From Fedora Project Wiki


How to configure a generic LDAP client to access trusted users and groups


This page summarizes what needs to be set for a generic LDAP client. If you are testing with nss-pam-ldapd or SSSD, feel free to jump to the corresponding test cases, where we explain the setup in greater detail.

How to test

Configure a generic LDAP client

The configuration of the LDAP client will point to a "compat tree", a parallel LDAP tree that the IPA server autogenerates from the main tree and tailors to the expectations of legacy clients (RFC 2307 style posixAccount and posixGroup entries). The configuration includes two important items:

  1. LDAP URI - The URI is simply the host name of the IPA server prefixed with ldap://. For example, if the hostname was, then the URI would be ldap://
  2. LDAP search base - The search base consists of the base DN prefixed with "cn=compat", the container the compat tree lives in. To get the base DN, turn each label of the IPA domain name into a "dc=" component and join the components with commas (in other words, prefix the domain with "dc=" and replace every dot with ",dc="). For example, the IPA domain ipa.example.org would yield the base DN dc=ipa,dc=example,dc=org, so the full search base you want to use would be cn=compat,dc=ipa,dc=example,dc=org

Download the CA certificate

You can download the CA certificate of the IPA server from the server itself. Note that this download is not itself authenticated, so before trusting the file compare its fingerprint (for example with openssl x509 -in /etc/openldap/cacerts/ipa.crt -noout -fingerprint -sha256) against the value the IPA administrator gives you out of band:

wget -O /etc/openldap/cacerts/ipa.crt

And then generate the hash-named symlinks the OpenLDAP libraries use to find CA certificates in a TLS_CACERTDIR directory:

cacertdir_rehash /etc/openldap/cacerts/
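The following script ties the steps above together. It is an added example and not part of the original wiki page or of FreeIPA itself: it derives the base DN and compat search base from the IPA domain name exactly as described above, renders the matching settings for the OpenLDAP client library (/etc/openldap/ldap.conf keys URI, BASE, TLS_CACERTDIR and TLS_REQCERT), and checks the fingerprint of the downloaded CA certificate before it is trusted. The hostname server.ipa.example.org, the domain ipa.example.org and the fingerprint placeholder are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the wiki page or FreeIPA): build generic LDAP
# client settings for an IPA compat tree and verify the downloaded CA cert.
# Hostnames, domain names and fingerprints below are assumptions.

# Base DN from an IPA domain: prefix "dc=" and turn every dot into ",dc=".
#   ipa.example.org -> dc=ipa,dc=example,dc=org
ipa_base_dn() {
    printf 'dc=%s\n' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

# Search base for legacy clients: the cn=compat container on top of the base DN.
ipa_compat_base() {
    printf 'cn=compat,%s\n' "$(ipa_base_dn "$1")"
}

# LDAP URI: the IPA server hostname prefixed with ldap://. With an ldap://
# URI the connection is upgraded with STARTTLS, which is why the CA
# certificate has to be installed on the client.
ipa_ldap_uri() {
    printf 'ldap://%s\n' "$1"
}

# Render the OpenLDAP client library settings (/etc/openldap/ldap.conf).
# TLS_REQCERT demand makes the library refuse a server whose certificate
# does not chain to a CA in TLS_CACERTDIR; "allow" or "never" would let a
# spoofed server hand out identities and receive passwords unnoticed.
ipa_ldap_conf() {
    server=$1
    domain=$2
    printf 'URI %s\nBASE %s\nTLS_CACERTDIR /etc/openldap/cacerts\nTLS_REQCERT demand\n' \
        "$(ipa_ldap_uri "$server")" "$(ipa_compat_base "$domain")"
}

# The CA download is unauthenticated (trust on first use), so compare the
# SHA-256 fingerprint of the downloaded file with one obtained out of band.
# Returns 0 when the fingerprints match, 1 otherwise.
verify_ca_fingerprint() {
    cert=$1
    expected=$2
    actual=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Usage (all values are assumptions):
#   ipa_ldap_conf server.ipa.example.org ipa.example.org >> /etc/openldap/ldap.conf
#   verify_ca_fingerprint /etc/openldap/cacerts/ipa.crt "AA:BB:...:FF" \
#       && cacertdir_rehash /etc/openldap/cacerts/
```

Once the fragment is in place, a quick check that does not depend on nss-pam-ldapd or SSSD yet is an anonymous search that insists on a successful STARTTLS handshake, for example `ldapsearch -x -ZZ -H ldap://server.ipa.example.org -b cn=compat,dc=ipa,dc=example,dc=org '(objectClass=posixAccount)'` (ldapsearch comes from openldap-clients; hostname and domain are the assumed ones above). If the certificate check fails, ldapsearch aborts instead of falling back to cleartext, which is the behaviour you want from the tests that follow.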

Run the tests

When your client is set up, you can proceed to obtain identities and authenticate. In general this means resolving a user from the trusted domain with getent:

$ getent passwd

And then authenticating to your client over SSH as that user:

$ ssh -l

Feel free to create an additional column in the results table on the test day page, or just ping us on IRC with your test results!

Expected Results

Both users from the IPA domain and the trusted domain should be able to log in.