Note: Wherever control nodes are mentioned in this document, use the control node names that apply to the Lenovo or Dell system. Obtain the CA certificate file that is configured on the customer's AD/LDAP server before proceeding.

I. Enable with TLS support

1. Enable LDAP authentication with the ap_external_ldap CLI

ap_external_ldap enable --server ldap://ADserverHostname --port 389 --search-base-dn "dc=myldaporg,dc=com" --search_user_dn "cn=usernamewithoutspace, dc=domain,dc=com" --search_user_password "SearchuserPassword" --searchfield sAMAccountName

2. Copy the LDAP CA certificate to the control nodes
  • Copy the CA certificate file (cacert.pem) given by the customer to the control nodes at the location /etc/openldap/cacerts/
3. Back up the file /etc/sssd/sssd.conf on all the control nodes

ssh e1n1 'cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf_backup'
ssh e2n1 'cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf_backup'
ssh e3n1 'cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf_backup'
4. To support TLS 1.2 on port 389, update the /etc/sssd/sssd.conf file

On the node e1n1, update the domain section [domain/external-ldap-domain] in the file /etc/sssd/sssd.conf

  • Replace the parameter
ldap_tls_reqcert = never
      with
ldap_tls_reqcert = demand
  • Add the following parameters
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem

With ldap_tls_reqcert = demand, SSSD refuses the connection (and all LDAP logins fail) unless the AD server's certificate chains to cacert.pem and its subject or SAN matches the hostname in ldap_uri, so confirm that the customer's CA file is the one that issued the server certificate.
5. Restart SSSD
  • Restart the sssd service on e1n1
systemctl stop sssd
systemctl start sssd
systemctl status sssd

6. Repeat steps 3 and 4 on the other control nodes: e1n2/e1n3 (Lenovo) or e2n1/e3n1 (Dell)
7. Verify the overall LDAP status on the system

ap_external_ldap status

8. Sample /etc/sssd/sssd.conf contents for the LDAP domain after the changes

[domain/external-ldap-domain]
ldap_uri = ldap://<windowsadhostname>:389
ldap_user_search_base = DC=nzdev,DC=com
ldap_default_bind_dn = CN=specialcharuser,CN=Users,DC=nzdev,DC=com
ldap_default_authtok = AAAgAN255nSkFndmI2TeGWiMzQr6lf5DIWHwQPJloB2BjTTox9UQDJewDdmPwBnaHwIWpNHHP/0uF9DYPuxYLlxJmaQQaKwRZysXDDbT+Y34zMhNAAECAw==
# The parameters and values below should not be changed
ldap_default_authtok_type = obfuscated_password
ldap_schema = AD
ldap_group_name = CN
ldap_user_name = sAMAccountName
ignore_group_members = True
auth_provider = ldap
ldap_rfc2307_fallback_to_local_users = True
ldap_referrals = False
override_homedir = /home/%u
override_shell = /bin/bash
ldap_network_timeout = 3
ldap_opt_timeout = 60
cache_credentials = True
entry_cache_group_timeout = 0
entry_cache_user_timeout = 0
ldap_search_timeout = 30
id_provider = ldap
entry_cache_timeout = 600
case_sensitive = False
ldap_id_mapping = True
ldap_tls_reqcert = demand
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem

II. Enable with SSL support

1. Enable LDAP authentication with the ap_external_ldap CLI

ap_external_ldap enable --server ldaps://ADserverHostname --port 636 --search-base-dn "dc=myldaporg,dc=com" --search_user_dn "cn=usernamewithoutspace, dc=domain,dc=com" --search_user_password "SearchuserPassword" --searchfield sAMAccountName


2. Copy the LDAP CA certificate to the control nodes
  • Copy the CA certificate file (cacert.pem) given by the customer to the control nodes at the location /etc/openldap/cacerts/
3. Back up the file /etc/sssd/sssd.conf on all the control nodes

ssh e1n1 'cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf_backup'
ssh e2n1 'cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf_backup'
ssh e3n1 'cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf_backup'
4. Update the /etc/sssd/sssd.conf file to support SSL on port 636

On the node e1n1, update the domain section [domain/external-ldap-domain] in /etc/sssd/sssd.conf

  • Replace the parameter
ldap_tls_reqcert = never
      with
ldap_tls_reqcert = demand
  • Add the following parameters
ldap_id_use_start_tls = False
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem

On port 636 the session is TLS from the first byte, so StartTLS stays off; the server certificate must still chain to cacert.pem and match the hostname in ldap_uri, or SSSD rejects the connection.

5. Restart SSSD
  • Restart the sssd service on e1n1
systemctl stop sssd
systemctl start sssd
systemctl status sssd
6. Repeat steps 3 and 4 on the other control nodes: e1n2/e1n3 (Lenovo) or e2n1/e3n1 (Dell)
7. Verify the LDAP status

ap_external_ldap status

8. Sample /etc/sssd/sssd.conf contents for the LDAP domain after the changes
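Before switching ldap_tls_reqcert from never to demand, it helps to confirm from a control node that the AD server's certificate really validates against cacert.pem, for both the StartTLS path on port 389 (section I) and the ldaps path on port 636 (section II). The probe below is an added example, not part of ap_external_ldap or SSSD; the host and port are whatever the customer supplied, the CA path is the one this procedure installs, and the StartTLS request is hand-encoded from RFC 4511 so no LDAP library is required.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"       # RFC 4511 section 4.14
CA_FILE = "/etc/openldap/cacerts/cacert.pem"   # path installed by step 2


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }.
    msg_id stays below 128 so the INTEGER fits in one byte."""
    ext = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # [0] requestName
    op = b"\x77" + ber_len(len(ext)) + ext                       # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + op                    # INTEGER messageID
    return b"\x30" + ber_len(len(body)) + body                   # outer SEQUENCE


def extended_result_code(msg: bytes) -> int:
    """resultCode of an ExtendedResponse (0 = success, TLS may start).
    Assumes short-form lengths, which holds for the small StartTLS reply."""
    if msg[0] != 0x30 or msg[2] != 0x02:
        raise ValueError("not an LDAPMessage")
    pos = 4 + msg[3]                 # skip SEQUENCE header and messageID
    if msg[pos] != 0x78:             # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    if msg[pos + 2] != 0x0A:         # ENUMERATED resultCode comes first
        raise ValueError("resultCode missing")
    return int.from_bytes(msg[pos + 4:pos + 4 + msg[pos + 3]], "big")


def probe(host: str, port: int, cafile: str = CA_FILE) -> dict:
    """Connect the way SSSD will: StartTLS on 389 (ldap://), direct TLS on 636
    (ldaps://), then verify the chain against cafile and the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    raw = socket.create_connection((host, port), timeout=5)
    if port != 636:
        raw.sendall(starttls_request())
        code = extended_result_code(raw.recv(4096))
        if code != 0:
            raise RuntimeError(f"server refused StartTLS, resultCode={code}")
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        cert = tls.getpeercert()
        return {"tls_version": tls.version(),
                "subject": dict(kv[0] for kv in cert["subject"]),
                "issuer": dict(kv[0] for kv in cert["issuer"])}
```

A clean result (TLS version, subject, issuer) means the same verification SSSD performs with reqcert = demand will pass; an ssl.SSLCertVerificationError points at a wrong CA file or a hostname that does not match the certificate.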

[domain/external-ldap-domain]
ldap_uri = ldaps://Windowsad-dev1.nzdev.com:636
ldap_user_search_base = DC=nzdev,DC=com
ldap_default_bind_dn = CN=specialcharuser,CN=Users,DC=nzdev,DC=com
ldap_default_authtok = AAAgAN255nSkFndmI2TeGWiMzQr6lf5DIWHwQPJloB2BjTTox9UQDJewDdmPwBnaHwIWpNHHP/0uF9DYPuxYLlxJmaQQaKwRZysXDDbT+Y34zMhNAAECAw==
# The parameters and values below should not be changed
ldap_default_authtok_type = obfuscated_password
ldap_schema = AD
ldap_group_name = CN
ldap_user_name = sAMAccountName
ignore_group_members = True
auth_provider = ldap
ldap_rfc2307_fallback_to_local_users = True
ldap_referrals = False
override_homedir = /home/%u
override_shell = /bin/bash
ldap_network_timeout = 3
ldap_opt_timeout = 60
cache_credentials = True
entry_cache_group_timeout = 0
entry_cache_user_timeout = 0
ldap_search_timeout = 30
id_provider = ldap
entry_cache_timeout = 600
case_sensitive = False
ldap_id_mapping = True
ldap_tls_reqcert = demand
ldap_id_use_start_tls = False
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
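The domain sections shown in step 8 of sections I and II can be checked mechanically before sssd is restarted. This Python checker is an added example, not part of ap_external_ldap; it parses an sssd.conf text, finds the [domain/external-ldap-domain] section and reports the weak pre-change state (ldap_tls_reqcert = never), a missing ldap_tls_cacert, and an ldap_id_use_start_tls value that does not agree with the ldap_uri scheme (True for ldap://:389, False for ldaps://:636). The embedded sample is constructed; its hostname and DNs are placeholders.

```python
import configparser
from urllib.parse import urlsplit

DOMAIN = "domain/external-ldap-domain"   # section name used by ap_external_ldap

# Constructed sample: the domain section as it looks *before* step 4 (placeholder
# host and DNs, no obfuscated authtok), not copied from a real control node.
SAMPLE_BEFORE = """[domain/external-ldap-domain]
ldap_uri = ldap://adserver.example.test:389
ldap_user_search_base = DC=example,DC=test
ldap_default_bind_dn = CN=svc-ldap,CN=Users,DC=example,DC=test
ldap_default_authtok_type = obfuscated_password
ldap_schema = AD
id_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
"""


def check_ldap_domain(conf_text: str, section: str = DOMAIN) -> list[str]:
    """Return findings for the LDAP domain; an empty list means the TLS
    settings match what step 4 of the procedure requires."""
    cp = configparser.ConfigParser(interpolation=None)  # %u in override_homedir
    cp.read_string(conf_text)
    if not cp.has_section(section):
        return [f"section [{section}] not found"]
    d = cp[section]
    findings = []
    uri = d.get("ldap_uri", "")
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        return [f"ldap_uri {uri!r} is not an ldap:// or ldaps:// URI"]
    reqcert = d.get("ldap_tls_reqcert", "").lower()
    if reqcert != "demand":
        findings.append(f"ldap_tls_reqcert = {reqcert or '<unset>'}: server "
                        "certificate is not verified; set it to demand")
    start_tls = d.getboolean("ldap_id_use_start_tls", fallback=False)
    if scheme == "ldap" and not start_tls:
        findings.append("ldap:// without ldap_id_use_start_tls = True: bind "
                        "password and user credentials cross the network in clear")
    if scheme == "ldaps" and start_tls:
        findings.append("ldaps:// with ldap_id_use_start_tls = True: StartTLS "
                        "on an already encrypted port fails; set it to False")
    expected_port = 389 if scheme == "ldap" else 636
    if parts.port not in (None, expected_port):
        findings.append(f"ldap_uri port {parts.port} is unusual for {scheme}://")
    if not d.get("ldap_tls_cacert"):
        findings.append("ldap_tls_cacert not set: nothing to verify the "
                        "server chain against; point it at cacert.pem")
    return findings
```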