Setting up ldap over TLS in kickstart file

pbegou38
Posts: 1
Joined: 2018/06/14 10:27:39

Post by pbegou38 » 2018/06/14 10:35:10

I do not know if this is the right place to post this question, maybe the security or network topics, but...

I have been facing a problem with setting up LDAP+TLS client authentication in a kickstart script on CentOS 7 for several days.

Setting up the config manually with system-config-authentication works, but I need to automate this in kickstart for deploying cluster nodes.
This shows that the server side is running fine.

At this time the message is

# systemctl status sssd
....
sssd[be[default]][2732]: Could not start TLS encryption. error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate)
In my kickstart file I use:

auth  --useshadow --enableldaptls --enablecache  --passalgo=sha512 --enableldap --enableldapauth --ldapserver="ldaps://my.ldap.server.fr" --ldapbasedn=dc=my,dc=base,dc=dn
Then in a post-install script I download the server and CA certificates and stop nslcd, which I do not use:

# Accept the server certificate even when it cannot be verified (ldap.conf only affects the OpenLDAP client tools, not sssd)
echo "TLS_REQCERT allow">>/etc/openldap/ldap.conf
# Fetch the CA bundle and create the <subject-hash>.0 symlink that a cacertdir lookup expects
cd /etc/openldap/cacerts/ && wget http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/ca-bundle.crt && ln -s ca-bundle.crt $(openssl x509 -hash -in ca-bundle.crt -noout).0
# Fetch the server certificate as well
cd /etc/openldap/certs/ && wget http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/server.crt
cd /
# nslcd is not used; sssd handles LDAP
systemctl disable nslcd
I'm unable to see what more system-config-authentication is doing in its setup.

Thanks for your help

Patrick

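The %post fragment above works around the verification failure with "TLS_REQCERT allow", which only affects the OpenLDAP command-line tools (sssd reads ldap_tls_cacert / ldap_tls_reqcert from sssd.conf, not ldap.conf), and it builds a single <hash>.0 symlink with `openssl x509 -hash`, which only hashes the first certificate in a bundle. The script below is an added example, not code from the post or from CentOS: it installs the CA into the system trust store, points sssd at the regenerated system bundle with verification demanded, strips the weakening line from ldap.conf, and checks the chain with openssl before sssd is started. The LDAP URI, base DN, CA download URL and the "default" domain name are assumptions; the functions take paths as parameters so they can be exercised against a scratch directory.

```shell
#!/bin/bash
# Added example for a kickstart %post section (not from the original post).
# Assumed values; replace with your own.
LDAP_URI="ldaps://my.ldap.server.fr"              # assumption, from the post's example
LDAP_BASE_DN="dc=my,dc=base,dc=dn"                # assumption, from the post's example
CA_URL="https://ca.example.internal/ldap-ca.crt"  # assumption: hypothetical CA download URL
SYSTEM_BUNDLE="/etc/pki/tls/certs/ca-bundle.crt"  # regenerated by update-ca-trust on CentOS 7

# Copy the CA into the trust-anchor directory. Every OpenSSL/NSS consumer on the
# host then sees it once the store is refreshed; no per-file hash symlinks needed.
install_ca_anchor() {
  local src=$1 anchor_dir=${2:-/etc/pki/ca-trust/source/anchors}
  install -m 0644 "$src" "$anchor_dir/ldap-ca.crt"
}

# Regenerate the consolidated bundle (kept separate so it is only run on a real node).
refresh_trust_store() {
  update-ca-trust
}

# Write a minimal sssd.conf for an ldaps:// server. ldap_tls_reqcert = demand makes
# sssd refuse a server certificate that does not chain to ldap_tls_cacert, which
# is the behaviour the "allow" workaround was hiding. sssd refuses to start unless
# the file is root-owned and mode 0600, hence the chmod. (With an ldap:// URI you
# would add ldap_id_use_start_tls = true; ldaps:// already encrypts the session.)
write_sssd_conf() {
  local dest=$1 uri=$2 basedn=$3 cacert=$4
  cat >"$dest" <<EOF
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = $uri
ldap_search_base = $basedn
ldap_tls_cacert = $cacert
ldap_tls_reqcert = demand
cache_credentials = true
EOF
  chmod 600 "$dest"
}

# Remove any TLS_REQCERT line from ldap.conf and set it to demand, so ldapsearch
# and friends verify the server the same way sssd does instead of masking errors.
harden_ldap_conf() {
  local conf=$1 tmp
  [ -f "$conf" ] || : >"$conf"
  tmp=$(mktemp)
  grep -vE '^[[:space:]]*TLS_REQCERT([[:space:]]|$)' "$conf" >"$tmp" || true
  echo "TLS_REQCERT demand" >>"$tmp"
  mv "$tmp" "$conf"
}

# Return 0 only when sssd demands a verified certificate and ldap.conf does not
# weaken verification for the client tools.
tls_config_is_strict() {
  local sssd_conf=$1 ldap_conf=$2
  grep -qE '^[[:space:]]*ldap_tls_reqcert[[:space:]]*=[[:space:]]*(demand|hard)' "$sssd_conf" || return 1
  ! grep -qE '^[[:space:]]*TLS_REQCERT[[:space:]]+(allow|never|try)' "$ldap_conf" 2>/dev/null
}

# Prove the chain before touching sssd: openssl must report a clean verify
# against the CA file, otherwise sssd will fail with exactly the error in the post.
verify_ldaps() {
  local host=$1 cacert=$2
  openssl s_client -connect "$host:636" -servername "$host" -CAfile "$cacert" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# What %post would call on a real node (not invoked here).
ks_post_main() {
  local ca_tmp host
  ca_tmp=$(mktemp)
  curl -fsS -o "$ca_tmp" "$CA_URL"
  install_ca_anchor "$ca_tmp" /etc/pki/ca-trust/source/anchors
  refresh_trust_store
  host=${LDAP_URI#ldaps://}
  verify_ldaps "$host" "$SYSTEM_BUNDLE" || { echo "CA does not verify $host" >&2; return 1; }
  write_sssd_conf /etc/sssd/sssd.conf "$LDAP_URI" "$LDAP_BASE_DN" "$SYSTEM_BUNDLE"
  harden_ldap_conf /etc/openldap/ldap.conf
  systemctl disable nslcd
  systemctl enable sssd
}
```

If you prefer to keep the authconfig-managed layout, the same tool exposes `--ldaploadcacert=<URL>`, which downloads the CA into /etc/openldap/cacerts and rehashes the directory, and `cacertdir_rehash /etc/openldap/cacerts` (from the authconfig package) creates a hash link for every certificate in a bundle rather than only the first; in both cases keep ldap_tls_reqcert at demand and confirm with `openssl s_client -CAfile` before blaming sssd.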