1. Home
  2. Configuring
  3. How do I connect an external host to Bright’s LDAP?

How do I connect an external host to Bright’s LDAP?

In terms of the LDAP parameters, the cmd.conf file contains some of the required values that cmdaemon uses to bind with the Bright provided LDAP. You can review the values with this command.

[root@headnode ~]# grep LDAP /cm/local/apps/cmd/etc/cmd.conf

The bind dn you could use is : cn=readonlyroot,dc=cm,dc=cluster

Below is an example configuration that could be used to access the Bright provided LDAP service from a non-bright managed CentOS 7 server. One of the important requirements is generating a certificate for the external host, which is generated with cm-component-certificate.

External servers accessing Bright LDAP:

Start by opening the firewall on the external interface on the headnode:
Edit /etc/shorewall/rules
Add this line:
ACCEPT net fw tcp 636

Restart shorewall:
service shorewall restart

On the external servers:
Install the nss-pam-ldapd, openldap, openldap-clients packages. Then make a backup of /etc/pam.d/.
Then copy over these files from a compute node.

Edit /etc/hosts on the external servers and add some entries:
<head_node_ip> localmaster master ldapserver
Create the path /cm/local/apps/openldap/etc/certs on the external server, copy the certificates across from the headnode.

You’ll need to generate a specific LDAP certificate for the external server.
On the headnode, run this command (substituting the external hostname below):
cm-component-certificate –generate=<hostname of the external server>

This will generate two files (ldap.pem, ldap.key) in the current directory. Copy these files over to the external server overwriting the existing ldap.pem and ldap.key files in /cm/local/apps/openldap/etc on the external server.

Next, set the permissions on /cm/local/apps/openldap to be owned by the nslcd user.
chown -R nslcd:ldap /cm/local/apps/openldap/etc

Check that the ldap entry is added to /etc/nsswitch.conf on the external server.
passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap

Finally, restart the nslcd service on the external node.
service nslcd restart

The “getent passwd” command on the external server should show the LDAP users from Bright now.

Updated on December 15, 2020

Related Articles