Setting up LDAP/SSL during kickstart

Harry Hoffman hhoffman at ip-solutions.net
Thu Sep 6 19:32:08 UTC 2007 

Ah, perhaps I was misunderstanding...

I was thinking TLS, e.g. on port 389 an non-encrypted until a starttls 
was issued vs. SSL on port 636 where the encryption is constantly enabled.

Cheers,
Harry

mups.cp wrote:
> SSL = SSLv1 or SSLv2
> TLS = SSLv3
> 
> On 9/6/07, Harry Hoffman <hhoffman at ip-solutions.net> wrote:
>> Hi,
>>
>> Thanks for reviewing.
>>
>> I'm on RHEL4 and was having all sorts of weird issues with using
>> auth/authconfig.
>>
>> Does TLS == SSL for LDAP?
>>
>> Cheers,
>> Harry
>>
>>
>> mups.cp wrote:
>>> The kickstart auth option allow set must tyhe options you are settings
>>> into %post.
>>> http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Installation_Guide-en-US/s1-kickstart2-options.html
>>> has all you need. Look for auth/authconfig
>>>
>>>
>>>> %post
>>>> # Setup LDAP
>>>> #
>>>> # equiv to running setup tool
>>>> authconfig --kickstart --enableshadow --enablemd5 --enableldap
>>>> --enableldapauth --ldapserver ldap.yourdomain.com --ldapbasedn
>>>> dc=yourdomain,dc=com
>>> Use this out %post. Look the link above.
>>>
>>>
>>>> #
>>>> # Turn SSL on in the config files
>>>> perl -p -i -e 's/^ssl no/ssl on/g' /etc/ldap.conf
>>>> echo "tls_cacertfile /etc/openldap/cacerts/cacert.asc" >> /etc/ldap.conf
>>>> echo "URI ldaps://ldap.yourdomain.com" >> /etc/openldap/ldap.conf
>>> Again, no necessary if using the above --enableldaptls.
>>>
>>>> #
>>>> # Create a directory to hold our Cert Auth certificate
>>>> mkdir -p /etc/openldap/cacerts
>>>> # Download the CA certificate
>>>> wget -O /etc/openldap/cacerts/cacert.asc http://INSTALL_SERVER/cacert.asc
>>>> #
>>> OK
>>>
>>>> # Have PAM autocreate home directories upon login
>>>> echo "session required /lib/security/pam_mkhomedir.so skel=/etc/skel/
>>>> umask=0077" >> /etc/pam.d/system-auth
>>> This is useful only if users connect through ssh.
>>> Through samba use root preexec to create home dir automaticly.
>>> For Linux clients use autofs.
>>>
>>>> #
>>>> # Ensure that local authorization is enough to get on the system
>>>> # (i.e. root can login)
>>>> perl -p -i -e 's/^USELOCAUTHORIZE=no/USELOCAUTHORIZE=yes/'
>>>> /etc/sysconfig/authconfig
>>> My system works without change this.
>>>
>>> _______________________________________________
>>> Kickstart-list mailing list
>>> Kickstart-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/kickstart-list
>> _______________________________________________
>> Kickstart-list mailing list
>> Kickstart-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/kickstart-list
>>
> 
> _______________________________________________
> Kickstart-list mailing list
> Kickstart-list at redhat.com
> https://www.redhat.com/mailman/listinfo/kickstart-list

More information about the Kickstart-list mailing list