ID #1479

How do I connect to Bright's LDAP server from a non-Bright client?

Connecting to Bright Cluster Manager's LDAP server, from a client that is not managed by Bright.

This guide should work on BCM 7.3 and higher. It was written for a head node running Centos 7.6, and a client running a freshly-installed Centos 7.6. In case the operating systems differ, there may be variations in the commands used, but this document can still be used as a guide.

On the headnode:

1. Generate certificates for the external node. Use your own hostname instead of the “server2” used here:

[root@gg-c-07-15-b81-dev-c7u5 ~]# cd /tmp 

[root@gg-c-07-15-b81-dev-c7u5 tmp]# cm-component-certificate --generate=server2

2. Open the LDAP port in Shorewall. To do this, edit /etc/shorewall/rules. Typically you append the LDAP lines outside of the autogenerated section. The autogenerated section has tags like:





The LDAP lines can be:



ACCEPT net fw tcp 636

ACCEPT net fw udp 636


Shorewall should be restarted to activate the change:


[root@gg-c-07-15-b81-dev-c7u5 ~]# systemctl restart shorewall

3. Copy over the configuration files from one of the compute nodes. Replace the text "node001" which is used in the following example, with the correct node name for your case:

[root@gg-c-07-15-b81-dev-c7u5 tmp]# mkdir /tmp/ldapconf

[root@gg-c-07-15-b81-dev-c7u5 ~]# for i in /etc/pam.d/system-auth /etc/pam.d/password-auth /etc/nslcd.conf /etc/openldap/ldap.conf /etc/nsswitch.conf /root/.ldaprc; do scp node001:$i  /tmp/ldapconf; done 

On the external, non-Bright-managed server:

1. Append a line similar to the following in the /etc/hosts file. Replace the address that is used here just as an example, with the actual IP address of the head node that the non-Bright client is accessing in your case:


[root@server2 ~]# echo " localmaster master ldapserver" >> /etc/hosts

2. Check the LDAP port of the head node is reachable:

[root@server2 ~]# nc -zvw3 ldapserver 636

Ncat: Version 7.50 ( )

Ncat: Connected to

3. Install the necessary packages:

[root@server2 ~]# yum install nss-pam-ldapd openldap openldap-clients

4. Create a certs directory. This makes work easier as we don't have to modify conf files later:


[root@server2 ~]# mkdir -p /cm/local/apps/openldap/etc/certs/

Optional: Configure key-based authentication. It’s needed to avoid having to enter the root password multiple times when getting files from the head node:


[root@server2 ~]# ssh-keygen 

[root@server2 ~]# ssh-copy-id ldapserver

5. Copy over the certificates from the headnode into the certs directory:

[root@server2 ~]# cd /cm/local/apps/openldap/etc/certs/

[root@server2 certs]# scp ldapserver:/tmp/ldap* .

[root@server2 certs]# scp ldapserver:/cm/local/apps/openldap/etc/certs/ca.pem .

6. Add the LDAP user ldap to the /etc/passwd file. Make sure that the UID is not already used and that the GID is the ldap group's id (should be created by installed packages):

[root@server2 certs]# id nslcd

uid=65(nslcd) gid=55(ldap) groups=55(ldap)

[root@server2 ~]# echo "ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin" >> /etc/passwd

7. Set  the correct permissions:

[root@server2 ~]# chown -R ldap:ldap /cm/local/apps/openldap

[root@server2 ~]# chmod 440 /cm/local/apps/openldap/etc/certs/ldap.*

8. In case selinux is enabled, set  the correct labels:

[root@server2 certs]# semanage fcontext -a -t cert_t "/cm/local/apps/openldap/etc/certs(/.*)?"

[root@server2 certs]# restorecon -R -v /cm/local/apps/openldap/etc/certs/*

restorecon reset /cm/local/apps/openldap/etc/certs/ca.pem context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:cert_t:s0

restorecon reset /cm/local/apps/openldap/etc/certs/ldap.key context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:cert_t:s0

restorecon reset /cm/local/apps/openldap/etc/certs/ldap.pem context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:cert_t:s0

9. Make a backup of /etc/pam.d/

[root@server2 ~]# cp -pr /etc/pam.d/ /etc/pam.d.bkp 

10. Copy the configuration files from the head node. Note that it's useful to have certificates-based login configured in advance, otherwise you will have to enter the root password multiple times:

[root@server2 ~]# for i in /etc/pam.d/system-auth /etc/pam.d/password-auth /etc/nslcd.conf /etc/openldap/ldap.conf /etc/nsswitch.conf /root/.ldaprc; do scp ldapserver:/tmp/ldapconf/´basename "$i"´ $i ; done 

11. enable and restart the nslcd service on the external server:

[root@server2 ~]# systemctl enable nslcd.service 

[root@server2 ~]# systemctl restart nslcd.service 

12. Test the configuration with:

[root@server2 certs]# getent passwd <ldap user>

Tags: LDAP, non bright

Related entries:

You cannot comment on this entry