LDAP config changes 2023

In an effort to enhance security in our LDAP infrastructure, we're now requiring TLS encryption between our clients and the backend hosts. This change requires a few configuration edits on each client.

The files that require edits are shown below; for each one, only the key parts are listed:

/etc/ldap.conf

--------------------

base dc=eng,dc=ucsd,dc=edu
URI     ldap://ldap11.eng.ucsd.edu ldap://ldap12.eng.ucsd.edu ldap://ldap13.eng.ucsd.edu
#URI    ldap://vip-ldap01.eng.ucsd.edu

ldap_version 3
pam_password md5

ssl start_tls
tls_cacert /etc/ssl/certs/cacert-oec.pem


===================================================================

/etc/ldap/ldap.conf

-----------------------

BASE    dc=eng,dc=ucsd,dc=edu
URI     ldap://ldap11.eng.ucsd.edu ldap://ldap12.eng.ucsd.edu ldap://ldap13.eng.ucsd.edu
#URI    ldap://vip-ldap01.eng.ucsd.edu

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/cacert-oec.pem
TLS_REQCERT     allow


Cert file:

Please make sure you have the /etc/ssl/certs/cacert-oec.pem file in place.

Once these changes are in place, you can apply them by rebooting, or by restarting nscd as root:

# systemctl restart nscd
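As an added check (not part of this notice), the script below parses the two client files shown above and flags what would defeat the TLS requirement: a missing CA file, a pam_ldap file without ssl start_tls, and TLS_REQCERT set to allow, which lets the client proceed even when the server certificate fails verification. The sample configs are constructed from the notice, and cacert_present is a hypothetical parameter so the check can run without the real /etc/ssl tree.

```python
import os
# Constructed samples: the TLS-relevant lines of the two files from this notice.
PAM_LDAP_CONF = """\
base dc=eng,dc=ucsd,dc=edu
URI     ldap://ldap11.eng.ucsd.edu ldap://ldap12.eng.ucsd.edu ldap://ldap13.eng.ucsd.edu
ldap_version 3
pam_password md5
ssl start_tls
tls_cacert /etc/ssl/certs/cacert-oec.pem
"""
OPENLDAP_CONF = """\
BASE    dc=eng,dc=ucsd,dc=edu
URI     ldap://ldap11.eng.ucsd.edu ldap://ldap12.eng.ucsd.edu ldap://ldap13.eng.ucsd.edu
#URI    ldap://vip-ldap01.eng.ucsd.edu
TLS_CACERT      /etc/ssl/certs/cacert-oec.pem
TLS_REQCERT     allow
"""

def parse_ldap_conf(text):
    """Map upper-cased directive -> value; both files use 'KEY value' lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def check_tls(text, pam_ldap, cacert_present=os.path.isfile):
    """Return findings for one file (empty list == meets the notice). pam_ldap=True checks the
    'ssl start_tls' form of /etc/ldap.conf, False the TLS_* form of /etc/ldap/ldap.conf.
    cacert_present is injectable (hypothetical) so the check can run without a real /etc/ssl tree."""
    conf = parse_ldap_conf(text)
    findings = []
    uris = conf.get("URI", "").split()
    # ldap:// URIs start in the clear; pam_ldap only upgrades them when 'ssl start_tls' is set.
    if pam_ldap and any(u.startswith("ldap://") for u in uris) and conf.get("SSL", "").lower() != "start_tls":
        findings.append("ldap:// URI without 'ssl start_tls': simple binds would send passwords unencrypted")
    cacert = conf.get("TLS_CACERT", "")
    if not cacert:
        findings.append("TLS_CACERT not set: the server certificate cannot be verified")
    elif not cacert_present(cacert):
        findings.append(f"CA file {cacert} is missing: put cacert-oec.pem in place before restarting nscd")
    # ldap.conf(5): TLS_REQCERT never|allow|try|demand|hard (default demand). 'allow' continues even
    # when the server presents no certificate or a bad one, so the CA file is not actually enforced.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if not pam_ldap and reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: certificate failures are ignored; 'demand' enforces them")
    return findings
```

To check a real host, pass the contents of each file instead of the samples, e.g. check_tls(open("/etc/ldap/ldap.conf").read(), False).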

Auto Mounting:

Many systems use autofs to mount home directories and perhaps other remote file systems. If your system falls into this category, you will also need to edit the /etc/auto.home file and make the following changes:

The -ZZ option tells ldapsearch to issue StartTLS and to fail if the connection cannot be encrypted.

You can download the cacert-oec.pem file here: cacert-oec.pem