====== Cliente TLS ======
# yum install sssd openldap-clients
==== Exportar o certificado no servidor ====
# certutil -L -d /etc/openldap/certs -n "LDAP-CA" -a > /tmp/ca.crt
Observação: o certificado da CA não é segredo, mas ''/tmp'' é gravável por qualquer usuário do servidor; prefira exportar para um diretório acessível só pelo root (ou apague o arquivo de ''/tmp'' logo após a cópia) e confira a impressão digital nos dois lados antes de confiar nele no cliente.
No cliente:
# mkdir /etc/openldap/cacerts
# scp ldap-master-01.exemplo.org:/tmp/ca.crt /etc/openldap/cacerts/
Confira que a cópia é idêntica ao original comparando a impressão digital no servidor e no cliente (o valor tem de ser o mesmo nos dois):
# openssl x509 -in /etc/openldap/cacerts/ca.crt -noout -fingerprint -sha256
# cacertdir_rehash /etc/openldap/cacerts/
# authconfig \
> --disablesmartcard \
> --disablefingerprint \
> --enablesssd \
> --enablesssdauth \
> --enablelocauthorize \
> --disablemd5 \
> --passalgo=sha512 \
> --enablepamaccess \
> --enableldap \
> --enableldapauth \
> --disableldaptls \
> --ldapserver=ldaps://ldap-master-01.exemplo.org:636 \
> --ldapbasedn=dc=exemplo,dc=org \
> --enablemkhomedir \
> --disablecachecreds \
> --disablekrb5 \
> --disablekrb5kdcdns \
> --disablekrb5realmdns \
> --krb5kdc=" #" \
> --updateall
Nota: ''--disableldaptls'' aqui desliga apenas o STARTTLS (porta 389); como o servidor foi indicado com ''ldaps://'' na porta 636, a conexão já é cifrada por TLS desde o início. Não troque a URL para ''ldap://'' sem habilitar ''--enableldaptls'', senão as senhas passam em texto claro. Confira também no ''/etc/openldap/ldap.conf'' gerado que a validação do certificado do servidor não foi relaxada (''TLS_REQCERT'' deve permanecer em ''demand'', o padrão); caso contrário a CA copiada acima não protege contra um servidor falso.
# systemctl enable sssd
# systemctl start sssd
Teste de conexão (o ''-D'' abaixo usa o rootdn ''cn=Manager'' apenas para validar o TLS e a CA; em uso normal o cliente não deve conhecer essa senha, então repita o teste com uma conta comum antes de liberar o host):
# ldapwhoami -H ldaps://ldap-master-01.exemplo.org -x -D "cn=Manager,dc=exemplo,dc=org" -W
Enter LDAP Password:
dn:cn=Manager,dc=exemplo,dc=org
# ldapsearch -H ldaps://ldap-master-01.exemplo.org -x -D "cn=Manager,dc=exemplo,dc=org" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# exemplo.org
dn: dc=exemplo,dc=org
dc: exemplo
objectClass: top
objectClass: domain
# Usuarios, exemplo.org
dn: ou=Usuarios,dc=exemplo,dc=org
ou: people
ou: Usuarios
objectClass: top
objectClass: organizationalUnit
# Grupos, exemplo.org
dn: ou=Grupos,dc=exemplo,dc=org
ou: groups
ou: Grupos
objectClass: top
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
Para desabilitar consultas anônimas no servidor, o sssd do cliente precisa de uma conta própria para fazer o bind:
# vim /etc/sssd/sssd.conf
[domain/
(o conteúdo da seção ''[domain/...]'' ficou truncado nesta página; complete-o com a conta de bind dedicada que o sssd deve usar — uma conta somente leitura, nunca ''cn=Manager''. Lembre-se de que o ''sssd.conf'' passa a guardar essa senha, portanto deve pertencer ao root com permissão 0600, que é o que o sssd normalmente exige para iniciar.)
Consultar usuário:
# getent -s sss passwd
# getent -s sss group
# id -a