LDAP config changes 2023

In an effort to enhance security in our LDAP infrastructure, we're now requiring TLS encryption between our clients and the backend hosts.   This change requires a few configuration edits to implement on each client. 

Cert file:

Please make sure you have the /etc/ssl/certs/cacert-oec.pem file in place.

Once these changes are in place, you can restart the LDAP server process by rebooting, or  by typing:

#systemctl restart nscd

Auto Mounting:

Many systems use autofs in order to mount home directories and perhaps other remote file systems.  If your system falls under this category, you will need to also edit the /etc/auto.home file and make the following changes:

• Old code:

  • department=$(ldapsearch -LLL -x uid=$user dn | sed -e 's/.*ou=//; s/,.*//')

• New code:

  • department=$(ldapsearch -LLL -ZZ -x uid=$user dn | sed -e 's/.*ou=//; s/,.*//')

    • (Note the addition of the -ZZ parameter)

The -ZZ directive tells the ldapsearch to use encryption for its connection.

You can download the cacert-oec.pem file here:  cacert-oec.pem