
Re: Setting up LDAP/SSL during kickstart



nice! thanks very much for the help and pointers.

Cheers,
Harry

mups.cp wrote:
The starttls function tells the application to negotiate an encrypted
session. Whether it is SSL or TLS depends on the way the keys were generated.
With 'openssl ciphers -v ALL' you can check the options for which your openssl
can generate keys. Look at the SSL version.

See:
http://sial.org/howto/openssl/tls-name/


On 9/6/07, Harry Hoffman <hhoffman ip-solutions net> wrote:
Ah, perhaps I was misunderstanding...

I was thinking TLS, e.g. on port 389 it is non-encrypted until a starttls
is issued, vs. SSL on port 636 where the encryption is always enabled.

Cheers,
Harry

mups.cp wrote:
SSL = SSLv1 or SSLv2
TLS = SSLv3

On 9/6/07, Harry Hoffman <hhoffman ip-solutions net> wrote:
Hi,

Thanks for reviewing.

I'm on RHEL4 and was having all sorts of weird issues with using
auth/authconfig.

Does TLS == SSL for LDAP?

Cheers,
Harry


mups.cp wrote:
The kickstart auth option allows setting most of the options you are setting
in %post.
http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Installation_Guide-en-US/s1-kickstart2-options.html
has all you need. Look for auth/authconfig.


%post
# Setup LDAP
#
# equiv to running setup tool
authconfig --kickstart --enableshadow --enablemd5 --enableldap \
  --enableldapauth --ldapserver ldap.yourdomain.com --ldapbasedn \
  dc=yourdomain,dc=com
Use this outside %post. Look at the link above.


#
# Turn SSL on in the config files
perl -p -i -e 's/^ssl no/ssl on/g' /etc/ldap.conf
echo "tls_cacertfile /etc/openldap/cacerts/cacert.asc" >> /etc/ldap.conf
echo "URI ldaps://ldap.yourdomain.com" >> /etc/openldap/ldap.conf
Again, not necessary if using the above --enableldaptls.

#
# Create a directory to hold our Cert Auth certificate
mkdir -p /etc/openldap/cacerts
# Download the CA certificate
wget -O /etc/openldap/cacerts/cacert.asc http://INSTALL_SERVER/cacert.asc
#
OK

# Have PAM autocreate home directories upon login
echo "session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077" >> /etc/pam.d/system-auth
This is useful only if users connect through ssh.
Through samba use root preexec to create the home dir automatically.
For Linux clients use autofs.

#
# Ensure that local authorization is enough to get on the system
# (i.e. root can login)
perl -p -i -e 's/^USELOCAUTHORIZE=no/USELOCAUTHORIZE=yes/' /etc/sysconfig/authconfig
My system works without changing this.

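One way to tighten the %post step discussed above, as an added example that is not from the thread or from Red Hat: the CA certificate is fetched over plain http, so verify a SHA-256 pinned in the kickstart file before installing it, and check that /etc/ldap.conf really ended up requesting TLS. The URL and paths follow the thread; the hash is a placeholder; sha256sum and wget are assumed available (an older host may need openssl dgst -sha256 instead).

```sh
#!/bin/sh
# Added example: pin and verify the LDAP CA certificate during kickstart %post.
CA_URL="http://INSTALL_SERVER/cacert.asc"        # as in the thread
CA_DEST="/etc/openldap/cacerts/cacert.asc"      # as in the thread
CA_SHA256="REPLACE_WITH_PINNED_SHA256"           # placeholder, set per site

# verify_cacert FILE EXPECTED_SHA256 -> 0 if the file's SHA-256 matches
verify_cacert() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# ldap_conf_secure FILE -> 0 if the pam_ldap/nss_ldap config turns SSL/TLS
# on ("ssl on" or "ssl start_tls") and names a CA file to validate against
ldap_conf_secure() {
    grep -Eq '^ssl[[:space:]]+(on|start_tls)' "$1" &&
    grep -Eq '^tls_cacertfile[[:space:]]+[^[:space:]]' "$1"
}

# install_cacert -> downloads to a temp file, installs only if the hash matches
install_cacert() {
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$CA_URL"; then
        rm -f "$tmp"; return 1
    fi
    if ! verify_cacert "$tmp" "$CA_SHA256"; then
        echo "CA certificate hash mismatch, not installing" >&2
        rm -f "$tmp"; return 1
    fi
    mkdir -p "$(dirname "$CA_DEST")"
    install -m 0644 "$tmp" "$CA_DEST"
    rm -f "$tmp"
}

# Run the install only when asked, so the functions can be sourced/tested.
if [ "${1:-}" = "--install" ]; then
    install_cacert && ldap_conf_secure /etc/ldap.conf
fi
```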
_______________________________________________
Kickstart-list mailing list
Kickstart-list redhat com
https://www.redhat.com/mailman/listinfo/kickstart-list