LDAP config changes 2023
To improve the security of our LDAP infrastructure, we now require TLS encryption (negotiated with StartTLS) between clients and the backend LDAP hosts. Each client needs a few configuration edits to implement this change.
The files that require edits include:
Note: the key parts, for both files, are:
Comment out the existing URI line that points at ldap://vip-ldap01.eng.ucsd.edu
Ensure the active URI line lists the ldap11, ldap12 and ldap13 backend hosts
Add "ssl start_tls"
Add "tls_cacert /etc/ssl/certs/cacert-oec.pem"
Change TLS_REQCERT to "allow" (note that "allow" still lets the session proceed if the server presents no certificate or an unverifiable one, so it guarantees encryption but not strict server authentication; the tls_cacert line above is what lets the certificate be checked at all)
Please make sure the /etc/ssl/certs/cacert-oec.pem file is in place before restarting; the tls_cacert line points at it.
Once these changes are in place, apply them by rebooting, or by restarting the name service cache daemon (nscd) on the client, as root:
# systemctl restart nscd
Many systems use autofs to mount home directories and perhaps other remote file systems. If your system falls under this category, you will also need to edit the /etc/auto.home file and make the following changes:
(Note the addition of the -ZZ parameter)
The -Z option tells ldapsearch to issue a StartTLS request before the lookup; doubling it to -ZZ makes StartTLS mandatory, so the automounter lookup fails rather than silently falling back to a plaintext connection if the server refuses or cannot negotiate TLS.
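The following script is an added example and is not part of the original page or of any distributed tooling. It lints a client config file for the settings listed above (the old VIP commented out, ldap11/12/13 in the URI, ssl start_tls, tls_cacert, TLS_REQCERT allow) before you restart nscd, warns about what "allow" does and does not verify, and wraps the same mandatory StartTLS probe (-ZZ) that the auto.home change relies on. The file names /etc/ldap.conf and /etc/openldap/ldap.conf and the hostnames ldap11/ldap12/ldap13.eng.ucsd.edu are assumptions, as is the constructed sample config it checks offline.

```shell
#!/bin/sh
# Added example, not from the original page: pre-restart lint for the
# 2023 LDAP client changes plus a live StartTLS check.
# Assumptions (not stated on the page): the two edited files are
# /etc/ldap.conf and /etc/openldap/ldap.conf, and the backend hosts are
# ldap11/ldap12/ldap13.eng.ucsd.edu.

CACERT=/etc/ssl/certs/cacert-oec.pem        # path given on the page
OLD_VIP='vip-ldap01\.eng\.ucsd\.edu'        # old plaintext VIP from the page

# check_ldap_conf FILE
# Exit 0 when FILE has every required setting and no active (uncommented)
# URI still names the old VIP; exit 1 otherwise. Matching is
# case-insensitive because nss_ldap/nslcd use lower-case keywords and the
# OpenLDAP client library uses upper-case ones.
check_ldap_conf() {
    f=$1
    rc=0
    active=$(grep -v '^[[:space:]]*#' "$f")          # drop comment lines
    if printf '%s\n' "$active" | grep -qi "$OLD_VIP"; then
        echo "FAIL $f: an uncommented URI still names vip-ldap01"; rc=1
    fi
    if ! printf '%s\n' "$active" | grep -Eqi '^[[:space:]]*uri[[:space:]]+.*ldap1[123]'; then
        echo "FAIL $f: URI line does not list ldap11/12/13"; rc=1
    fi
    if ! printf '%s\n' "$active" | grep -Eqi '^[[:space:]]*ssl[[:space:]]+start_tls'; then
        echo "FAIL $f: missing 'ssl start_tls'"; rc=1
    fi
    if ! printf '%s\n' "$active" | grep -Eqi "^[[:space:]]*tls_cacert[[:space:]]+$CACERT"; then
        echo "FAIL $f: missing 'tls_cacert $CACERT'"; rc=1
    fi
    if ! printf '%s\n' "$active" | grep -Eqi '^[[:space:]]*tls_reqcert[[:space:]]+allow'; then
        echo "FAIL $f: TLS_REQCERT is not 'allow'"; rc=1
    else
        # 'allow' tolerates a missing or bad server certificate: the session
        # is encrypted, but the server is not strictly authenticated.
        echo "WARN $f: TLS_REQCERT allow encrypts but does not enforce server-cert checks"
    fi
    return $rc
}

# verify_starttls HOST
# Read the root DSE over a mandatory StartTLS session (-ZZ: fail instead of
# falling back to cleartext if StartTLS is refused), validating the server
# certificate against the CA file. Needs ldap-utils and network access, so
# the offline demo below does not call it.
verify_starttls() {
    LDAPTLS_CACERT=$CACERT LDAPTLS_REQCERT=demand \
        ldapsearch -H "ldap://$1" -ZZ -x -b '' -s base >/dev/null
}

# write_samples
# Create constructed before/after config fragments in a temp dir and print
# the dir name. The hostnames are the assumed ones noted above.
write_samples() {
    d=$(mktemp -d)
    cat >"$d/old.conf" <<'EOF'
uri ldap://vip-ldap01.eng.ucsd.edu
EOF
    cat >"$d/new.conf" <<'EOF'
#uri ldap://vip-ldap01.eng.ucsd.edu
uri ldap://ldap11.eng.ucsd.edu ldap://ldap12.eng.ucsd.edu ldap://ldap13.eng.ucsd.edu
ssl start_tls
tls_cacert /etc/ssl/certs/cacert-oec.pem
TLS_REQCERT allow
EOF
    echo "$d"
}

# Offline demo: lint the constructed samples (old.conf is expected to fail).
demo_dir=$(write_samples)
for f in "$demo_dir/old.conf" "$demo_dir/new.conf"; do
    if check_ldap_conf "$f"; then echo "OK   $f"; fi
done
rm -r "$demo_dir"
```

On a real client, run the checker against both edited files and only then restart the cache daemon, for example `check_ldap_conf /etc/ldap.conf && check_ldap_conf /etc/openldap/ldap.conf && systemctl restart nscd`; `verify_starttls ldap11.eng.ucsd.edu` then confirms that the host actually accepts StartTLS with a certificate chaining to cacert-oec.pem, which is the condition the -ZZ automounter lookup depends on.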