Tag: openldap
-
Require TLS on OpenLDAP
A common question that comes up on the LDAP mailing list and among peers of mine who work with OpenLDAP is “how do I force clients to use secure connections when connecting to my LDAP directory?”. The correct way to require TLS using OpenLDAP is to set minssf=256 under cn=config using the olcSecurity attribute. Here…
-
SSH Public Key Authentication via OpenLDAP on RHEL/CentOS 6.x
With the release of RHEL/CentOS 6.x there are some changes to the way clients authenticate using public keys over SSH with keys stored in OpenLDAP. I was able to get this working with the following modifications. Pre-requisites: * RHEL / CentOS 6.x * openssh-ldap Setup the sshd_config by setting up the AuthorizedKeysCommand. This will execute…
-
TLS Issue with Amazon OpenLDAP 2.4.23-15
Today I had an issue getting a good TLS connection from an OpenLDAP client to an OpenLDAP server on an EC2 instance using the packages supplied by Amazon. The problem packages were: openldap-2.4.23-15.13.amzn1.x86_64 openldap-clients-2.4.23-15.13.amzn1.x86_64 The problem was resolved through updating to version 2.4.23-20 via: yum -y update openldap-clients The problem was produced via the following…
-
Configuring Existing OpenLDAP 2.4+ Directory to Accept TLS Connections
This tip assumes that OpenLDAP is currently running properly on port 389 without SSL/TLS configured and that the database is being used to store the config file via cn=config. 1. Generate an SSL key pair a. private key openssl genrsa -out slapd.key 2048 b. self-signed certificate re: http://www.openssl.org/docs/HOWTO/certificates.txt openssl req -new -x509 -key slapd.key -out…
-
Removing memberUid from OpenLDAP group
The following syntax can be used to remove a user from an OpenLDAP group: $ ldapmodify -x -D “cn=manager,dc=example,dc=com” -W <<EOF > dn: cn=sshusers,ou=groups,dc=example,dc=com > changetype: modify > delete: memberUid > memberUid: previousMember > EOF