metacat / docs / dev / setup-ldap-TLS.txt @ 8569

On the ldap server host:

1. In the /etc/ldap/slapd.conf (or /etc/openldap/slapd.conf) file, remove the comment symbols from two lines:
   TLSCertificateFile /var/lib/ldap/cert/cacert.pem
   TLSCertificateKeyFile /var/lib/ldap/cert/privkey.pem

2. In the /var/lib/ldap/cert directory (which should be the same as the TLSCertificateKeyFile directory in the slapd.conf file), generate the private key:
   openssl genrsa -out privkey.pem 1024

3. In the /var/lib/ldap/cert directory, generate a self-signed certificate:
   openssl req -new -x509 -days 900 -key privkey.pem -out cacert.pem

   An example of the prompts when setting up the certificate:
   Country Name (2 letter code) [GB]:US
   State or Province Name (full name) [Berkshire]:California
   Locality Name (eg, city) [Newbury]:Santa Barbara
   Organization Name (eg, company) [My Company Ltd]:UCSB
   Organizational Unit Name (eg, section) []:NCEAS
   Common Name (eg, your name or your server's hostname) []:dev.nceas.ucsb.edu
   (Note: don't put the port number here)
   Email Address []:tao@nceas.ucsb.edu

   Note: the country name, state name (full name) and host name should be the correct ones.

4. Restart the ldap server.

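The server-side steps above, done non-interactively as an added example (this script is not part of the Metacat docs). It assumes openssl is on PATH and takes the certificate directory as a parameter so it can be tried in a scratch directory before being run against /var/lib/ldap/cert; it also refuses a Common Name that carries a port, since clients match the CN against the bare hostname, and uses a 2048-bit key instead of the page's 1024 bits, which is below what current clients accept.

```sh
#!/bin/sh
# Added example (not from the Metacat docs): steps 2-3 of the server setup,
# driven from a -subj string instead of the interactive prompts.
# Assumptions: openssl on PATH; the target directory is passed in, so the
# page's /var/lib/ldap/cert is only one possible value.

# Build the -subj string for "openssl req" from the fields the page's prompts ask
# for. A CN with a ":port" suffix is rejected, matching the page's note: clients
# compare the CN with the hostname they connect to, never with host:port.
ldap_cert_subject() {
    # $1=country $2=state $3=locality $4=org $5=unit $6=common_name $7=email
    case "$6" in
        *:*) echo "error: common name '$6' must not contain a port" >&2; return 1 ;;
        "")  echo "error: common name is empty" >&2; return 1 ;;
    esac
    printf '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# Generate privkey.pem and the self-signed cacert.pem into directory $1 with
# subject $2 and validity $3 days (default 900, as on the page). The key is
# written under umask 077 so it is not group/world readable.
gen_ldap_cert() {
    dir=$1; subj=$2; days=${3:-900}
    mkdir -p "$dir" || return 1
    ( umask 077 && openssl genrsa -out "$dir/privkey.pem" 2048 2>/dev/null ) || return 1
    openssl req -new -x509 -days "$days" -key "$dir/privkey.pem" \
        -subj "$subj" -out "$dir/cacert.pem" 2>/dev/null || return 1
}

# Print the CN of certificate $1, to compare with the hostname clients will use
# (e.g. the ldapsearch -h value) before the cert is copied to clients.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Usage (values are the page's example subject):
#   subj=$(ldap_cert_subject US California "Santa Barbara" UCSB NCEAS dev.nceas.ucsb.edu tao@nceas.ucsb.edu)
#   gen_ldap_cert /var/lib/ldap/cert "$subj" 900 && cert_cn /var/lib/ldap/cert/cacert.pem
```

After generating, `openssl verify -CAfile cacert.pem cacert.pem` should succeed: the same file is both the server certificate and the CA that clients are told to trust, which is exactly what the TLS_CACERT and keytool steps later rely on.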
For a java client, e.g., Metacat:

1. Copy the certificate file cacert.pem from the server host to the $JAVA_HOME/jre/lib/security directory
   on the client host, which can be different from the server host.
   Note: $JAVA_HOME is the java home under which Metacat is running.

2. In the $JAVA_HOME/jre/lib/security directory, import the certificate into the key store:
   keytool -import -alias knp-ldap -file cacert.pem -keystore cacerts

3. Restart tomcat.

For other clients, e.g., ldapsearch:

1. On the client host (which can be different from the ldap server host), modify ldap.conf in the /etc/ldap
   (or /etc/openldap) directory by adding:
   TLS_REQCERT try
   TLS_CACERT /usr/share/ssl/ldapcerts/cacert.pem

2. Copy the certificate file cacert.pem from the server host to /usr/share/ssl/ldapcerts/ on the client host.

3. Make a test search:
   ldapsearch -x -h ldap.ecoinformatics.org -b dc=ecoinformatics,dc=org -LLL -ZZ uid=tao dn
   and you will see something like:

   dn: uid=tao,o=NCEAS,dc=ecoinformatics,dc=org

   dn: uid=tao,ou=Account,dc=ecoinformatics,dc=org

   # refldap://directory.piscoweb.org/ou=people,dc=piscoweb,dc=org??sub

   # refldap://ldap.ecoinformatics.org/ou=people,o=ucnrs.org??sub

   # refldap://ldap.lternet.edu/o=LTER,dc=ecoinformatics,dc=org??sub

   # refldap://directory.piscoweb.org/ou=groups,dc=piscoweb,dc=org??sub

   # refldap://dataknp.sanparks.org/o=SANParks,dc=ecoinformatics,dc=org??sub

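The two client sections above (the keytool import for Metacat and the ldap.conf plus ldapsearch check for other clients) as one added example; these functions are not part of the Metacat docs. They assume keytool and ldapsearch are on PATH when called, that the trust store is the Java 8 path the page uses ($JAVA_HOME/jre/lib/security/cacerts; Java 9 and later keep it at $JAVA_HOME/lib/security/cacerts) with its default password "changeit", and that the alias knp-ldap from the page is wanted. The ldap.conf writer defaults to TLS_REQCERT demand rather than the page's try: with try, libldap still proceeds when the server presents no certificate at all, so a misconfigured server silently gets no server authentication, while demand makes a missing or unverifiable certificate fatal.

```sh
#!/bin/sh
# Added example (not from the Metacat docs): client-side setup and checks for
# the java-client and other-client sections. Assumptions: keytool and
# ldapsearch on PATH when those functions run; cacerts password "changeit"
# (the JDK default); alias knp-ldap as on the page.

# Append the client TLS settings to ldap.conf $1, trusting CA file $2.
# $3 is the TLS_REQCERT level; "demand" (the libldap default) is used unless
# the caller asks for the page's weaker "try".
write_ldap_tls_conf() {
    conf=$1; cacert=$2; reqcert=${3:-demand}
    printf 'TLS_REQCERT %s\nTLS_CACERT %s\n' "$reqcert" "$cacert" >> "$conf"
}

# Print the effective TLS_REQCERT level of ldap.conf $1 (last setting wins,
# as in libldap; absent means "demand") and return non-zero when the level is
# weaker than demand/hard, i.e. when the server certificate is not enforced.
ldap_conf_reqcert() {
    level=$(awk 'tolower($1)=="tls_reqcert"{v=tolower($2)} END{if(v=="")v="demand"; print v}' "$1")
    echo "$level"
    [ "$level" = demand ] || [ "$level" = hard ]
}

# Import the server's self-signed cacert.pem ($2) into trust store $1 without
# prompting, then confirm the alias is listed (java client step 2).
import_ldap_ca() {
    keystore=$1; cacert=$2; alias=${3:-knp-ldap}; storepass=${4:-changeit}
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
        -file "$cacert" -keystore "$keystore" -storepass "$storepass" >/dev/null || return 1
    keytool -list -alias "$alias" -keystore "$keystore" -storepass "$storepass" >/dev/null
}

# StartTLS smoke test against host $1 with base DN $2 (other client step 3).
# -ZZ makes ldapsearch fail unless StartTLS succeeds, and LDAPTLS_REQCERT=demand
# forces certificate verification for this run regardless of ldap.conf, so a
# CA mismatch surfaces here instead of as an unencrypted fallback.
ldap_tls_check() {
    host=$1; base=$2
    LDAPTLS_REQCERT=demand ldapsearch -x -H "ldap://$host" -b "$base" -s base -LLL -ZZ \
        '(objectClass=*)' dn >/dev/null
}

# Usage:
#   write_ldap_tls_conf /etc/ldap/ldap.conf /usr/share/ssl/ldapcerts/cacert.pem
#   ldap_conf_reqcert /etc/ldap/ldap.conf || echo "server cert not enforced"
#   import_ldap_ca "$JAVA_HOME/jre/lib/security/cacerts" /usr/share/ssl/ldapcerts/cacert.pem
#   ldap_tls_check ldap.ecoinformatics.org dc=ecoinformatics,dc=org
```

Running ldap_conf_reqcert against the page's configuration prints "try" and returns non-zero, which is the check to run before trusting that a client is actually authenticating the directory server.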