Revision 3406

Added by Jing Tao over 16 years ago

Add docs for setting up other clients such as ldapsearch.

View differences:

docs/dev/setup-ldap-TLS.txt
1
1. In /etc/ldap/slapd.conf file, remove the comment symbols of two lines:
1
In ldap server host:
2
1. In /etc/ldap/slapd.conf (or /etc/openldap/slapd.conf) file, remove the comment symbols of two lines:
2 3
   TLSCertificateFile /var/lib/ldap/cert/cacert.pem
3 4
   TLSCertificateKeyFile /var/lib/ldap/cert/privkey.pem
4 5

  
5
2. In /var/lib/ldap/cert directory (which should be as same as the one in slapd.conf file), generate private key:
6
2. In /var/lib/ldap/cert directory (which should be as same as the TLSCertificateKeyFile dir in slapd.conf file), generate private key:
6 7
   openssl genrsa -out privkey.pem 1024
7 8

  
8 9
3. In /var/lig/ldap/cert directory, generate self-signed certificate:
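Review bot: the key generation step `openssl genrsa -out privkey.pem 1024` produces a 1024-bit RSA key, which is below current minimum recommendations; suggest `openssl genrsa -out privkey.pem 2048` (or larger). The same step would benefit from a line restricting permissions on privkey.pem so that only the user slapd runs as can read it, since it lives in the same directory as the public cacert.pem referenced by TLSCertificateFile. Also, step 3's path `/var/lig/ldap/cert` is a typo for the `/var/lib/ldap/cert` used in steps 1 and 2.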
......
20 21

  
21 22
   Note: the country name, state name (full name) and host name should be correct ones.
22 23

  
23
4. Copy the certificate file - cacert.pem to $JAVA_HOME/jre/lib/security directory.
24
   Note: the $JAVA_HOME is the java home under which Metacat is running. It can be in different 
25
   machine to Ldap, if Metacat and Ldap are running in different machines. 
24
4. Restart ldap server.
26 25

  
27
5. In $JAVA_HOME/jre/lib/security directory, import the certificate into key store:
26
For java client, e.g, Metacat:
27

  
28
1. Copy the certificate file - cacert.pem from server host to $JAVA_HOME/jre/lib/security directory 
29
   in client host which can be different to the server host.
30
   Note: the $JAVA_HOME is the java home under which Metacat is running. 
31

  
32
2. In $JAVA_HOME/jre/lib/security directory, import the certificate into key store:
28 33
   keytool -import -alias knp-ldap -file cacert.pem -keystore cacerts
29 34

  
30
6. Restart tomcat.
35
3. Restart tomcat.
31 36

  
32
7. Restart Ldap.
33 37

  
38
For other client, e.g, ldapsearch:
39

  
40
1. In client host (which can be different to ldap server host), modify the ldap.conf in /etc/lodap 
41
   (or /etc/openldap) directory by adding:
42
   TLS_REQCERT try
43
   TLS_CACERT /usr/share/ssl/ldapcerts/cacert.pem
44

  
45
2. Copy the certificate file - cacert.pem from server host to  /usr/share/ssl/ldapcerts/ in client host.
46

  
47
3. Make a test search:
48
   ldapsearch -x -h ldap.ecoinformatics.org -b dc=ecoinformatics,dc=org -LLL -ZZ uid=tao dn
49
   and you will see something like:
50

  
51
   dn: uid=tao,o=NCEAS,dc=ecoinformatics,dc=org
52

  
53
   dn: uid=tao,ou=Account,dc=ecoinformatics,dc=org
54

  
55
   # refldap://directory.piscoweb.org/ou=people,dc=piscoweb,dc=org??sub
56

  
57
   # refldap://ldap.ecoinformatics.org/ou=people,o=ucnrs.org??sub
58

  
59
   # refldap://ldap.lternet.edu/o=LTER,dc=ecoinformatics,dc=org??sub
60

  
61
   # refldap://directory.piscoweb.org/ou=groups,dc=piscoweb,dc=org??sub
62

  
63
   # refldap://dataknp.sanparks.org/o=SANParks,dc=ecoinformatics,dc=org??sub
64

  
65

  

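Review bot: `TLS_REQCERT try` in client step 1 weakens server verification: with `try`, the session proceeds normally if the server presents no certificate at all, and only a bad certificate aborts it. Since the client is given the CA certificate through `TLS_CACERT /usr/share/ssl/ldapcerts/cacert.pem`, `TLS_REQCERT demand` (the default) fits better, so that a missing server certificate fails instead of silently falling through; the `-ZZ` flag in the test search already insists on StartTLS succeeding. Two smaller points: `/etc/lodap` in client step 1 is a typo for `/etc/ldap`, and the `keytool -import ... -keystore cacerts` step modifies the JRE trust store and prompts for its keystore password, which the doc could mention.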