On the LDAP server host:

1. In the /etc/ldap/slapd.conf (or /etc/openldap/slapd.conf) file, remove the comment symbols from these two lines:

TLSCertificateFile /var/lib/ldap/cert/cacert.pem
TLSCertificateKeyFile /var/lib/ldap/cert/privkey.pem

2. In the /var/lib/ldap/cert directory (which must be the same directory named by TLSCertificateKeyFile in slapd.conf), generate the private key:

openssl genrsa -out privkey.pem 1024

3. In the /var/lib/ldap/cert directory, generate a self-signed certificate:

openssl req -new -x509 -days 900 -key privkey.pem -out cacert.pem

An example of filling in the certificate fields:

Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:Santa Barbara
Organization Name (eg, company) [My Company Ltd]:UCSB
Organizational Unit Name (eg, section) []:NCEAS
Common Name (eg, your name or your server's hostname) []:dev.nceas.ucsb.edu
(Note: don't put a port number here)
Email Address []:tao@nceas.ucsb.edu

Note: the country name, state name (full name) and host name should be the correct ones.

4. Restart the LDAP server.

For a Java client, e.g. Metacat:

1. Copy the certificate file cacert.pem from the server host to the $JAVA_HOME/jre/lib/security directory on the client host, which can be different from the server host.
Note: $JAVA_HOME is the Java home under which Metacat is running.

2. In the $JAVA_HOME/jre/lib/security directory, import the certificate into the key store:

keytool -import -alias knp-ldap -file cacert.pem -keystore cacerts

3. Restart Tomcat.

For other clients, e.g. ldapsearch:

1. On the client host (which can be different from the LDAP server host), modify ldap.conf in the /etc/ldap (or /etc/openldap) directory by adding:

TLS_REQCERT try
TLS_CACERT /usr/share/ssl/ldapcerts/cacert.pem

2. Copy the certificate file cacert.pem from the server host to /usr/share/ssl/ldapcerts/ on the client host.

3. Make a test search:

ldapsearch -x -h ldap.ecoinformatics.org -b dc=ecoinformatics,dc=org -LLL -ZZ uid=tao dn

and you will see something like:

dn: uid=tao,o=NCEAS,dc=ecoinformatics,dc=org

dn: uid=tao,ou=Account,dc=ecoinformatics,dc=org

# refldap://directory.piscoweb.org/ou=people,dc=piscoweb,dc=org??sub

# refldap://ldap.ecoinformatics.org/ou=people,o=ucnrs.org??sub

# refldap://ldap.lternet.edu/o=LTER,dc=ecoinformatics,dc=org??sub

# refldap://directory.piscoweb.org/ou=groups,dc=piscoweb,dc=org??sub

# refldap://dataknp.sanparks.org/o=SANParks,dc=ecoinformatics,dc=org??sub
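A pre-flight check script for the server and client steps above, added here as an example (it is not part of these notes or of Metacat). It confirms that both TLS directives in slapd.conf are uncommented and point at existing files, that privkey.pem is not readable by group or others, that the certificate's Common Name is the bare hostname (openssl only, skipped if absent), and it reports the client's TLS_REQCERT level. The file layout and directive names are assumed to be the ones used in the notes.

```shell
#!/bin/sh
# Pre-flight check for the slapd TLS setup described in these notes.
# Added example, not part of the original notes. Assumes slapd.conf uses the
# TLSCertificateFile / TLSCertificateKeyFile directives and that the client
# uses ldap.conf with TLS_REQCERT, as above. Needs only sed, grep and find.

# Print the value of an active (uncommented) directive; return 1 if it is
# absent or still behind a '#', which is exactly what step 1 must undo.
conf_value() {            # $1 = config file, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\)$/\1/p" "$1" | head -n 1 | grep .
}

# Both TLS directives must be active and both files must exist on the host.
tls_directives_ok() {     # $1 = slapd.conf
    cert=$(conf_value "$1" TLSCertificateFile) || { echo "TLSCertificateFile missing or commented out"; return 1; }
    key=$(conf_value "$1" TLSCertificateKeyFile) || { echo "TLSCertificateKeyFile missing or commented out"; return 1; }
    [ -r "$cert" ] || { echo "certificate not found: $cert"; return 1; }
    [ -r "$key" ]  || { echo "private key not found: $key"; return 1; }
}

# privkey.pem must not be readable by group or others (POSIX find -perm).
key_is_private() {        # $1 = key file
    [ -z "$(find "$1" \( -perm -g=r -o -perm -o=r \) -print)" ]
}

# Optional: the CN must be the hostname clients connect to, without a port
# (the note next to "Common Name" above). Skipped when openssl is absent.
cert_cn_matches() {       # $1 = cacert.pem, $2 = expected hostname
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -in "$1" -noout -subject | grep -Eq "CN *= *$2(,|/|$)"
}

# Report the client verification level; "try" is what the notes use,
# "demand" (ldap.conf's default) also rejects a server with no certificate.
client_reqcert() {        # $1 = ldap.conf
    conf_value "$1" TLS_REQCERT || echo "unset (defaults to demand)"
}

# Usage: sh ldap_tls_check.sh /etc/ldap/slapd.conf /etc/ldap/ldap.conf host
if [ "$#" -eq 3 ]; then
    tls_directives_ok "$1" && echo "slapd TLS directives: ok"
    keyfile=$(conf_value "$1" TLSCertificateKeyFile) && { key_is_private "$keyfile" && echo "key permissions: ok" || echo "WARNING: $keyfile readable by group/other"; }
    certfile=$(conf_value "$1" TLSCertificateFile) && { cert_cn_matches "$certfile" "$3" && echo "certificate CN matches $3" || echo "WARNING: CN does not match $3"; }
    echo "client TLS_REQCERT: $(client_reqcert "$2")"
fi
```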