LDAP-UX - How to setup LDAP-UX to authenticate on OpenLDAP

Friday, April 19, 2013

First of all, LDAP-UX does not support updating an OpenLDAP directory, so to get this to work you have to add the following profile entry to the directory yourself (the server needs DUAConfig.schema loaded, and possibly ldap-printer.schema):


dn: cn=uxprofile,ou=Profiles,dc=example,dc=com
cn: uxprofile
objectClass: DUAConfigProfile
defaultSearchBase: dc=example,dc=com
defaultSearchScope: one
profileTTL: 3600
serviceSearchDescriptor: passwd:OU=People,DC=example,DC=com
serviceSearchDescriptor: group:OU=Group,DC=example,DC=com
authenticationMethod: tls:simple
defaultServerList: <space separated list of LDAP server hosts:ports>
If you don't have the LDAP-UX package installed yet, install it from your depot:

# swinstall -s /yourDepot

Create a key-store:

/opt/ldapux/contrib/bin/certutil -N -d /etc/opt/ldapux

Import the CA cert (the certificate of the CA that signed the OpenLDAP server's certificate), trusted for server authentication:

/opt/ldapux/contrib/bin/certutil -A -n ca-cert -t "C,," -d /etc/opt/ldapux -a -i cacert.crt

Configure LDAP-UX:

/opt/ldapux/config/setup

...when prompted, specify TLS and use port 389 (TLS is negotiated with StartTLS on the standard port).

NOTE: do NOT attempt to extend any schemas -- OpenLDAP does not support this.
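The following script is an added example, not part of the original post or of the LDAP-UX product. It generates the DUAConfigProfile entry shown above from a few variables, checks the attributes that decide whether passwords would travel in the clear (authenticationMethod must stay tls:simple, and defaultServerList must not be left empty or as the placeholder), and optionally reads the published profile back over StartTLS with the OpenLDAP ldapsearch client, so a bad CA certificate in the key-store shows up before the first login rather than during it. The base DN, profile name and host names are constructed placeholders; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): build, check and verify the
# LDAP-UX DUAConfigProfile entry for an OpenLDAP server.
# All DNs and host names used here are constructed placeholders.

# make_profile_ldif BASE PROFILE_NAME "host1:port host2:port"
# Prints a DUAConfigProfile entry shaped like the one in the post.
make_profile_ldif() {
  base="$1"; name="$2"; servers="$3"
  printf 'dn: cn=%s,ou=Profiles,%s\n' "$name" "$base"
  printf 'cn: %s\n' "$name"
  printf 'objectClass: DUAConfigProfile\n'
  printf 'defaultSearchBase: %s\n' "$base"
  printf 'defaultSearchScope: one\n'
  printf 'profileTTL: 3600\n'
  printf 'serviceSearchDescriptor: passwd:ou=People,%s\n' "$base"
  printf 'serviceSearchDescriptor: group:ou=Group,%s\n' "$base"
  printf 'authenticationMethod: tls:simple\n'
  printf 'defaultServerList: %s\n' "$servers"
}

# check_profile_ldif: reads an LDIF on stdin and returns 0 only if the
# security-relevant attributes are set the way the post requires.
# Reasons for rejection are printed on stderr.
check_profile_ldif() {
  ldif=$(cat)
  if ! printf '%s\n' "$ldif" | grep -q '^objectClass: DUAConfigProfile$'; then
    echo "check: entry is not a DUAConfigProfile" >&2
    return 1
  fi
  # "simple" without "tls:" would send the bind password in the clear.
  if ! printf '%s\n' "$ldif" | grep -q '^authenticationMethod: tls:simple$'; then
    echo "check: authenticationMethod must be tls:simple" >&2
    return 1
  fi
  # An empty list or the "<...>" placeholder from the template is a
  # configuration that was never finished.
  if printf '%s\n' "$ldif" | grep -q '^defaultServerList: *$' ||
     printf '%s\n' "$ldif" | grep -q '^defaultServerList: *<'; then
    echo "check: defaultServerList is empty or still a placeholder" >&2
    return 1
  fi
  return 0
}

# verify_profile HOST PORT PROFILE_DN
# Reads the profile back with the OpenLDAP client; -ZZ makes ldapsearch fail
# unless StartTLS on port 389 succeeds, which is exactly what LDAP-UX will
# need after "setup" (assumption: an OpenLDAP ldapsearch is on the PATH).
# Returns 2 when no ldapsearch binary is available.
verify_profile() {
  host="$1"; port="$2"; dn="$3"
  if ! command -v ldapsearch >/dev/null 2>&1; then
    echo "verify: ldapsearch not found, skipping live check" >&2
    return 2
  fi
  ldapsearch -x -ZZ -H "ldap://$host:$port" -b "$dn" -s base \
    '(objectClass=DUAConfigProfile)' defaultServerList authenticationMethod
}

# Usage: sh ldapux-profile.sh BASE NAME "host1:389 host2:389" > uxprofile.ldif
# The LDIF is only printed if it passes check_profile_ldif.
if [ $# -ge 3 ]; then
  out=$(make_profile_ldif "$1" "$2" "$3")
  printf '%s\n' "$out" | check_profile_ldif || exit 1
  printf '%s\n' "$out"
fi
```

Load the printed LDIF with ldapadd as a DN that may write under ou=Profiles, then run verify_profile against each host in defaultServerList; a TLS failure there means the CA certificate imported with certutil does not match the server's certificate chain.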