
openldap加密传输sssd

2016-09-22 16:21 323 查看
http://blog.father.gedow.net/2015/09/29/sssd-ldap-sudo/

# Client tooling (ldapsearch and friends) plus the SSSD daemon itself.
yum install -y openldap-clients sssd

# Switch NSS/PAM over to SSSD with LDAP as identity and auth provider,
# talking to both servers over ldaps://.  The sssd.conf that authconfig
# generates here is replaced wholesale by the heredoc further down.
# NOTE(review): --enableldaptls requests STARTTLS; with ldaps:// URIs the
# channel is already encrypted — confirm the flag does not conflict.
authconfig \
  --enablesssd --enablesssdauth \
  --enableldap --enableldapauth \
  --ldapserver=ldaps://master.local,ldaps://slave.local \
  --ldapbasedn='dc=suntv,dc=tv' \
  --enablelocauthorize \
  --enableldaptls \
  --enablemkhomedir \
  --update

下载服务器的 CA 证书

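# Fetch the CA certificate that every ldaps:// connection below is verified
# against.  The download itself is plain HTTP, so the file is unauthenticated:
# compare its fingerprint with one obtained out-of-band (e.g. read on the
# master's console) before trusting it, otherwise a swapped CA would be
# silently accepted by every client that copies this step.
mkdir -p /etc/openldap/cacerts
wget http://master.local/ca.crt -O /etc/openldap/cacerts/ca.crt
# Print the fingerprint to compare by hand; the expected value is a placeholder.
openssl x509 -in /etc/openldap/cacerts/ca.crt -noout -fingerprint -sha256
# expected: SHA256 Fingerprint=<value obtained out-of-band from the LDAP admin>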

配置/etc/openldap/ldap.conf

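# /etc/openldap/ldap.conf — TLS settings for the OpenLDAP client tools.
# Trusted-CA directory and the server CA certificate downloaded above.
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/ca.crt
# 'demand' (the OpenLDAP default) verifies the server certificate against
# TLS_CACERT and aborts the connection on failure.  'never' skipped that
# check entirely, so the downloaded CA was never actually used and any host
# answering on the ldaps:// port would have been accepted.  Requires the
# server certificate to chain to ca.crt and to match the ldaps:// host names.
TLS_REQCERT demand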

写入 /etc/sssd/sssd.conf

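# Write the SSSD configuration.  The delimiter is quoted so the shell does
# not expand anything inside the heredoc.
cat > /etc/sssd/sssd.conf << '_EOF_'
[sssd]
services = nss, pam
config_file_version = 2
domains = ldap

[domain/ldap]
# 9 is the most verbose level and logs per-request detail; lower it once the
# setup is known to work.
debug_level = 9
# Cache the last successful credentials locally so logins keep working while
# both LDAP servers are unreachable.
cache_credentials = true
enumerate = false

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldaps://master.local,ldaps://slave.local
ldap_search_base = dc=suntv,dc=tv
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
# Verify the server certificate against ldap_tls_cacert.  'never' skipped
# verification, so any server presenting any certificate would have been
# trusted for identity lookups and password checks.  The server certificate
# must chain to ca.crt and match the ldaps:// host names.
ldap_tls_reqcert = demand
# The URIs are already ldaps://, so no STARTTLS upgrade is needed.
ldap_id_use_start_tls = false

; seconds
entry_cache_timeout = 600
; seconds
ldap_network_timeout = 2

[nss]
homedir_substring = /home
entry_negative_timeout = 20
entry_cache_nowait_percentage = 50

# Never resolve root through LDAP.
filter_users = root
filter_groups = root

[pam]

[sudo]

[autofs]

[ssh]

[pac]
_EOF_
# sssd refuses to start unless its config file is owned by root and is not
# readable by group or others.
chown root:root /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf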

# Start on boot, then (re)start now so the new configuration takes effect.
systemctl enable sssd
systemctl restart sssd