Kerberos and LDAP

LDAP Servers, Prep Work

•

Create user and group (ldap/ldap)

•

Make/buy signed SSL certificate

–

CN in SSL certificate should be canonical name of

server as reported by reverse DNS

•

I.e. moonshine.example.com

–

If possible, list user-friendly name in x509v3 Subject

Alternative Name field

•

Within usr_cert section of openssl.cnf:

–

subjectAltName=DNS:ldap1.example.com

•

OpenSSL doesn’t have support for prompting for this field, so

you’ll have to edit openssl.cnf for each cert you generate

–

chmod 640 slapd-key.pem; chgrp ldap slapd-key.pem