over the standard LDAP port, the URI line will be:

URI ldap://ldapserver.example.com

If you're using a self-signed certificate, you can add this line to enable the client to request the server's certificate:

TLS_REQCERT allow

Otherwise, copy the certificate to the client, and set the location with the following:

TLS_CACERT /path/to/file

If you're using a proper CA, you should be able to use this:

TLS_CACERTDIR /usr/share/ca-certificates/

to point to the directory where the ca-certificates package stores certificates; if this causes problems, use the TLS_CACERT option instead.

To set up automount to read from LDAP, see recipe 2-14.

To test your setup, try the following on the client:

ldapsearch -d 1 -x

You should see the TLS information at the top and bottom of the debug output (generated with the -d 1 flag). If you have any problems, try specifying the server explicitly with -H ldaps://ldapserver.example.com. If this works, check that the values in /etc/ldap/ldap.conf match your setup.

Finally, test that Kerberos auth is working by typing kinit and then ldapsearch (in other words, without the -x simple bind flag).

You're there!

Troubleshooting

If your secure LDAP connection isn't working, check that you're definitely using SSL rather than TLS. You may need to add the following to your /etc/libnss-ldap.conf (/etc/ldap.conf on Ubuntu) file:

ssl on

If you use PAM and LDAP together, you should also add it to pam_ldap.conf. Some versions default to TLS and some to SSL; this line forces SSL to be used. At the time of writing, this was a known bug with Debian lenny.
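Before trusting the ldapsearch test above, it is worth checking what the client's TLS_REQCERT and CA settings actually commit you to: with TLS_REQCERT set to allow (or never/try), OpenLDAP keeps the session open even when the server's certificate is missing or fails verification, so that setting belongs to initial testing, not to a production client. The script below is an added example, not from the book; it audits an ldap.conf-style file against those OpenLDAP keyword semantics and runs over three constructed sample configs.

```shell
#!/bin/sh
# Audit an OpenLDAP client config (ldap.conf style) and report whether the
# server certificate will actually be verified. Assumes OpenLDAP keyword
# semantics: TLS_REQCERT never/allow/try let the session continue when the
# certificate is missing or fails verification; demand (the default) needs a
# CA from TLS_CACERT or TLS_CACERTDIR. Returns 0 when verification is in effect.
ldap_tls_audit() {
    conf="$1"
    # Drop comments, then keep the last value of a keyword (later lines win).
    lastval() { sed -e 's/#.*//' "$conf" | awk -v k="$1" 'toupper($1)==k {v=$2} END {print v}'; }
    reqcert=$(lastval TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(lastval TLS_CACERT)
    cadir=$(lastval TLS_CACERTDIR)
    uri=$(lastval URI)
    case "$uri" in
        ldaps://*|ldap://*) ;;
        *) echo "$conf: no URI line, nothing to audit"; return 1 ;;
    esac
    case "$reqcert" in
        never|allow|try)
            echo "$conf: TLS_REQCERT $reqcert -> certificate failures are tolerated, traffic can be intercepted"
            return 1 ;;
    esac
    if [ -z "$cacert" ] && [ -z "$cadir" ]; then
        echo "$conf: TLS_REQCERT demand but no TLS_CACERT/TLS_CACERTDIR -> every TLS connection will fail"
        return 1
    fi
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "$conf: TLS_CACERT $cacert is not readable on this client"
        return 1
    fi
    echo "$conf: certificate verification in effect (${cacert:-$cadir})"
    return 0
}

# Constructed sample configs (not from any real host) showing the outcomes above.
ldap_tls_audit_demo() {
    d=$(mktemp -d)
    touch "$d/ca.pem"
    printf 'URI ldaps://ldapserver.example.com\nTLS_REQCERT allow\n' > "$d/self-signed.conf"
    printf 'URI ldaps://ldapserver.example.com\nTLS_CACERT %s/ca.pem\n' "$d" > "$d/pinned-ca.conf"
    printf 'URI ldaps://ldapserver.example.com\n' > "$d/no-ca.conf"
    for f in "$d"/*.conf; do ldap_tls_audit "$f" || :; done
    rm -rf "$d"
}
```

Run ldap_tls_audit against /etc/ldap/ldap.conf (and pam_ldap.conf where PAM is in use) on each client; a non-zero exit means the connection is either unverified or will not come up at all.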
