Use the following task to prepare Ubuntu-based PowerFlex servers for use with LDAP.
Prerequisites
Ensure the following:
The OpenLDAP package is installed.
Each LDAP server has a separate base DN.
Steps
On the PowerFlex component host (MDM, Gateway or LIA), ensure that it is possible to establish a TCP connection to the LDAP server's address.
Run the following command, and wait until the operation is finished:
sudo apt-get update
Run:
sudo apt-get install openssh-client ldap-utils
In the OpenLDAP client configuration file, /etc/ldap/ldap.conf, find the value of the TLS_CACERTDIR parameter and write down the path. For non-secure LDAP, skip this step and jump to step 8.
Import the certificate files from the LDAP server to the certificate directory, <TLS_CACERTDIR>, configured in the LDAP client configuration file, /etc/ldap/ldap.conf. For non-secure LDAP, skip this step and jump to step 8.
NOTE: The method of CA certificate import for the OpenLDAP client may differ based on your organization's security guidelines. Consult your security administrator for the steps to import the CA certificates for use with the LDAP client.
Run:
openssl rehash /etc/ssl/certs
NOTE: For non-secure LDAP, skip this step and jump to step 8.
Run the following command and wait until the operation is finished:
sudo update-ca-certificates
NOTE: For non-secure LDAP, skip to the next step.
Add the following lines to the /etc/ldap/ldap.conf file and ensure that all the other lines are commented out:
URI ldaps://example.ldaps.local/
or
URI ldap://server.example.com/
The file contents should be similar to the following example:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
# TLS_CACERT /etc/ssl/certs/ca-certificates.crt
URI ldaps://example.ldaps.local/
For each LDAP server, test that each of its certificates is valid.
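The following script is an added example, not part of the Dell PowerFlex documentation, that checks the result of the procedure above: it confirms that /etc/ldap/ldap.conf has exactly one active URI line (everything else commented out), flags a plain ldap:// URI so that an unencrypted bind is a deliberate choice rather than an oversight, and runs each certificate in the TLS_CACERTDIR through openssl to catch expired files or a directory that was not rehashed. It assumes openssl is installed and that the file and directory paths are passed as arguments; the function names are the example's own.

```shell
#!/bin/sh
# Added example: post-configuration checks for the OpenLDAP client on an
# Ubuntu-based PowerFlex host. Not part of the PowerFlex documentation.

# ldap_conf_active_uris FILE
#   Prints every URI value from uncommented "URI" lines in FILE, one per line.
#   A single URI line may carry several URIs, so each field is printed separately.
ldap_conf_active_uris() {
    sed -e 's/^[[:space:]]*//' "$1" \
        | grep -v '^#' \
        | awk '$1 == "URI" { for (i = 2; i <= NF; i++) print $i }'
}

# ldap_conf_check FILE
#   Returns 0 when FILE has exactly one active URI and it uses ldaps://,
#   2 when the single active URI is plain ldap:// (allowed for non-secure
#   LDAP, but reported because credentials then travel in clear text),
#   1 when the active URI count is not exactly one or the scheme is unknown.
ldap_conf_check() {
    uris=$(ldap_conf_active_uris "$1")
    count=$(printf '%s\n' "$uris" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "$1: expected exactly one active URI, found $count" >&2
        return 1
    fi
    case "$uris" in
        ldaps://*) return 0 ;;
        ldap://*)
            echo "$1: warning, plain LDAP URI without TLS: $uris" >&2
            return 2 ;;
        *)
            echo "$1: unrecognised URI scheme: $uris" >&2
            return 1 ;;
    esac
}

# ca_dir_check DIR
#   For every .pem/.crt file in DIR (the TLS_CACERTDIR from ldap.conf), checks
#   that the certificate is not expired and that it verifies against the
#   rehashed directory itself (a self-signed CA verifies against its own copy;
#   failure here usually means "openssl rehash" was not run after the import).
ca_dir_check() {
    rc=0
    for cert in "$1"/*.pem "$1"/*.crt; do
        [ -f "$cert" ] || continue
        if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
            echo "expired or unreadable: $cert" >&2
            rc=1
        elif ! openssl verify -CApath "$1" "$cert" >/dev/null 2>&1; then
            echo "does not verify against $1 (rehash missing?): $cert" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh ldap_client_check.sh /etc/ldap/ldap.conf [TLS_CACERTDIR]
if [ "$#" -ge 1 ]; then
    ldap_conf_check "$1"
    if [ "$#" -ge 2 ]; then
        ca_dir_check "$2"
    fi
fi
```

Run it as `sh ldap_client_check.sh /etc/ldap/ldap.conf /etc/ssl/certs` after step 8; a non-zero exit with a message on stderr points at the line or certificate that needs attention.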