Securing communication without auto-enrollment

If you are not using an Active Directory domain controller and auto‑enrollment for certificate distribution, you can manually configure the Centrify OpenLDAP proxy service to use the server certificate and private key you create.

The following steps summarize how you can manually configure the Centrify OpenLDAP proxy service to use certificates.

  1. Use CA.sh to create the certificates:

    /usr/share/centrifydc/ssl/misc/CA.sh -newca
    /usr/share/centrifydc/bin/openssl req -new -nodes -keyout newreq.pem -out newreq.pem
    /usr/share/centrifydc/ssl/misc/CA.sh -sign
  2. Install the certificates in the /etc/centrifydc/openldap directory.

    cp demoCA/cacert.pem /etc/centrifydc/openldap/cacert.pem
    mv newcert.pem /etc/centrifydc/openldap/servercrt.pem
    mv newreq.pem /etc/centrifydc/openldap/serverkey.pem
  3. Add the following lines to /etc/centrifydc/openldap/slapd.conf configuration file:

    TLSCACertificateFile /etc/centrifydc/openldap/cacert.pem
    TLSCertificateFile /etc/centrifydc/openldap/servercrt.pem
    TLSCertificateKeyFile /etc/centrifydc/openldap/serverkey.pem
  4. Add the following line to /etc/centrifydc/openldap/ldap.conf configuration file:

    TLS_CACERT /etc/centrifydc/openldap/cacert.pem
  5. Start the slapd daemon using the following:

    /usr/share/centrifydc/libexec/slapd -h "ldaps:///"

    or

    sudo /usr/share/centrifydc/bin/centrify-ldapproxy start -h ldaps:///
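A post-install check for the three PEM files that steps 1 and 2 leave in /etc/centrifydc/openldap, written here as an added example rather than Centrify's own tooling: it confirms the key belongs to the server certificate, that the certificate chains to cacert.pem, and that the unencrypted key is not readable by group or other. OPENLDAP_DIR and the constructed make_fixture CA are assumptions so the checks can be exercised in a scratch directory.

```shell
#!/bin/sh
# Checks for the cacert.pem / servercrt.pem / serverkey.pem trio produced above.
# Added example, not part of Centrify; OPENLDAP_DIR is an assumed override.
set -u
OPENLDAP_DIR="${OPENLDAP_DIR:-/etc/centrifydc/openldap}"

# 1. serverkey.pem must be the private key for servercrt.pem (compare public keys).
check_key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1/servercrt.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/serverkey.pem" -pubout) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# 2. servercrt.pem must chain to cacert.pem, the file TLS_CACERT points clients at.
check_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$1/servercrt.pem" >/dev/null 2>&1
}

# 3. The key was generated with -nodes (unencrypted), so only its owner may read it.
check_key_perms() {
    mode=$(stat -c '%a' "$1/serverkey.pem" 2>/dev/null || stat -f '%Lp' "$1/serverkey.pem")
    case "$mode" in
        *00) return 0 ;;    # 600, 400, ...: no group/other bits set
        *)   return 1 ;;
    esac
}

# Runs every check against a directory; non-zero if any of them fail.
run_checks() {
    rc=0
    for c in check_key_matches_cert check_chain check_key_perms; do
        if "$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
    done
    return $rc
}

# Constructed throwaway CA and server certificate using the same file names,
# only so the checks can be exercised outside /etc/centrifydc.
make_fixture() {
    mkdir -p "$1" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" -days 1 \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldapproxy.test" \
        -keyout "$1/serverkey.pem" -out "$1/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/server.csr" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -days 1 -out "$1/servercrt.pem" 2>/dev/null || return 1
    chmod 600 "$1/serverkey.pem"
}
```

Source the file and call `run_checks "$OPENLDAP_DIR"` after step 2 and before starting slapd; a FAIL on the first check is the usual cause of slapd refusing to start with ldaps.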