LDAP Configuration - ABO

/usr/local/afs7/contrib/v7.8/python/3.4/bin/install_ldap_realm --client $CLIENT --url $URL --system-user $SYSTEM_USER_LOGIN --system-password $SYSTEM_USER_PASSWORD --search-base $SEARCH_BASE --login-attribute $LOGIN_ATTRIBUTE --name-attribute $NAME_ATTRIBUTE --mail-attribute $MAIL_ATTRIBUTE

• --client requires the name of the LDAP client, e.g., "ldap_default".
• --url requires the URL of the LDAP client, e.g., "ldaps://ldap.mysite.net:port".
• --system-user, e.g., "cn=reader,dc=domain,dc=net".
• --system-password requires the password of the system user, e.g., "my_password".
• --search-base requires the search base, e.g., "dc=domain,dc=net".
• --login-attribute requires the name of the login attribute sent by LDAP, e.g., "mail".
• --name-attribute requires the name of the name attribute sent by LDAP, e.g., "name".
• --mail-attribute requires the name of the mail attribute sent by LDAP, e.g., "mail".

/usr/local/afs7/contrib/v7.8/python/3.4/bin/install_ldap_realm --client ldap_default --url ldaps://ldap.mysite.net:port --system-user "cn=reader,dc=domain,dc=net" --system-password my_password --search-base "dc=domain,dc=net" --login-attribute mail --name-attribute name --mail-attribute mail

• Retrieve certificate used by LDAP for SSL (can be located in /etc/ldap/ssl/ca.cert)
• Run the following command:

  keytool -import -trustcacerts -file /path/to/ca.cert -keystore store.jks

  (Keytool can be find in the JDK, by installing sun-java6-jdk package for instance)

• Give and confirm the desired password when prompted.
• Trust the certificate when prompted.
• A store.jks file is generated. It will be used by the BO to check LDAP identity for every connection.
• Path to this file and password must be added to the bo-server configuration thanks to the following lines in the LDAP configuration file:

      <w:Param name="TrustStore">/usr/local/afs7/bo-server/cert/store.jks</w:Param>
      <w:Param name="TrustStorePassword">my_password</w:Param>