Having spent too much of this week debugging problems around migrating ldap servers from RHEL5 to RHEL6, here are some miscellaneous notes to self:
The service is named ldap on RHEL5, and slapd on RHEL6, e.g. you do service ldap start on RHEL5, but service slapd start on RHEL6.
On RHEL6, you want all of the following packages installed on your clients:
yum install openldap-clients pam_ldap nss-pam-ldapd
This seems to be the magic incantation that works for me (with real SSL certificates, though):
authconfig --enableldap --enableldapauth \
  --ldapserver ldap.example.com \
  --ldapbasedn="dc=example,dc=com" \
  --update
Be aware that there are multiple ldap configuration files involved now. All of the following end up with ldap config entries in them and need to be checked:
Note too that /etc/openldap/ldap.conf uses uppercased directives (e.g. URI) that get lowercased in the other files (uri). Additionally, some directives are confusingly renamed as well - e.g. tls_cacertfile in most of the others. :-(
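One way to check that the client files agree despite the case and naming differences, as an added example that is not from the original notes. It assumes the other files are /etc/nslcd.conf and /etc/pam_ldap.conf and that TLS_CACERT is the ldap.conf spelling of the CA file directive; the ca.pem filename and the file contents are constructed.

```python
# Added example: compare LDAP client settings across config files, ignoring
# directive case and the TLS_CACERT / tls_cacertfile rename (assumed mapping).
ALIASES = {"tls_cacert": "tls_cacertfile"}  # ldap.conf name -> name used elsewhere
CHECKED = ("uri", "base", "tls_cacertfile", "tls_cacertdir")

def parse_conf(text):
    """Return {directive: frozenset(values)} for one 'key value' style file."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) == 2 else ""
        # uri may list several servers on one line or on repeated lines
        values = [u.rstrip("/") for u in value.split()] if key == "uri" else [value]
        found.setdefault(key, set()).update(values)
    return {k: frozenset(v) for k, v in found.items()}

def find_mismatches(files):
    """files maps path -> text. Returns {directive: {path: values or None}}
    for each checked directive on which the files do not all agree."""
    parsed = {path: parse_conf(text) for path, text in files.items()}
    report = {}
    for directive in CHECKED:
        per_file = {path: conf.get(directive) for path, conf in parsed.items()}
        if len(set(per_file.values())) > 1:
            report[directive] = {p: sorted(v) if v else None
                                 for p, v in per_file.items()}
    return report

SAMPLE = {  # constructed file contents, not taken from a real host
    "/etc/openldap/ldap.conf": ("URI ldap://ldap.example.com/\n"
                                "BASE dc=example,dc=com\n"
                                "TLS_CACERT /etc/pki/tls/certs/ca.pem\n"),
    "/etc/nslcd.conf": ("uri ldap://ldap.example.com\n"
                        "base dc=example,dc=com\n"
                        "tls_cacertfile /etc/pki/tls/certs/ca.pem\n"),
    "/etc/pam_ldap.conf": ("# edited by hand\n"
                           "uri ldap://ldap-old.example.com\n"
                           "base dc=example,dc=com\n"),
}

if __name__ == "__main__":
    for directive, per_file in find_mismatches(SAMPLE).items():
        print(directive)
        for path, values in per_file.items():
            print("  %-26s %s" % (path, values if values else "(not set)"))
```

On a real client, read each file into the dictionary instead of using SAMPLE; a file that shows "(not set)" for the CA certificate is the one to look at first when binds fail over TLS.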
If you want to do SSL or TLS, you should know that the default behaviour is for ldap clients to verify certificates, and give misleading bind errors if they can't validate them. This means:
if you're using self-signed certificates, add /etc/openldap/ldap.conf on your clients, which means allow certificates the clients can't validate
if you're using CA-signed certificates, and want to verify them, add your CA PEM certificate to a directory of your choice (e.g. /etc/pki/tls/certs), and point to it using
RHEL6 uses a new-fangled /etc/openldap/slapd.d directory for the old /etc/openldap/slapd.conf config data, and the RHEL6 Migration Guide tells you how to convert from one to the other. But if you simply rename the default slapd.d directory, slapd will use the old-style slapd.conf file quite happily, which is much easier to read/modify/debug, at least while you're getting things working.
If you run into problems on the server, there are lots of helpful utilities included with the openldap-servers package. Check out the manpages for