CentOS7: Setting Up Ldap Over TLS In Kickstart File


Hi,

I have been facing a problem with setting up LDAP+TLS client authentication in a kickstart script on CentOS7 for several days.

Setting up the config manually with system-config-authentication works, but I need to automate this in kickstart for deploying cluster nodes. This shows that the server side is running fine.

At this time the message is:

# systemctl status sssd
… sssd[be[default]][2732]: Could not start TLS encryption. error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate)

In my kickstart file I use:
auth

3 thoughts on - CentOS7: Setting Up Ldap Over TLS In Kickstart File

  • I’m a bit stumped. My recipe was similar:

    authconfig --enableshadow --passalgo=sha512 --enablefingerprint --enableldap --enableldapauth --ldapserver=ldap.ourcompany.com --ldapbasedn=dc=ourcompany,dc=com --enablecache --enableldaptls

    then, in %post:

    # fetch the CA certificate into the directory sssd/libldap use as ldap_tls_cacertdir
    # (note the lowercase path: /etc/openldap is the directory the CentOS openldap package owns)
    curl http://www.ourcompany.com/ca/ca.crt \
    -s -o /etc/openldap/cacerts/ca.ourcompany.com.pem
    # create the <subject-hash>.N links that the directory lookup needs
    /usr/sbin/cacertdir_rehash /etc/openldap/cacerts

    And that did the trick.

    The main difference is that you install a bundle of certificates rather than a single one. There are two issues:

    1. Hashing a certificate bundle does no good as far as I know. Hashes
    only work on a single cert, right?

    2. Unless told otherwise, openssl looks in only one place for a cert
    bundle: ${OPENSSLDIR}/cert.pem (where the value of OPENSSLDIR can
    be discovered by running “openssl version -d”).

    You might take a peek at the ldap_tls_cacertdir discussion in the sssd-ldap(5) man page, which specifies that certificates should be in individual files.

    My suggestion would be to isolate the CA certificate used to sign your LDAP server certs, install that as a separate file in ldap_tls_cacertdir, and run cacertdir_rehash to get the hash correct.

  • You probably can avoid setting up nslcd in the first place:

    auth --useshadow --passalgo=sha512 --enablesssd --enablesssdauth \
    --enableldap --ldapserver="ldaps://my.ldap.server.fr" \
    --ldapbasedn=dc=my,dc=base,dc=dn

    See the man page for update-ca-trust.

    I *think* you need to do something more like:

    cd /etc/pki/ca-trust/source/anchors/
    wget http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/ca-bundle.crt
    update-ca-trust extract

    …you shouldn’t have to do anything with the server’s cert specifically.

  • Thanks Paul and Gordon for your reply.

    I'm not sure, but I think the problem is setting up ldap+TLS while the certificates are not yet uploaded on the server. So I decided to set up LDAP in a
    "post" section only, adding the "--enablesssd --enablesssdauth" options suggested by Gordon too.

    in the kickstart file:
    auth