LDAPS against a FreeIPA server

Once you have a Directory server installed, you are going to want to query against it from throughout the Network. For many reasons, you will want traffic to the server encrypted. Here are the steps to quest against a server using LDAPS from a remote machine.

Get the CA cert from your IPA server and add it to your openldap set of accepted certificates.  It needs to end in pem.

sudo scp $IPASERVER:/etc/ipa/ca.crt /etc/openldap/cacerts/ipa-ca.pem

Get the c-rehash utility, which is in the  openldap  Perl utilities RPM:

sudo yum install openssl-perl

Rehash the CA cert directory

sudo c_rehash /etc/openldap/cacerts

And now query:

ldapsearch   -x  -H 'ldaps://$IPASERVER'  -D "cn=Directory Manager" -w $PASSWORD -b "$IPA_BASE_DN"


4 thoughts on “LDAPS against a FreeIPA server

  1. Do you know how to map the role to the user with the LDAP as the identity service.? Right now, i am using OpenStack Keystone Folsom2012.2 version and OpenLDAP. I can get the tenant information with user_id/pw but can not get the role information. i configured the role with attribute “roleOccupant” in the LDAP service.

  2. In the default set up, the role is a done as an object under the tenant object. Specifically:

    Tenant is GroupOfName. The Role is OrganizationalRole. The RoleAssignemnt (called grants in the V3 API) is done (as you alluded) by putting the user DN in RoleOccupant attribue. Thus it is simple to get the list of all users with a specific role in a tenant, as it is just all of the values in the RoleOccupant attribute. To get the set of roels for a given user in a tenant, you need to iterate through all of the roles and see which have the user in the RoleOccupant attribute.

    If you have further questions please direct them to the Openstack mailing list so the larger community can benefit from the answers.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.