LDAP Configuration - ABO

Install the Back Office and the Update Manager

Product
ABO
AFS_Version
7.10
Category
Technical Notes

To configure the BO-WS to authenticate against an LDAP directory, run the following command:

/usr/local/afs7/contrib/python/3.5/bin/install_ldap_realm --client $CLIENT --url $URL --system-user $SYSTEM_USER_LOGIN --system-password $SYSTEM_USER_PASSWORD --search-base $SEARCH_BASE --login-attribute $LOGIN_ATTRIBUTE --name-attribute $NAME_ATTRIBUTE --mail-attribute $MAIL_ATTRIBUTE

Where:

  • --client requires the name of the LDAP client, e.g., "ldap_default".
  • --url requires the URL of the LDAP server, e.g., "ldaps://ldap.mysite.net:port".
  • --system-user requires the DN of the system user, e.g., "cn=reader,dc=domain,dc=net".
  • --system-password requires the password of the system user, e.g., "my_password".
  • --search-base requires the search base, e.g., "dc=domain,dc=net".
  • --login-attribute requires the name of the LDAP attribute used as the login, e.g., "mail".
  • --name-attribute requires the name of the LDAP attribute holding the user's name, e.g., "name".
  • --mail-attribute requires the name of the LDAP attribute holding the user's e-mail address, e.g., "mail".

Example

/usr/local/afs7/contrib/python/3.5/bin/install_ldap_realm --client ldap_default --url ldaps://ldap.mysite.net:port --system-user "cn=reader,dc=domain,dc=net" --system-password my_password --search-base "dc=domain,dc=net" --login-attribute mail --name-attribute name --mail-attribute mail

A TrustStore must be created when the LDAP URL uses SSL (ldaps://), so that the BO can verify the directory server's certificate.

To do so:

  • Retrieve the CA certificate used by the LDAP server for SSL (it may be located in /etc/ldap/ssl/ca.cert).
  • Run the following command:

    keytool -import -trustcacerts -file /path/to/ca.cert -keystore store.jks

    (keytool ships with the JDK, e.g. by installing the sun-java6-jdk package.)

  • Enter and confirm the desired password when prompted.
  • Trust the certificate when prompted.
  • A store.jks file is generated. The BO will use it to verify the LDAP server's identity on every connection.
  • The path to this file and its password must be added to the bo-server configuration with the following lines in the LDAP configuration file:

    <w:Param name="TrustStore">/usr/local/afs7/bo-server/cert/store.jks</w:Param>
    <w:Param name="TrustStorePassword">my_password</w:Param>
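The two procedures above (the ldaps:// realm and the TrustStore) are easy to get subtly wrong: a plain ldap:// URL silently bypasses the TrustStore, and a stale or wrong ca.cert imports fine but breaks every login afterwards. The script below is an added example written for this note; it is not code from ABO or Antidot. It assumes openssl and keytool are on PATH, and the variable names TRUSTSTORE and TRUSTSTORE_PASS are choices of this example, not names the product reads. It refuses non-ldaps URLs, checks that the CA file actually validates the chain the LDAP server presents, then creates store.jks non-interactively and confirms the entry is there.

```shell
#!/bin/sh
# Added example for this note (not code from ABO/Antidot): prepare the
# TrustStore for an ldaps:// realm without interactive prompts and verify
# the result before wiring it into bo-server. Assumes openssl and keytool
# are on PATH; TRUSTSTORE and TRUSTSTORE_PASS are names chosen here.
set -u

# Accept only ldaps:// URLs. With plain ldap:// the system-user password and
# every Back Office login would cross the network in cleartext and the
# TrustStore would never be consulted. Returns 0 if acceptable, 1 otherwise.
ldap_url_ok() {
    case "$1" in
        ldaps://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Turn an ldaps:// URL into "host:port" for openssl, defaulting to 636.
ldap_hostport() {
    rest=${1#ldaps://}
    rest=${rest%%/*}
    case "$rest" in
        *:*) printf '%s\n' "$rest" ;;
        *)   printf '%s:636\n' "$rest" ;;
    esac
}

# Before trusting a CA file, confirm it validates the chain the LDAP server
# presents. A wrong or stale ca.cert would otherwise import cleanly and every
# BO login would then fail. Exit status is openssl's (non-zero on failure).
verify_ca_against_server() {
    cafile=$1; hostport=$2
    openssl s_client -connect "$hostport" -servername "${hostport%%:*}" \
        -CAfile "$cafile" -verify_return_error </dev/null >/dev/null 2>&1
}

# Import the CA into a fresh JKS store non-interactively (-noprompt answers
# the "Trust this certificate?" question) and make the file readable only by
# the account running bo-server.
make_truststore() {
    cafile=$1; store=$2; storepass=$3
    rm -f "$store"
    keytool -import -trustcacerts -noprompt -alias ldap-ca \
        -file "$cafile" -keystore "$store" -storepass "$storepass" >/dev/null 2>&1 &&
    chmod 600 "$store"
}

# Check that the store contains the expected alias.
truststore_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Entry point: setup_truststore LDAP_URL CA_FILE
# The store password is read from TRUSTSTORE_PASS rather than a positional
# argument so it does not land in shell history or `ps` output.
setup_truststore() {
    url=$1; cafile=$2
    store=${TRUSTSTORE:-/usr/local/afs7/bo-server/cert/store.jks}
    storepass=${TRUSTSTORE_PASS:?export TRUSTSTORE_PASS before running}
    ldap_url_ok "$url" || { echo "refusing non-ldaps URL: $url" >&2; return 1; }
    hostport=$(ldap_hostport "$url")
    verify_ca_against_server "$cafile" "$hostport" ||
        { echo "$cafile does not validate the certificate presented by $hostport" >&2; return 1; }
    make_truststore "$cafile" "$store" "$storepass" || { echo "keytool import failed" >&2; return 1; }
    truststore_has_alias "$store" "$storepass" ldap-ca || { echo "alias ldap-ca missing in $store" >&2; return 1; }
    echo "TrustStore ready: $store (add its path and password to the LDAP configuration file)"
}
```

Source the file and run `TRUSTSTORE_PASS=... setup_truststore ldaps://ldap.mysite.net:636 /etc/ldap/ssl/ca.cert`; the same reasoning applies to install_ldap_realm itself, whose --system-password value is visible in shell history and in the process list while it runs, and to the LDAP configuration file, which holds TrustStorePassword in cleartext and should be readable only by the bo-server account.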