In environments with an existing LDAP authentication infrastructure, it may be preferable to enable LDAP authentication on each Oracle VM Server instance, to control and log access attempts on Dom0. This can enhance security for a critical asset (Dom0) for the same reasons that make centralized user control valuable in other contexts.
The packages required for the LDAP client are not included on the Oracle VM Server ISO, so they must be downloaded and installed manually. This section describes the steps required to do this.
Note: On Oracle VM Server 3.3 the required packages are included in the installation ISO and are available by default, so no separate package installation is needed. The manual configuration described below is still necessary.
Add the public or internal Yum repositories at the Oracle Linux 5u7 level. The most direct way to do this is to follow the instructions at http://public-yum.oracle.com/ for Oracle Linux 5:
# cd /etc/yum.repos.d
# wget http://public-yum.oracle.com/public-yum-el5.repo
Install the packages required to enable LDAP authentication, together with their dependencies:
# yum install openldap-clients
# yum install nss_ldap
The installation prompts you to confirm whether you wish to proceed; respond by entering the y character at the prompt. The required dependencies are also listed and downloaded. If you intend to copy the package files and install them manually on your server instances, take note of the listed dependencies and ensure that they are also made available on each server where you intend to install the LDAP client.
Once installation is complete, copy the SSL/TLS certificate that the client must trust for the LDAP server (the certificate of the CA that issued the server certificate, or the server certificate itself if it is self-signed) to /etc/openldap/cacerts/openldap.pem. Make sure the certificate has the right permissions: world-readable so that the NSS and PAM libraries can load it, but owned by root and writable only by root, because anyone able to replace this file can substitute the trust anchor used to authenticate the directory server:
# chmod 644 /etc/openldap/cacerts/openldap.pem
Rehash the CA certificate directory so that the OpenLDAP libraries can locate the certificate by its subject hash:
# cacertdir_rehash /etc/openldap/cacerts
Enable LDAP authentication using the text-mode authconfig tool:
# authconfig-tui
Ensure that LDAP is configured correctly to access your LDAP server. Configuration is specific to your own environment and requirements and falls outside the scope of this document; however, the following example configurations may serve to assist you:
/etc/openldap/ldap.conf:
TLS_CACERTDIR /etc/openldap/cacerts
BASE dc=example,dc=com
URI ldap://ldapserver.example.com:389
/etc/ldap.conf:
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
base dc=example,dc=com
uri ldap://ldapserver.example.com:389
pam_password md5
With ssl start_tls the client connects to the plain LDAP port (389) and upgrades the connection with STARTTLS, so the ldap:// URI is correct here; an ldaps:// URI would instead use the dedicated TLS port (636 by default). Whichever form you use, confirm that the client actually verifies the server certificate against the directory configured in tls_cacertdir (do not set tls_checkpeer no), otherwise the TLS session protects against eavesdropping but not against an attacker impersonating the directory to harvest Dom0 credentials. After saving the configuration, verify name resolution and authentication end to end on the server, for example by looking up an LDAP-only account with getent passwd and logging in as that user over SSH.
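As an added example that is not part of the Oracle VM documentation, the following script performs a static check of an nss_ldap-style /etc/ldap.conf such as the one above. It does not contact a directory server; it flags the settings that would leave Dom0 logins exposed (no STARTTLS or ldaps://, no CA certificate location, or tls_checkpeer no). The two sample configurations it writes to temporary files are constructed for illustration; the function names ldap_conf_get and check_ldap_conf are hypothetical helpers, not part of any Oracle tool.

```shell
#!/bin/sh
# Static checker for an nss_ldap/pam_ldap style ldap.conf (added example, not
# from the Oracle VM documentation). It parses the file and reports settings
# that weaken the protection of LDAP logins; it never opens a network connection.

# Print the value of a directive: case-insensitive key, comments stripped,
# last occurrence wins. Only the first value token is returned, so a 'uri'
# line listing several servers yields the first one.
ldap_conf_get() {
    sed -e 's/#.*//' "$1" |
        awk -v key="$2" 'tolower($1) == tolower(key) { val = $2 } END { print val }'
}

# Return 0 when the file passes, otherwise the number of findings.
check_ldap_conf() {
    conf="$1"
    failures=0
    ssl=$(ldap_conf_get "$conf" ssl)
    uri=$(ldap_conf_get "$conf" uri)
    base=$(ldap_conf_get "$conf" base)
    cacertdir=$(ldap_conf_get "$conf" tls_cacertdir)
    cacertfile=$(ldap_conf_get "$conf" tls_cacertfile)
    checkpeer=$(ldap_conf_get "$conf" tls_checkpeer)

    # Transport protection: STARTTLS on the plain port, or an ldaps:// URI.
    tls=no
    case "$ssl" in start_tls|on) tls=yes ;; esac
    case "$uri" in ldaps://*) tls=yes ;; esac
    if [ "$tls" = no ]; then
        echo "FAIL: neither 'ssl start_tls' nor an ldaps:// URI: simple binds send the password in clear text"
        failures=$((failures + 1))
    fi

    # Without a trust anchor the server certificate cannot be validated.
    if [ "$tls" = yes ] && [ -z "$cacertdir" ] && [ -z "$cacertfile" ]; then
        echo "FAIL: TLS enabled but neither tls_cacertdir nor tls_cacertfile is set"
        failures=$((failures + 1))
    fi

    # 'tls_checkpeer no' accepts any certificate, so TLS no longer authenticates the server.
    if [ "$checkpeer" = no ]; then
        echo "FAIL: 'tls_checkpeer no' disables server certificate verification"
        failures=$((failures + 1))
    fi

    if [ -z "$base" ] || [ -z "$uri" ]; then
        echo "FAIL: 'base' and 'uri' must both be set"
        failures=$((failures + 1))
    fi

    if [ "$failures" -eq 0 ]; then
        echo "PASS: $conf"
    fi
    return "$failures"
}

# Constructed samples: the documented configuration and a weakened variant.
good=$(mktemp)
weak=$(mktemp)
cat > "$good" <<'EOF'
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
base dc=example,dc=com
uri ldap://ldapserver.example.com:389
pam_password md5
EOF
cat > "$weak" <<'EOF'
# No TLS at all, and peer verification explicitly switched off.
base dc=example,dc=com
uri ldap://ldapserver.example.com:389
tls_checkpeer no
pam_password md5
EOF
check_ldap_conf "$good"
check_ldap_conf "$weak" || echo "$? finding(s) in $weak"
rm -f "$good" "$weak"
```

Run it as root on Dom0 against the real file with check_ldap_conf /etc/ldap.conf after authconfig-tui has written it; a PASS here only means the configuration asks for an authenticated TLS session, so still confirm the trust anchor in /etc/openldap/cacerts is the one you intended before relying on it.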