starlingx/docs
Code Issues Proposed changes
47040fa69b
docs/doc/source/security/kubernetes/local-ldap-certificates-4e1df1e39341.rst
Ngairangbam Mili 93e265fbf3 Local/WAD ldap users sudo and local linux group assignment (stx 9.0) 
Added "sudo" and "sys_protected" privileges support for LDAP servers accessed using SSSD service

Story: 2010589
Task: 49410

Change-Id: Ia05edc04feb465c1b59a2a1e4cff26218b144788
Signed-off-by: Ngairangbam Mili <ngairangbam.mili@windriver.com>
2024-02-28 15:30:12 +00:00

53 lines
2.1 KiB
ReStructuredText
Raw Blame History

.. _local-ldap-certificates-4e1df1e39341:
=======================
Local LDAP Certificates
=======================
The local |LDAP| server by default serves both HTTPS on port 636 and HTTP on port 389.
The HTTPS server certificate is issued by cert-manager ClusterIssuer
``system-local-ca`` and is managed internally by cert-manager. The certificate
will be automatically renewed when the expiration date approaches. The
certificate is called ``system-openldap-local-certificate`` with its secret
having the same name ``system-openldap-local-certificate`` in the
``deployment`` namespace. The server certificate and private key files are
stored in the ``/etc/ldap/certs/`` system directory.
In |DC| system, the |LDAP| service runs only in the central cloud. Clients in
the subcloud (|SSSD|, |LDAP| client tools) are configured so that they can
access the |LDAP| services in the central cloud using HTTPS. Thus,
``system-local-ca`` ClusterIssuer's certificate is installed in the subcloud as
a trusted |CA| certificate.
The insecure HTTP service is only supported for backward compatibility with
subclouds running older versions of |prod| that supports only HTTP. If no such
subclouds are present, the insecure HTTP service can be disabled by system
service parameter.
Run the following command to disable the insecure service:
.. code-block:: none
~(keystone_admin)]$ system service-parameter-add identity local-openldap insecure_service=disabled
If the service parameter already exists, run the following command:
.. code-block:: none
~(keystone_admin)]$ system service-parameter-modify identity local-openldap insecure_service=disabled
The insecure service can be enabled if it has been disabled. Run the following
command to enable the insecure service:
.. code-block:: none
~(keystone_admin)]$ system service-parameter-modify identity local-openldap insecure_service=enabled
After disabling or enabling the insecure local-openldap service, for the change
to take effect, apply the service parameter by running the following command:
.. code-block:: none
~(keystone_admin)]$ system service-parameter-apply identity --section local-openldap
View Git Blame Copy Permalink