Mailinglist Archive: opensuse-autoinstall (68 mails)

[Darin Perusich <Darin.Perusich@xxxxxxxxxxxxxxxx>]

Henrik Schmidt wrote:
> /etc/ldap.conf is auto generated :
>
> # OpenLDAP SSL mechanism
> # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
> ssl     start_tls
> ldap_version    3
> pam_filter      objectClass=posixAccount
> nss_base_passwd ou=people,dc=ks,dc=mydomain,dc=uni-kiel,dc=de
> nss_base_shadow ou=people,dc=ks,dc=mydomain,dc=uni-kiel,dc=de
> nss_base_group  ou=group,dc=ks,dc=mydomain,dc=uni-kiel,dc=de
> tls_checkpeer   no
> #ssl on

Some additional values you may also want in /etc/ldap.conf

nss_map_attribute       uniqueMember member
timelimit       15
bind_timelimit  15
bind_policy     soft

> Two questions :
>
> 1. Why is tls_checkpeer set to "no" or set at all ?  I want have it
> either enabled or not set at all so that the configuration in
> /etc/openldap/ldap.conf is used as default.

tls_checkpeer is set to 'no' because you haven't defined tls_cacertdir
or tls_cacertfile which are required for peer verification. This is
described in nss_ldap(5).

> 2. Is "objectClass" in pam_filter objectClass=posixAccount spelled
> correctly ? I think it should be spelled objectclass with a small c.

Case doesn't matter for these identifiers but it's common practice when
an identifier is a concatenation of multiple words to use upper case for
the first letter the successive words. It's lends to the readability but
 that is it.

-- 
Darin Perusich
Unix Systems Administrator
Cognigen Corporation
395 Youngs Rd.
Williamsville, NY 14221
Phone: 716-633-3463
Email: darinper@xxxxxxxxxxxxxxxx
-- 
To unsubscribe, e-mail: opensuse-autoinstall+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-autoinstall+help@xxxxxxxxxxxx