content:en_us:7_ug_openldap_directory
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | |||
|
content:en_us:7_ug_openldap_directory [2018/10/04 10:11] nickh [Policies] |
content:en_us:7_ug_openldap_directory [2019/08/27 10:14] (current) nickh [Policies] |
||
|---|---|---|---|
| Line 25: | Line 25: | ||
| * The **Publish Policy** should be enabled if you have external applications accessing the directory, for example network-attached storage servers. | * The **Publish Policy** should be enabled if you have external applications accessing the directory, for example network-attached storage servers. | ||
| * Not Published - Accessible only from within ClearOS | * Not Published - Accessible only from within ClearOS | ||
| - | * Local Network - Accessible from LAN interfaces only. Access is using the ldaps on port TCP 636. | + | * Local Network - Secure (636) - Accessible from LAN interfaces only. Access is using <nowiki>ldaps://</nowiki> on port TCP 636. |
| - | * All Networks - Accessible from all interfaces. Access is using the ldaps on port TCP 636. | + | * Local Network - Non-secure (389/636) - Accessible from LAN interfaces only. Access is using either <nowiki>ldap://</nowiki> on port 389 or <nowiki>ldaps://</nowiki> on port 636. |
| + | * All Networks - Secure (636) - Accessible from all interfaces. Access is using the <nowiki>ldaps://</nowiki> on port 636. | ||
| + | * All Networks - Non-secure (389/636) - Accessible from all interfaces. Access is using either <nowiki>ldap://</nowiki> on port 389 or <nowiki>ldaps://</nowiki> on port 636. | ||
| + | <note warning>In the interest of security it is always better to use the secure <nowiki>ldaps://</nowiki> in preference to <nowiki>ldap://</nowiki>. As such it is unlikely that you will want to use the Non-secure options and it is not advised.</note> | ||
| + | |||
| + | <note tip>You can check to see which IP's and ports LDAP is listening on with<code>netstat -npl | grep slapd</code></note> | ||
| * The **Accounts Access** should be enabled if you have external applications requiring account information, for example adding the Global Address book feature in the Thunderbird mail client. | * The **Accounts Access** should be enabled if you have external applications requiring account information, for example adding the Global Address book feature in the Thunderbird mail client. | ||
| - | === ldap:// access from the LAN === | ||
| - | If you require ldap access on TCP port 389 (ldap:<nowiki>//</nowiki> as opposed to ldaps:<nowiki>//</nowiki>) from your LAN, edit /usr/libexec/openldap/prestart.sh and change line 35 to read: | ||
| - | <code>urls="$urls ldaps://$ip/ ldap://$ip/"</code> | ||
| - | then in Webconfig > Server > Directory > Directory Server, change the Publish Policy to Local Network. | ||
| - | |||
| - | <note warning>The problem now is that an update to the LDAP package could potentially overwrite this file. Overwriting can be blocked with the command: | ||
| - | <code>chattr +i /usr/libexec/openldap/prestart.sh</code>but if an LDAP package update needs to change this file for other reasons, it will not then be able to.</note> | ||
| - | |||
| - | === ldap:// access from all networks === | ||
| - | If you require ldap access on TCP port 389 (ldap:<nowiki>//</nowiki> as opposed to ldaps:<nowiki>//</nowiki>) for all networks, edit /usr/libexec/openldap/prestart.sh and change line 38 from: | ||
| - | <code>urls="ldap://127.0.0.1/ ldaps:///"</code> | ||
| - | to | ||
| - | <code>urls="ldaps:/// ldap:///"</code> | ||
| - | then in Webconfig > Server > Directory > Directory Server, change the Publish Policy to All Networks. This will restart slapd and add the ldap as well. | ||
| - | |||
| - | <note warning>The problem now is that an update to the LDAP package could potentially overwrite this file. Overwriting can be blocked with the command: | ||
| - | <code>chattr +i /usr/libexec/openldap/prestart.sh</code>but if an LDAP package update needs to change this file for other reasons, it will not then be able to.</note> | ||
| - | |||
| - | <note tip>You can check to see which IP's and ports LDAP is listening on with<code>netstat -npl | grep slapd</code></note> | ||
| ==== Directory Information ==== | ==== Directory Information ==== | ||
| General directory information is shown to help you connect external applications to the ClearOS directory. | General directory information is shown to help you connect external applications to the ClearOS directory. | ||
content/en_us/7_ug_openldap_directory.txt · Last modified: 2019/08/27 10:14 by nickh