HP OSMS Blueprint: Directory Services on HP ProLiant Servers with SLES10

3. Copy the files newreq.pem and newcert.pem, which were created in step 2, to the CDS
client and move them to the /opt/symas/ssl/ directory. Rename the file newreq.pem
to clientkey.pem and the file newcert.pem to clientcert.pem.
4. Set the environment variables by running the following commands:
# export LDAPCONF=home_directory
# export LDAPRC=ldap.rc
The ldap.rc file should be created in the home_directory. If the current login name on
the CDS client is root, and the home directory for root is /root, then the commands are
as follows:
# export LDAPCONF=/root
# export LDAPRC=ldap.rc
5. Edit the ldap.rc file by adding the following contents:
URI ldaps://<CDS_SERVER>:636/
BASE dc=example,dc=com
SASL_MECH EXTERNAL
TLS_CERT /opt/symas/ssl/clientcert.pem
TLS_KEY /opt/symas/ssl/clientkey.pem
Where CDS_SERVER is the host name or IP address of the CDS server.
6. Add the following directive to the slapd.conf file on the CDS server:
TLSVerifyClient demand
This directive makes the CDS server demand a valid certificate from the CDS client. If no
certificate is presented, or the certificate is invalid, the session is terminated immediately.
7. Restart the CDS server.
8. Use the ldapsearch command on the CDS client to verify that the EXTERNAL
authentication mechanism is working by entering the following command:
# /opt/symas/bin/ldapsearch -b 'dc=osm,dc=example,dc=com' \
-s base -LLL
The following output is displayed:
SASL/EXTERNAL authentication started
SASL username: emailAddress=osmsuser@cdsclient.test,
CN=cdsclient.test,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU
SASL SSF: 0
dn: dc=osm,dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: osm
9. Use the ldapwhoami command to check the DN for the user by entering the following:
# /opt/symas/bin/ldapwhoami
The following is displayed:
SASL/EXTERNAL authentication started
SASL username: emailAddress=osmsuser@cdsclient.test,
CN=cdsclient.test,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU
SASL SSF: 0
dn:email=osmsuser@cdsclient.test,cn=cdsclient.test,
o=internet widgits pty ltd,st=some-state,c=au
Result: Success (0)
The DN for the user,
email=osmsuser@cdsclient.test,cn=cdsclient.test,o=internet widgits pty ltd,st=some-state,c=au,
can be mapped to the DN in the LDAP namespace by
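As an added check for the client side of steps 3 and 5 (example script, not part of the HP blueprint), the following validates that an ldap.rc file carries the directives above with an ldaps:// URI and that the copied clientkey.pem is readable by its owner only; the host name cds.example.com and the temporary file paths are constructed stand-ins for the real ones.

```shell
#!/bin/sh
# Added example, not part of the HP blueprint: sanity-check the ldap.rc from step 5
# and the client key from step 3 before running ldapsearch/ldapwhoami.
# Paths under $tmp are constructed stand-ins for /root/ldap.rc and /opt/symas/ssl/clientkey.pem.

# Print the value of one directive from an ldap.rc-style file (first match wins).
ldaprc_get() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Return 0 when the file carries everything SASL/EXTERNAL over ldaps needs.
check_ldaprc() {
    rc="$1"
    [ -r "$rc" ] || { echo "cannot read $rc"; return 1; }
    uri=$(ldaprc_get "$rc" URI)
    mech=$(ldaprc_get "$rc" SASL_MECH)
    cert=$(ldaprc_get "$rc" TLS_CERT)
    key=$(ldaprc_get "$rc" TLS_KEY)
    case "$uri" in
        ldaps://*) ;;                       # the client certificate is only sent over TLS
        *) echo "URI must use ldaps://, got '$uri'"; return 1 ;;
    esac
    [ "$mech" = "EXTERNAL" ] || { echo "SASL_MECH must be EXTERNAL"; return 1; }
    [ -n "$cert" ] && [ -n "$key" ] || { echo "TLS_CERT and TLS_KEY are required"; return 1; }
    return 0
}

# The private key must be readable by its owner only: columns 5-10 of 'ls -l'
# hold the group and other permission bits, so all six must be '-'.
check_key_perms() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}
# Constructed sample inputs: a correct ldap.rc, one that falls back to plain ldap://,
# and two key files with different modes.
tmp=$(mktemp -d)
cat > "$tmp/ldap.rc" <<'EOF'
URI ldaps://cds.example.com:636/
BASE dc=example,dc=com
SASL_MECH EXTERNAL
TLS_CERT /opt/symas/ssl/clientcert.pem
TLS_KEY /opt/symas/ssl/clientkey.pem
EOF
sed 's#^URI ldaps://#URI ldap://#' "$tmp/ldap.rc" > "$tmp/bad.rc"
touch "$tmp/clientkey.pem" "$tmp/leaky.pem"
chmod 600 "$tmp/clientkey.pem"
chmod 644 "$tmp/leaky.pem"
check_ldaprc "$tmp/ldap.rc" && check_key_perms "$tmp/clientkey.pem" \
    && echo "client configuration looks sane"
```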