The <LdapConfig> section must contain at least:
- 1 <Service> element
- 1 canonicalization, that is, 1 <IdentityMap> or <IdentitySearch> element
- Create the <LdapConfig> section by adding the following elements to TdgssUserConfigFile.xml. The <LdapConfig> section must directly follow the <Mechanisms> section and sit at the same level as <Mechanisms> (a sibling, not a child). For example:

```xml
<LdapConfig>
  <Services>
    <Service ...
    </Service>
    <Service ...
    </Service>
  </Services>
  <Canonicalizations>
    ...
  </Canonicalizations>
</LdapConfig>
```
- Add the optional <Tls> protection section as the first element of the <LdapConfig> section. This section is the global default for all configured services. For example:

```xml
<LdapConfig>
  <!-- The default TLS configuration goes here. -->
  <Tls LdapClientTlsCACertDir="/etc/ssl/certs"
       LdapClientTlsReqCert="allow"
       LdapClientTlsCACert="/etc/ssl/certs.pem"
       LdapClientTlsCert="/etc/ssl/certs/client.pem"
       LdapClientTlsKey="/etc/ssl/certs/key.pem"
       LdapClientTlsRandFile="/dev/random"
       LdapClientTlsCipherSuite="!LOW"/>
```

Note that LdapClientTlsReqCert="allow" accepts a directory server certificate that cannot be verified (and a server that presents none), so it does not protect the service password against an impostor server. Use "demand" wherever the CA certificate is available, as the per-service override in the next step does.

If the TLS requirements vary among directory services, you can configure TLS separately for each <Service>, as shown in the next step; the settings for a service override the global settings. Also see Using TLS with a Directory Server.
- Configure a <Service> element for each directory service. For example:

```xml
<Service Id="svc.div1root"
         LdapServerName="ldap://div1root/ ldap://tdgss/ ldap://wave/"
         LdapBaseFQDN="dc=div1rootdom,dc=div1dev,dc=corp"
         LdapServiceFQDN="cn=div1root,ou=services,dc=div1rootdom,dc=div1dev,dc=corp"
         LdapSystemFQDN="cn=end2end,cn=tdat,dc=div1rootdom,dc=div1dev,dc=corp"
         LdapServicePassword="password"
         LdapClientUseTls="no"
         LdapClientMechanism="simple">
  <!-- Overrides to the default TLS configuration go here. -->
  <Tls LdapClientTlsReqCert="demand"
       LdapClientTlsCert="/home/mycert"/>
</Service>
<Service ...
</Service>
</Services>
```

With LdapClientUseTls="no" and plain ldap:// URLs, as in this example, the simple bind sends the service password to the directory server in cleartext, and the <Tls> override has no effect until TLS is enabled for the service.
| Property | Description |
| --- | --- |
| Id="svc.div1root" | Uniquely names a directory service. |
| LdapServerName= ... LdapClientMechanism= | The LDAP properties that the service requires, according to site needs. You only need to include properties with non-default values. |
| LdapServicePassword="password" | Set this property to the encrypted password created in step 4. Do not leave the cleartext password in the file. |
| <Tls LdapClientTlsReqCert="demand" LdapClientTlsCert="/home/mycert"/> | Optional TLS sub-section that contains values to override the defaults in the main <Tls> section, for this service only. |

- Use the tdspasswd tool to generate the encrypted form of the directory service password. For example:
```
# tdspasswd -s svc.div1root
Enter New password:
Confirm New password:
ASfb+l7norNgJHZZBufEmRS=
```

where svc.div1root is the value specified for the Id property in the <Service> configuration shown in step 3. When prompted by the tool, enter the password and confirm it. The tool prints an encrypted version of the password, in this example ASfb+l7norNgJHZZBufEmRS=.
- Enter the encrypted version of the password as the value of the LdapServicePassword property in the <Service> configuration shown in step 3.
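The procedure above states several rules that are easy to get wrong by hand: <LdapConfig> must directly follow <Mechanisms>, the global <Tls> element must come first, at least one <Service> and one canonicalization are required, and LdapServicePassword must hold tdspasswd output rather than the cleartext value. The following lint script is an added example written for this page, not Teradata's tooling; it checks those rules plus two TLS weaknesses a reviewer looks for (a simple bind over plain ldap:// without TLS, and an effective LdapClientTlsReqCert other than "demand"). It assumes, beyond what the page states, that the root element is TdgssUserConfigFile, that the canonicalization elements are spelled IdentityMap and IdentitySearch, that tdspasswd output is base64-like, and that LdapClientMechanism defaults to "simple" and LdapClientUseTls to "no" when omitted. The SAMPLE document is constructed from the page's fragments; the Id on IdentityMap and the svc.hr service are invented for the demo.

```python
"""Lint the <LdapConfig> section of a TdgssUserConfigFile.xml before deploying it.

Added example, not Teradata's tooling. Assumptions are marked in comments.
"""
import re
import xml.etree.ElementTree as ET

# Assumed shape of tdspasswd output (base64-like, as in the page's sample).
TDSPASSWD_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def effective_tls(service, global_tls):
    """Per-service <Tls> attributes override the global <Tls> defaults."""
    merged = dict(global_tls.attrib) if global_tls is not None else {}
    local = service.find("Tls")
    if local is not None:
        merged.update(local.attrib)
    return merged


def lint_ldap_config(xml_text):
    """Return a list of findings; an empty list means the section passed."""
    findings = []
    root = ET.fromstring(xml_text)  # assumed root: <TdgssUserConfigFile>
    children = list(root)
    names = [c.tag for c in children]
    if "LdapConfig" not in names:
        return ["LdapConfig section is missing"]
    idx = names.index("LdapConfig")
    if idx == 0 or names[idx - 1] != "Mechanisms":
        findings.append("LdapConfig must directly follow Mechanisms at the same level")
    cfg = children[idx]
    global_tls = cfg.find("Tls")
    if global_tls is not None and list(cfg)[0] is not global_tls:
        findings.append("global Tls defaults must be the first element of LdapConfig")

    services = cfg.findall("Services/Service")
    if not services:
        findings.append("at least one Service is required")
    canon = cfg.find("Canonicalizations")  # element names assumed
    has_canon = canon is not None and (
        list(canon.iter("IdentityMap")) or list(canon.iter("IdentitySearch")))
    if not has_canon:
        findings.append("at least one IdentityMap or IdentitySearch is required")

    for svc in services:
        sid = svc.get("Id", "<no Id>")
        pw = svc.get("LdapServicePassword", "")
        if pw and not TDSPASSWD_RE.match(pw):
            findings.append(f"{sid}: LdapServicePassword is not tdspasswd output "
                            "(cleartext or placeholder value)")
        urls = svc.get("LdapServerName", "").split()
        plain = [u for u in urls if u.startswith("ldap://")]
        use_tls = svc.get("LdapClientUseTls", "no").lower() == "yes"  # assumed default
        mech = svc.get("LdapClientMechanism", "simple")               # assumed default
        if mech == "simple" and plain and not use_tls:
            findings.append(f"{sid}: simple bind to {' '.join(plain)} without TLS "
                            "sends the service password in cleartext")
        tls_in_use = use_tls or any(u.startswith("ldaps://") for u in urls)
        req = effective_tls(svc, global_tls).get("LdapClientTlsReqCert")
        if tls_in_use and req is not None and req != "demand":
            findings.append(f"{sid}: LdapClientTlsReqCert=\"{req}\" does not verify the "
                            "directory server certificate; use \"demand\"")
    return findings


# Constructed sample modelled on the page's fragments (not a real deployment).
SAMPLE = """<TdgssUserConfigFile>
  <Mechanisms/>
  <LdapConfig>
    <Tls LdapClientTlsCACert="/etc/ssl/certs.pem" LdapClientTlsReqCert="allow"/>
    <Services>
      <Service Id="svc.div1root"
               LdapServerName="ldap://div1root/ ldap://tdgss/ ldap://wave/"
               LdapServiceFQDN="cn=div1root,ou=services,dc=div1rootdom,dc=div1dev,dc=corp"
               LdapServicePassword="password"
               LdapClientUseTls="no"
               LdapClientMechanism="simple">
        <Tls LdapClientTlsReqCert="demand" LdapClientTlsCert="/home/mycert"/>
      </Service>
      <Service Id="svc.hr"
               LdapServerName="ldaps://hrdir/"
               LdapServicePassword="ASfb+l7norNgJHZZBufEmRS="
               LdapClientMechanism="simple"/>
    </Services>
    <Canonicalizations>
      <IdentityMap Id="map.div1"/>
    </Canonicalizations>
  </LdapConfig>
</TdgssUserConfigFile>
"""

# The same file with the three weaknesses corrected.
HARDENED = (SAMPLE
            .replace('LdapServicePassword="password"',
                     'LdapServicePassword="ASfb+l7norNgJHZZBufEmRS="')
            .replace('LdapClientUseTls="no"', 'LdapClientUseTls="yes"')
            .replace('LdapClientTlsReqCert="allow"', 'LdapClientTlsReqCert="demand"'))

if __name__ == "__main__":
    for f in lint_ldap_config(SAMPLE):
        print("-", f)
    print("hardened:", lint_ldap_config(HARDENED) or "no findings")
```

Run against SAMPLE the script reports three findings (the placeholder password and cleartext bind on svc.div1root, and the inherited "allow" on svc.hr, which uses ldaps:// and therefore does negotiate TLS); HARDENED produces none. The override logic in effective_tls is the page's rule that per-service <Tls> values win over the global <Tls> defaults, so a service inherits a weak global setting unless it overrides it.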