Copy the CA cert onto the server; in this example it goes into /tmp/YOUR_CACERT.pem. Only PEM files have been tested; other formats may work.
Add the CA cert into the cert DB (the command needs a nickname as well as the path to the cert copied onto the server):

certutil -d /etc/openldap/certs/ -A -n YOUR_CERT_NICKNAME -i /tmp/YOUR_CACERT.pem -t "TCu,TCu,TCu"
Verify the cert is in the DB:

[root@opmantek certs]# certutil -d /etc/openldap/certs/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

YOUR_CERT_NICKNAME                                           CT,C,C
Verify LDAP connectivity using ldapsearch. You will have to set -H, -b and -D; they can come from your current NMIS ms-ldap config if you have one (-b is auth_ms_ldap_base, -D is auth_ms_ldap_dn_acc):

# note, you will have to set -H, -b and -D
ldapsearch -H ldap://ad-server.name.or.ip:389 -x -b "cn=eg,dc=egg,dc=com" -D "cn=OK,cn=EG,dc=egg,dc=com" -w 'password' -ZZ -d 9
# this will print a long run of debug output, or end in an error (most likely about finding certificates)
Change the NMIS Auth code to use the certificate directory. Note that the new code uses Net::LDAP (plain LDAP upgraded with STARTTLS) instead of Net::LDAPS, and adds a new line that reads a new config item:

# /usr/local/nmis8/lib/Auth.pm (line 716 approx)
# change
$ldap = new Net::LDAPS($C->{'auth_ms_ldaps_server'});
# to
$ldap = new Net::LDAP($C->{'auth_ms_ldaps_server'}, version => 3);
my $mesg = $ldap->start_tls( capath => $C->{'auth_openldap_certs'} );
Modify the configuration to use ms-ldaps and set the new auth_openldap_certs path:

'auth_method_1' => 'ms-ldaps',
'auth_ms_ldaps_server' => 'ad-server.name.or.ip',
'auth_openldap_certs' => '/etc/openldap/certs/', # this line is new
'auth_ms_ldap_attr' => 'sAMAccountName',
'auth_ms_ldap_base' => 'DC=corp,DC=shurely,DC=com,DC=nz',
'auth_ms_ldap_dn_acc' => 'LDAPRead',
'auth_ms_ldap_dn_psw' => 'SecurePassword123',
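As an added example (not code from NMIS or from this page), the following Perl script makes the same connection as the modified Auth.pm with the configuration values above, but passes verify => 'require' to start_tls so that a server certificate that does not chain to the CA in auth_openldap_certs aborts the connection instead of being accepted. The %C hash, the lookup_user_dn function and the 'someuser' default are assumptions for the example.

```perl
#!/usr/bin/perl
# Added example, not NMIS code: connect to the AD server the way the
# modified Auth.pm does, but fail closed on an untrusted certificate.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Assumed values, copied from the configuration items above.
my %C = (
    auth_ms_ldaps_server => 'ad-server.name.or.ip',
    auth_openldap_certs  => '/etc/openldap/certs/',
    auth_ms_ldap_base    => 'DC=corp,DC=shurely,DC=com,DC=nz',
    auth_ms_ldap_attr    => 'sAMAccountName',
    auth_ms_ldap_dn_acc  => 'LDAPRead',
    auth_ms_ldap_dn_psw  => 'SecurePassword123',
);

# Returns the DN of $user (undef if not found), or dies naming the stage that failed.
sub lookup_user_dn {
    my ($user) = @_;
    my $ldap = Net::LDAP->new($C{auth_ms_ldaps_server}, version => 3)
        or die "connect to $C{auth_ms_ldaps_server} failed: $@\n";

    # Net::LDAP's default is verify => 'none': the server certificate is
    # then not checked at all, so capath alone enforces nothing.
    my $mesg = $ldap->start_tls(verify => 'require',
                                capath => $C{auth_openldap_certs});
    die "STARTTLS failed: " . $mesg->error . "\n" if $mesg->code != LDAP_SUCCESS;

    $mesg = $ldap->bind($C{auth_ms_ldap_dn_acc},
                        password => $C{auth_ms_ldap_dn_psw});
    die "bind failed: " . $mesg->error . "\n" if $mesg->code != LDAP_SUCCESS;

    # Escape the username so it cannot change the structure of the filter.
    my $filter = "($C{auth_ms_ldap_attr}=" . escape_filter_value($user) . ")";
    $mesg = $ldap->search(base => $C{auth_ms_ldap_base},
                          filter => $filter, attrs => ['1.1']);   # '1.1' = no attributes
    die "search failed: " . $mesg->error . "\n" if $mesg->code != LDAP_SUCCESS;

    $ldap->unbind;
    return $mesg->count ? $mesg->entry(0)->dn : undef;
}

my $dn = lookup_user_dn($ARGV[0] // 'someuser');
print defined $dn ? "found: $dn\n" : "no such user\n";
```

Net::LDAP hands capath to OpenSSL, which expects PEM certificates in a c_rehash-style directory rather than an NSS database; if /etc/openldap/certs/ holds only the NSS DB files, pass cafile => '/tmp/YOUR_CACERT.pem' instead.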
Users.nmis will need an entry for each user who can authenticate, or the default settings for a user will need to be set.