FedFsOpenLdapServer0.10
From Linux NFS
Chucklever (Talk | contribs) (→Run the jumpstart tool)
Latest revision as of 20:19, 3 February 2014
Project: fedfs-utils
Configuring an OpenLDAP server for use with FedFS
fedfs-utils 0.10 provides a tool for creating an NSDB service using OpenLDAP. The tool is called "nsdb-jumpstart." nsdb-jumpstart assumes that OpenLDAP is installed, but no slapd service has been configured.
Uninstalling
If at any point you find the need to erase everything and start over, use:
# systemctl stop slapd.service
# systemctl disable slapd.service
# rm -rf /etc/openldap /var/lib/ldap
# yum erase openldap-servers openldap-clients
This removes all slapd instances and software.
Networking pre-requisites
Unless this LDAP server installation will be accessed only via localhost, the hosting OS must be assigned a fixed IP address with a consistent forward and reverse DNS mapping.
On some RH-based distributions, networking doesn't start until a user logs in on the console. If this is the case, configure the system's network to start automatically.
By default on modern RH-based distributions, an IP-based firewall is enabled during a typical install. Allow other systems to access the LDAP service on this machine by adjusting the firewall configuration. Or disable the firewall entirely if you are sure that's safe to do.
Install the OpenLDAP server software
After installing, updating, and configuring Fedora, install the pre-packaged OpenLDAP server components with:
# yum install openldap openldap-clients openldap-servers
This command adds a new user and group named "ldap" (UID 55, GID 55).
The OpenLDAP community recommends building and installing the OpenLDAP server software from source. The source distribution can be found here.
Run the jumpstart tool
The jumpstart tool is run as root:
# nsdb-jumpstart install
Answer the interview questions. When it is complete, you should have a running NSDB.
If you want a secure installation, specify "--security=tls". The nsdb-jumpstart tool will create a self-signed X.509 certificate for this server instance that can be distributed to your file servers. You can find the certificate in /etc/openldap/nsdb-cert.pem.
It is strongly recommended that you use TLS security, as described above, when setting up NSDBs on open networks.
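Because the certificate nsdb-jumpstart writes to /etc/openldap/nsdb-cert.pem is self-signed, a file server that installs it has no CA to fall back on: the copy it receives is trustworthy only if it is byte-for-byte the one the NSDB host generated. The script below is an added example, not part of fedfs-utils or of this page; it shows the check an administrator would run on each file server before installing the certificate: compare the SHA-256 fingerprint of the received copy with the value read on the NSDB host and passed along by some other route, and confirm the file validates as its own trust anchor. It assumes openssl(1) is installed, and since nsdb-jumpstart is not run here, it generates throwaway self-signed certificates (constructed test data, CN chosen arbitrarily) in a temporary directory to stand in for the real nsdb-cert.pem.

```shell
#!/bin/sh
# Added example, not code from fedfs-utils or the wiki page.
# Assumes openssl(1) is available. The certificates created by
# make_test_cert are constructed stand-ins for /etc/openldap/nsdb-cert.pem.
set -e

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex
# without colons, so it can be compared as a single token.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Exit 0 only if the certificate in $1 has the expected fingerprint $2.
# Run on a file server before installing its copy of the certificate,
# with $2 obtained from the NSDB host over a different channel than the
# one the certificate file travelled on.
verify_cert_pin() {
    [ "$(cert_fingerprint "$1")" = "$2" ]
}

# Exit 0 only if the certificate in $1 validates against itself, i.e. it
# is self-signed and can serve as a trust anchor on the file server.
verify_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Generate a throwaway self-signed certificate (constructed test data)
# at path $1 for common name $2; the private key goes to "$1.key".
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)

    # 1. On the NSDB host: read the fingerprint of the certificate
    #    (here the stand-in) and publish it out of band.
    make_test_cert "$dir/nsdb-cert.pem" nsdb.example.net
    expected=$(cert_fingerprint "$dir/nsdb-cert.pem")
    echo "NSDB host publishes fingerprint: $expected"

    # 2. On a file server: the received copy matches the pin and is
    #    a usable trust anchor.
    cp "$dir/nsdb-cert.pem" "$dir/received.pem"
    verify_cert_pin "$dir/received.pem" "$expected" && echo "received copy: pin OK"
    verify_self_signed "$dir/received.pem" && echo "received copy: self-signed trust anchor OK"

    # 3. A different certificate issued for the same name (constructed
    #    here) does not match the pin and must not be installed.
    make_test_cert "$dir/impostor.pem" nsdb.example.net
    if verify_cert_pin "$dir/impostor.pem" "$expected"; then
        echo "impostor: pin OK (unexpected)"
    else
        echo "impostor: fingerprint mismatch, rejected"
    fi

    rm -rf "$dir"
}

demo
```

In a real deployment only the two verify functions run on the file server; the fingerprint itself is read on the NSDB host with `openssl x509 -in /etc/openldap/nsdb-cert.pem -noout -fingerprint -sha256` and carried to the file servers separately from the certificate file, otherwise the comparison proves nothing.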