Background
This process can be followed to allow external hosts to connect to and query the BCM LDAP instance.
The cmd.conf file contains some of the required values cmdaemon uses to bind to the Bright-provided LDAP. You can review the values with this command.
# grep LDAP /cm/local/apps/cmd/etc/cmd.conf
This will return the LDAP parameters, such as:
LDAPHost = "ldapserver"
LDAPUser = "root"
LDAPPass = "PASSWORD REDACTED"
LDAPReadOnlyUser = "readonlyroot"
LDAPReadOnlyPass = "PASSWORD REDACTED"
LDAPSearchDN = "dc=cm,dc=cluster"
LDAPProtocol = "ldaps"
LDAPPort = 636
LDAPCACertificate = "/cm/local/apps/openldap/etc/certs/ca.pem"
LDAPCertificate = "/cm/local/apps/openldap/etc/certs/ldap.pem"
LDAPPrivateKey = "/cm/local/apps/openldap/etc/certs/ldap.key"
From this output, you can gather the bind DN to use, which in this case would be:
cn=readonlyroot,dc=cm,dc=cluster
Steps
Below is an example configuration that could be used to access the BCM-provided LDAP service from a non-BCM-managed server. One important requirement is generating a certificate for the external host, which is generated with cm-component-certificate.
On the Active Head Node
1. Start by opening the firewall on the external interface on the headnode(s) by modifying the Shorewall rules and adding the line: ACCEPT net fw tcp 636
# vim /etc/shorewall/rules
# Add this line:
ACCEPT net fw tcp 636
2. Restart shorewall:
# systemctl restart shorewall
3. Repeat the steps above if using a passive head node in an HA pair.
On the External Servers
1. Install the nss-pam-ldapd, openldap, and openldap-clients packages.
On a Red Hat based system:
# dnf install nss-pam-ldapd openldap openldap-clients
2. Make a backup of /etc/pam.d/.
cp -r /etc/pam.d /etc/pam.d.bak
3. Then copy over these files from a compute node.
/etc/pam.d/system-auth
/etc/pam.d/password-auth
/etc/nslcd.conf
/etc/openldap/ldap.conf
4. Edit /etc/hosts on the external servers and add the following entries:
<head_node_ip> localmaster master ldapserver
5. Create the path /cm/local/apps/openldap/etc/certs on the external server
mkdir -p /cm/local/apps/openldap/etc/certs
6. Next, you must generate an LDAP certificate for the external server; on the active headnode, run this command (substituting the external hostname below):
# cm-component-certificate --generate=<hostname of the external server>
7. This will generate two files (ldap.pem, ldap.key) in the current directory.
8. Copy these files to the external server and place them in the /cm/local/apps/openldap/etc/certs directory created on the external server in Step 5.
9. Next, set the ownership of /cm/local/apps/openldap/etc (and everything below it) to the nslcd user.
# chown -R nslcd:ldap /cm/local/apps/openldap/etc
10. Check that the ldap entry is added to /etc/nsswitch.conf on the external server.
# grep ldap /etc/nsswitch.conf
passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap
11. Finally, restart the nslcd service on the external node.
# systemctl restart nslcd
12. The “getent passwd” command on the external server should show the LDAP users from BCM now.
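The following script is an added example and not part of the Bright/BCM documentation. It shows how to derive the read-only bind DN from the cmd.conf values listed in the Background section (run on the head node), how to check the external server's prerequisites from Steps 5 to 10 (certificate files, nslcd ownership, nsswitch entries), and how to confirm the ldaps bind with ldapsearch from openldap-clients before relying on getent. The function names, the assumption that cmd.conf uses the Key = "value" layout shown above, the GNU stat -c flag, and the reliance on the TLS_CACERT setting in the /etc/openldap/ldap.conf copied from a compute node are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not BCM's code). Helper functions to derive the bind DN from
# cmd.conf and to verify an external server's LDAP client setup.

# Print the value of one cmd.conf key (quotes stripped). Assumes the
# 'Key = "value"' / 'Key = number' layout shown in the Background section.
cmd_conf_value() {
    # $1 = path to cmd.conf, $2 = key name (e.g. LDAPReadOnlyUser)
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p; t; s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Build the read-only bind DN as cn=<LDAPReadOnlyUser>,<LDAPSearchDN>.
readonly_bind_dn() {
    # $1 = path to cmd.conf (run this on the head node)
    user=$(cmd_conf_value "$1" LDAPReadOnlyUser)
    base=$(cmd_conf_value "$1" LDAPSearchDN)
    [ -n "$user" ] && [ -n "$base" ] || return 1
    printf 'cn=%s,%s\n' "$user" "$base"
}

# Report whether an nsswitch database line (passwd, shadow, group) lists ldap.
# Prints "ok" or "missing" and returns 0 or 1 accordingly.
nsswitch_has_ldap() {
    # $1 = path to nsswitch.conf, $2 = database name
    if grep -Eq "^[[:space:]]*$2:.*[[:space:]]ldap([[:space:]]|\$)" "$1"; then
        echo ok
        return 0
    fi
    echo missing
    return 1
}

# Check the external server's local prerequisites from Steps 5-10:
# ldap.pem/ldap.key present, cert directory owned by nslcd, ldap in nsswitch.
check_external_prereqs() {
    certdir=${1:-/cm/local/apps/openldap/etc/certs}
    nss=${2:-/etc/nsswitch.conf}
    rc=0
    for f in ldap.pem ldap.key; do
        [ -r "$certdir/$f" ] || { echo "missing $certdir/$f"; rc=1; }
    done
    # stat -c is GNU coreutils (fine on the Red Hat based hosts assumed here)
    owner=$(stat -c %U "$certdir" 2>/dev/null) || owner=""
    [ "$owner" = nslcd ] || { echo "$certdir owned by '${owner:-?}', expected nslcd"; rc=1; }
    for db in passwd shadow group; do
        nsswitch_has_ldap "$nss" "$db" >/dev/null || { echo "nsswitch.conf: $db does not list ldap"; rc=1; }
    done
    return $rc
}

# Simple bind over ldaps with the read-only DN and fetch one posixAccount.
# Prompts for the LDAPReadOnlyPass; CA verification uses the TLS_CACERT from
# the /etc/openldap/ldap.conf copied from a compute node (assumption).
ldap_bind_test() {
    # $1 = bind DN, $2 = host (default ldapserver), $3 = port, $4 = search base
    dn=$1; host=${2:-ldapserver}; port=${3:-636}; base=${4:-dc=cm,dc=cluster}
    ldapsearch -x -H "ldaps://$host:$port" -D "$dn" -W -b "$base" \
        -LLL -z 1 '(objectClass=posixAccount)' uid
}

# Usage (not run automatically):
#   On the head node:       readonly_bind_dn /cm/local/apps/cmd/etc/cmd.conf
#   On the external server: check_external_prereqs && \
#                           ldap_bind_test cn=readonlyroot,dc=cm,dc=cluster && getent passwd
```

If check_external_prereqs prints nothing and returns 0 but ldap_bind_test fails with a TLS error, the certificate from Step 6 or the CA path in the copied ldap.conf is the usual cause; if the bind succeeds but getent passwd shows no LDAP users, recheck the nslcd restart in Step 11.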