FedFsOpenLdapServer0.10

From Linux NFS

Jump to: navigation, search

Contents

Project: fedfs-utils

[ Project Home | News | Downloads | Docs | Mailing Lists | Source Control | Issues ]


Configuring an OpenLDAP server for use with FedFS

fedfs-utils 0.10 provides a tool for creating an NSDB service using OpenLDAP. The tool is called "nsdb-jumpstart." nsdb-jumpstart assumes that OpenLDAP is installed, but no slapd service has been configured.

Uninstalling

If at any point you find the need to erase everything and start over, use:

# systemctl stop slapd.service
# systemctl disable slapd.service
# rm -rf /etc/openldap /var/lib/ldap
# yum erase openldap-servers openldap-clients

This removes all slapd instances and software.

Networking pre-requisites

Unless this LDAP server installation will be accessed only via localhost, the hosting OS must be assigned a fixed IP address with a consistent forward and reverse DNS mapping.

On some RH-based distributions, networking doesn't start until a user logs in on the console. If this is the case, configure the system's network to start automatically.

By default on modern RH-based distributions, an IP-based firewall is enabled during a typical install. Allow other systems to access the LDAP service on this machine by adjusting the firewall configuration. Or disable the firewall entirely if you are sure that's safe to do.

Install the OpenLDAP server software

After installing, updating, and configuring Fedora, install the pre-packaged OpenLDAP server components with:

# yum install openldap openldap-clients openldap-servers

This command adds a new UID and GID, which is user and group "ldap", (55, 55).

The OpenLDAP community recommends building and installing the OpenLDAP server software from source. The source distribution can be found here.

Run the jumpstart tool

The jumpstart tool is run as root:

# nsdb-jumpstart install

Answer the interview questions. When it is complete, you should have a running NSDB.

If you want a secure installation, specify "--security=tls". The nsdb-jumpstart tool will create a self-signed x.509 certificate for this server instance that can be distributed to your file servers. You can find the certificate in /etc/openldap/nsdb-cert.pem.

It is strongly recommended that you use TLS security, as described above, when setting up NSDBs on open networks.

Personal tools