Revision 3406
Added by Jing Tao about 17 years ago
docs/dev/setup-ldap-TLS.txt | ||
---|---|---|
1 |
1. In /etc/ldap/slapd.conf file, remove the comment symbols of two lines: |
|
1 |
In ldap server host: |
|
2 |
1. In /etc/ldap/slapd.conf (or /etc/openldap/slapd.conf) file, remove the comment symbols of two lines: |
|
2 | 3 |
TLSCertificateFile /var/lib/ldap/cert/cacert.pem |
3 | 4 |
TLSCertificateKeyFile /var/lib/ldap/cert/privkey.pem |
4 | 5 |
|
5 |
2. In /var/lib/ldap/cert directory (which should be as same as the one in slapd.conf file), generate private key:
|
|
6 |
2. In /var/lib/ldap/cert directory (which should be as same as the TLSCertificateKeyFile dir in slapd.conf file), generate private key:
|
|
6 | 7 |
openssl genrsa -out privkey.pem 1024 |
7 | 8 |
|
8 | 9 |
3. In /var/lig/ldap/cert directory, generate self-signed certificate: |
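Review bot: the reworded step 2 still reads "should be as same as" (should be "the same as"), and the unchanged step 3 line right below it carries the path typo "/var/lig/ldap/cert" while step 2 says /var/lib/ldap/cert; since this revision already touches step 2, both could be corrected here. Worth adding to step 2 as well that privkey.pem, written by `openssl genrsa -out privkey.pem 1024`, is the file TLSCertificateKeyFile in step 1 points at and should be readable only by the user slapd runs as, since the command creates it with the caller's default permissions.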
... | ... | |
20 | 21 |
|
21 | 22 |
Note: the country name, state name (full name) and host name should be correct ones. |
22 | 23 |
|
23 |
4. Copy the certificate file - cacert.pem to $JAVA_HOME/jre/lib/security directory. |
|
24 |
Note: the $JAVA_HOME is the java home under which Metacat is running. It can be in different |
|
25 |
machine to Ldap, if Metacat and Ldap are running in different machines. |
|
24 |
4. Restart ldap server. |
|
26 | 25 |
|
27 |
5. In $JAVA_HOME/jre/lib/security directory, import the certificate into key store: |
|
26 |
For java client, e.g, Metacat: |
|
27 |
|
|
28 |
1. Copy the certificate file - cacert.pem from server host to $JAVA_HOME/jre/lib/security directory |
|
29 |
in client host which can be different to the server host. |
|
30 |
Note: the $JAVA_HOME is the java home under which Metacat is running. |
|
31 |
|
|
32 |
2. In $JAVA_HOME/jre/lib/security directory, import the certificate into key store: |
|
28 | 33 |
keytool -import -alias knp-ldap -file cacert.pem -keystore cacerts |
29 | 34 |
|
30 |
6. Restart tomcat.
|
|
35 |
3. Restart tomcat.
|
|
31 | 36 |
|
32 |
7. Restart Ldap. |
|
33 | 37 |
|
38 |
For other client, e.g, ldapsearch: |
|
39 |
|
|
40 |
1. In client host (which can be different to ldap server host), modify the ldap.conf in /etc/lodap |
|
41 |
(or /etc/openldap) directory by adding: |
|
42 |
TLS_REQCERT try |
|
43 |
TLS_CACERT /usr/share/ssl/ldapcerts/cacert.pem |
|
44 |
|
|
45 |
2. Copy the certificate file - cacert.pem from server host to /usr/share/ssl/ldapcerts/ in client host. |
|
46 |
|
|
47 |
3. Make a test search: |
|
48 |
ldapsearch -x -h ldap.ecoinformatics.org -b dc=ecoinformatics,dc=org -LLL -ZZ uid=tao dn |
|
49 |
and you will see something like: |
|
50 |
|
|
51 |
dn: uid=tao,o=NCEAS,dc=ecoinformatics,dc=org |
|
52 |
|
|
53 |
dn: uid=tao,ou=Account,dc=ecoinformatics,dc=org |
|
54 |
|
|
55 |
# refldap://directory.piscoweb.org/ou=people,dc=piscoweb,dc=org??sub |
|
56 |
|
|
57 |
# refldap://ldap.ecoinformatics.org/ou=people,o=ucnrs.org??sub |
|
58 |
|
|
59 |
# refldap://ldap.lternet.edu/o=LTER,dc=ecoinformatics,dc=org??sub |
|
60 |
|
|
61 |
# refldap://directory.piscoweb.org/ou=groups,dc=piscoweb,dc=org??sub |
|
62 |
|
|
63 |
# refldap://dataknp.sanparks.org/o=SANParks,dc=ecoinformatics,dc=org??sub |
|
64 |
|
|
65 |
|
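Review bot: in the new ldapsearch section, step 1 says "/etc/lodap" where "/etc/ldap" is meant (the Java section and step 1 of the server setup use /etc/ldap), and `TLS_REQCERT try` is weaker than needed for a document whose purpose is a TLS-only setup: "try" lets the session proceed when the server presents no certificate at all, whereas "demand" (the OpenLDAP default) terminates it, so suggest `TLS_REQCERT demand` and keep the `-ZZ` in the test search, which already requires a successful StartTLS. Moving "4. Restart ldap server." ahead of the client sections (instead of the old step 7 after tomcat) is a good change, since the keytool import and the ldapsearch test only work against a server already serving the new certificate.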
Add docs for setting up other clients such as ldapsearch.