How to configure a generic LDAP client to access trusted users and groups
This page summarizes what needs to be set for a generic LDAP client. If you are testing with nss-pam-ldapd or SSSD, feel free to jump to the corresponding test cases where we explain the setup in a greater detail.
How to test
Configure a generic LDAP client
The configuration of the LDAP client will point to a "compat tree" which is a parallel LDAP tree autogenerated from the main tree and tailored so that it matches the expectations legacy clients might have. The configuration includes two important items:
- LDAP URI - The URI is simply the host name of the IPA server prefixed with
ldap://. For example, if the hostname was
srv.ipa.example.org, then the URI would be
- LDAP search base - The LDAP search base we need consists of the base DN prefixed with "cn=compat", which is the container the compat tree lives in. To get the base DN, take the IPA domain name and substitute each dot for a "dc=". For example, the IPA domain
ipa.example.orgwould yield base DN
dc=ipa,dc=example,dc=org. The full search base you want to use would then be
Download the CA certificate
You can download the CA certificate of the IPA server from the server itself:
wget http://srv.ipa.example.org/ipa/config/ca.crt -O /etc/openldap/cacerts/ipa.crt
And then generate hashes for the openldap library:
Run the tests
When your client is set up, you can proceed to obtain identities and authenticate. In general this would include calling
$ getent passwd email@example.com
And also authenticating against your client:
$ ssh client.example.org -l firstname.lastname@example.org
Feel free to create additional column in the results table on the test day page or just ping us on IRC with your test results!
Both users from the IPA domain and the trusted domain should be able to log in.